Pick up any business or technology publication and you’ll read about how BYOD (bring your own device) raises a number of data protection concerns because devices are owned by the user rather than the employer.
Many IT managers are faced with demands from employees (and often even board members) wishing to use their personal laptops, tablets and smartphones in the workplace, resulting in corporate data being stored on individual devices and personal data being stored in corporate infrastructures.
Leaving aside the legal aspects of processing personal data in corporate environments, what isn’t always talked about is the increase in the volume of personal and corporate data being stored and protected in corporate networks.
With data being generated from more devices and new applications generating bigger files, it’s easy to see how more “uncontrolled” content ends up in the corporate NAS or SAN.
The ideal solution to address the issue will include data segmentation (private/corporate), clear data access (inside the company network, secure remote access, etc.) and wipe solutions, but unless you have an unlimited budget and resources, it isn’t always the reality.
And what about the human factor? Can IT really trust the user with BYOD? But also, can the user trust IT?
Whatever the corporate endpoint backup tool IT might use, how can you really prevent the employee from doing his own backup just to protect his kid’s pictures or his favorite music playlist?
By doing so, some corporate data may end up on a USB drive or in a Dropbox account without the employee’s knowledge.
First, let’s make a few assumptions…
- Employees’ expectation with BYOD is to make their lives easier.
- Employees want to use their devices not only to process data, but because they like the interface and the ease of use.
- BYOD is allowed only for “regular” business and not for highly sensitive markets or datasets.
- Employees are more and more connected and “computer-aware.”
- Employees can often find workarounds to regular security policies.
Once IT agrees on adopting the BYOD approach, the most obvious tactic is to provide employees with easy-to-implement tools to access, store and protect data in a multiple device environment.
It means installing a data protection layer on each device (to encrypt local storage, encrypt data transfers and provide a wipe mechanism if the employee resigns or the device is lost). But this is complex to do.
Another possible tactic is to not focus on the device itself. If it’s too complex to protect the device, why not try to change the employee usage and provide tools and services to your users in such a way that they have no interest in storing data locally?
This means primarily using the device to process and display data rather than store it (with safeguards to protect employee data).
The user just needs to establish remote connectivity to a centralised storage mechanism. By doing so, the “corporate” data will remain in a central location - either an enterprise datacentre or a private cloud - so it becomes easier for the company to store and protect the digital assets.
Driving end user usage will lead to a better segmentation of data, as centralisation makes it easier to define personal and corporate data when compared to managing this on a per device basis.
And if the user's device were to be lost or stolen, there would be no need to worry about accidental data disclosure because there will be nothing stored on the device.
BYOD and data growth will impact storage in such a way that the traditional monolithic approach is not viable anymore from a usage, cost and performance point of view.
Primary storage (SAN/NAS) can deal with daily-use files, while less frequently accessed data might need to be migrated to an active archive that empowers employees to access stored information quickly across all their devices.
Object storage can be a good candidate, now offering NAS and HTTP/REST interfaces that allow data to be accessed from inside and outside the LAN at a lower cost than primary storage and with a strong durability SLA.
And over time, data can be migrated into a long-term archiving solution such as tape, which is no longer dedicated to backups and can now be accessed via a NAS interface using the LTFS standard.
Whatever the tactics, IT needs to first think “workflow” before taking any decision. Backup and disaster recovery (DR) are the last miles of the workflow.
The more data-centric the company is, or the more data is stored and archived centrally, the more important the backups are. But any decisions made at the device level (earlier in the workflow chain) may impact the overall infrastructure.
For example: it might make sense to use backup deduplication and replication to reduce backup size and improve DR, but if the data is encrypted at the device level, it will impact the deduplication ratio.
Another solution is to encrypt static and active data instead, protecting the data sets while still benefiting from deduplication.
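The deduplication effect described in the two paragraphs above can be measured directly. The following Python sketch is an added example, not part of the original article: it backs up the same constructed files from five devices, first in plaintext and then encrypted under a per-device key, and compares the deduplication ratios. The chunk size, device count, key derivation and the SHA-256 counter-mode keystream (a standard-library stand-in for a real cipher) are assumptions, as is reading the alternative as encrypting centrally after deduplication.

```python
import hashlib

CHUNK = 4096  # assumed fixed-size chunking; backup products often use variable-size chunks

def split(data):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]

def encrypt(key, data):
    """Stand-in stream cipher: XOR with a SHA-256 counter-mode keystream.
    Illustration only, chosen to avoid third-party packages; not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def dedup_ratio(streams):
    """Logical chunks divided by unique chunks across all backup streams."""
    all_chunks = [c for s in streams for c in split(s)]
    return len(all_chunks) / len({hashlib.sha256(c).digest() for c in all_chunks})

def sample_corpus(n_chunks=64):
    # Constructed sample data: n_chunks distinct 4 KiB chunks standing in for shared files.
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() * (CHUNK // 32)
                    for i in range(n_chunks))

def device_level(devices=5):
    """Every device encrypts the same files under its own key before backup."""
    corpus = sample_corpus()
    plain = [corpus] * devices
    sealed = [encrypt(hashlib.sha256(b"device-%d" % d).digest(), corpus)
              for d in range(devices)]
    return dedup_ratio(plain), dedup_ratio(sealed)

def central_store(devices=5):
    """Deduplicate plaintext first, then encrypt each unique chunk at rest."""
    key = hashlib.sha256(b"central-store-key").digest()  # hypothetical demo key
    unique = {hashlib.sha256(c).digest(): c
              for _ in range(devices) for c in split(sample_corpus())}
    # The chunk hash is mixed into the key so no two chunks share a keystream.
    return {h: encrypt(key + h, c) for h, c in unique.items()}

if __name__ == "__main__":
    plain, sealed = device_level()
    print(f"plaintext backups:        {plain:.1f}:1")
    print(f"device-encrypted backups: {sealed:.1f}:1")
    print(f"chunks stored centrally (encrypted at rest): {len(central_store())}")
```

With per-device keys, identical files produce unrelated ciphertext, so the backup target sees no duplicate chunks; encrypting after deduplication keeps the stored chunk count at the size of one copy.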
Whatever your solution, focusing on the employee usage rather than on the device can help the company to retain some control and ensure that your BYOD strategy is an effective one.
Stephane Estevez is product marketing manager EMEA/APAC at Quantum