Embracing secure BYOD without user conflict

End users just want to do what’s convenient. That means using their personally owned smartphones, tablets and laptops for both business and pleasure. Of course, this doesn’t sit well with IT, whose inflexible security policies don’t take user 'feelings' into account.

Worse still, employees in many organisations today have multiple choices when it comes to when and where to work, contributing to unchecked behaviours that bypass traditional security measures, such as using unsanctioned or unapproved applications, accessing insecure WiFi networks, or choosing to store important data and files on their personal devices.

As a result, the IT/employee divide is a growing problem. As IT struggles to protect digital assets and sensitive data, control costs, and maintain quality support and security, they are constantly opposed by indifferent armies of co-workers whose actions they can’t control.

Improving the relationship between IT and end users

IT teams looking for a way to resolve this should consider implementing Gartner’s Managed Diversity Model for BYOD and Choose Your Own Device (CYOD). Gartner’s model improves the relationship between IT and end users. The model has given businesses a new way to organise end users, specify device options and create a solid set of best practices — while still granting choice. By following its framework, IT and security pros can better respond to end-user preferences and re-address how security is deployed within their organisations.

The key for a happy balance between employees’ wants and IT security management is two-way communication that addresses each party’s concerns. Instead of maintaining rigid control from the top down, under Gartner’s model, IT can, and should, shift some decisions to end-users in a semi-managed device environment. There are still structured options, but with a broader scope. End users have more device choice—with the caveat that users accept more responsibility if they choose their own preference over IT’s. This Information Technology Infrastructure Library (ITIL)-compliant model presents three service choices available to users within the organisation, ranging from the traditional 'IT-controls-and-manages-everything' device to the 'user-free-for-all' device.

When applied correctly, this model offers more user choice without coming at the expense of security.

The fully managed device model

The fully managed device is the typical model most corporations employ, where IT and security professionals choose which devices are used, while also taking full responsibility for decisions that encompass everything from purchase to everyday use. This model allows organisations to implement any control(s) they deem fit for keeping safe the devices and the sensitive data they hold, without input or interruption from the end user. Usually devices that are used within this model are those essential to an employee’s workflow, such as computers or mobile devices required for daily tasks. IT will usually select devices for which they know they can manage security and support, allowing them to control the entire device and deploy robust security measures at all levels.

In this model, security may seem straightforward on the surface—with management solutions like Enterprise Mobile Management (EMM), companies can keep an eye on their devices and curb any risk incurred by the end user. The downside to this model is the lack of choice and the likely response by end users to circumvent security by using devices and services they prefer.

The semi-managed device model

Gartner defines semi-managed devices as those for which IT security and end users split the responsibility. This model has gained in popularity, as employees have increasingly demanded more choice. They have no qualms spending their own money to use their favoured devices, often bypassing IT and security measures to do so. It’s the driving force behind organisations’ move toward the BYOD and BYOC norms generally being adopted today.

Although a semi-managed device environment does provide personal flexibility to end users, that same flexibility raises security issues. Enterprise IT leaders are being forced to rethink their approaches, especially when it comes to safeguarding their network and endpoints — in large part because the end user is 100 per cent responsible for the device and its personally installed applications, while IT is only in control of enterprise content (e.g., corporate data, files, important login information, and financial records) in this model.

Mitigation of potential security issues in this model must start with IT security teams working directly with human resources, legal and finance departments to ensure compliance is always met. Options should be limited to a set of devices IT knows are highly secure and compatible with existing access control, management and security tools. More importantly, security management tools should be launched at the content and application level, not the device level. The ability to have safeguards at a granular level is paramount in a corporate environment where a personal application can be compromised and then negatively impact the larger device ecosystem, including critical content.

This level of security is even more important in cases where employees’, customers’ and contractors’ non-managed devices interact with a corporate network. Clear delineation of responsibility along with education is important whenever end users are involved.

Like it or not, the traditional, fully managed device environment’s days are numbered, and the corporate ecosystem that is emerging is more difficult to protect. However, with the right approach, training and tools, IT and security professionals can better enable and satisfy the “choice-first” employee while still maintaining a secure network.

Rob Greer, CMO and SVP of Products, ForeScout

Image Credit: Shutterstock/Rawpixel