A recent white paper from WatchGuard describes the market drivers behind the BYOD phenomenon, the challenges it presents to organizations, a strategic outline for managing BYOD, and how WatchGuard helps to create a secure BYOD ecosystem. The white paper also outlines 10 key strategic points that an IT department or administrator should consider as part of their BYOD planning process. Directly quoted from WatchGuard's white paper, the 10 points are as follows:
1. Get insights: [A common mistake in creating a BYOD strategy is] failure to know what employees are doing on the network. By taking a benchmark snapshot via firewall logs and reports, IT gains invaluable insight as to what devices are actually connected to the network, and just as importantly, what applications are being used.
2. Support social media: Do not immediately assume that use of Facebook or other social media applications means that employees are wasting their time. Instead, it is much better to review and examine the nature of the applications traversing the network first, before making any draconian moves that may grind productivity to a halt.
3. Manage passwords: Another mistake to avoid revolves around password management. All too often businesses resort to user-generated passwords as part of their access controls. This can lead to very weak passwords, which can compromise IT systems. Password policies for BYOD devices should be no different than strong password requirements for traditional IT assets, such as laptops or desktop computers.
4. Establish policy: IT should focus on policy to “keep BYOD simple.” IT should consider making a broad list (a meta table) of acceptable devices that can access the corporate network. Additionally, IT should also state which devices/operating systems it will and will not support. This way, tech-savvy employees can utilize what they like, knowing that they are responsible for the management and well-being of their device if IT does not support it.
5. Separate work from fun: IT should also include in their policy that work information should be kept separate from personal information wherever possible. Consider making it a standard operating procedure that when employees access the corporate network on their own device, they also agree to adhere to company acceptable use policies, as well as IT monitoring and risk management tools.
6. Acceptable use: In accordance with standard security practices, companies should always enforce minimal access controls. In other words, even with BYOD, a strong security policy would be to deny all, except for approved devices, applications and users. Every business will be different. Therefore, it is critical to know in advance what your security policy is with regards to access controls.
7. Limit access via VPN technologies: For businesses that require higher degrees of protection, IT administrators may want to limit access controls to devices that support some level of VPN connectivity. This way, regardless of where a consumer device is used, a secure connection is required to access corporate data.
8. Look beyond the device: Application control strategies play an important role in making a BYOD policy secure and efficient. Make sure your BYOD policy also includes specific applications that are acceptable as well as others that are not. With application controls in place, the network becomes agnostic to the device, and instead can enforce policies based on specific, acceptable applications.
9. Apply policy to a segmented network: Sensitive data should always reside on a different network than that which is open to guests, contractors or other non-employees. With a segmented network, IT can apply one set of policies for employees and another set for guests.
10. Understand compliance: Examine what else is at risk. Is your organization subject to regulatory controls, such as HIPAA or PCI DSS? Are damage controls in place so that if an employee loses a smartphone or tablet, it can be wiped to avoid loss of data?