Richard Blanford

The trend for individuals wanting to bring their own mobile device to work (BYOD) is increasing, from CEOs with a new tablet computer to apprentices with the latest smartphone. Mobile devices and mobile working are becoming increasingly common across the finance sector.

However, enabling mobile working has been much easier than understanding and managing the associated security implications. In many instances an increasingly technically aware user population is simply configuring its own remote and email access outside corporate IT security guidelines, and potentially storing sensitive corporate information on those devices. This also introduces issues where users bring their own device into the office and then connect it to the corporate network, using a wired or a wireless connection.

I believe we need to find practical ways to support consumer technology at work while maintaining control of sensitive information. There is pent-up user demand for this, and our advice is: if you can make it fit your security model, then do it!

BYOD requires a security policy which is enforceable, realistic, acceptable to users and doesn’t violate personal privacy laws. It needs to ensure there is no ambiguity and that all users are clear what is and is not allowed. Once all employees have been informed, the policy should be rigorously enforced.

Whoever is responsible for company IT should also encourage users to come to them for advice on using their device, so that they don’t send information outside the organisation in an uncontrolled fashion.

The key to successful and secure BYOD is to minimise the amount of data that is transferred to or held on the device. This can be done by virtualising applications and streaming them to the device, so that the user cannot access corporate applications unless the company is in control. It ensures data stays in the cloud or on the corporate network.

Company policy should be able to prevent the user downloading data. If the organisation wants to allow data to be downloaded, it becomes the user’s responsibility if they lose the device, and they need to be made aware of the consequences and their responsibilities.

Further security can be implemented by taking advantage of the remote wipe capability that most devices have, using encryption to secure sensitive data, and ensuring that the organisation’s BYOD policy mandates implementing Mobile Device Management (MDM) capability on the BYOD device.

Implementing a virtualised solution

Virtualisation can be provided in three ways. Option one is to run a hosted or virtual corporate desktop which the user can access through their device, using software such as Quest, Citrix or VMware. All the device needs is the appropriate client software. This solution is largely device independent, so it will work with everything from a user’s own laptop and all major tablet types to a Windows, Android or Apple phone. It needs appropriate back-end systems and network connectivity to deliver the desktop or application, and means that the user cannot work on corporate applications unless they are connected to the network. It can also be set up so the user can only access the desktop from known IP addresses. It is important to ensure that the device is reasonably secure and not infected, with appropriate virus protection.
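The "known IP addresses" restriction mentioned above is, in practice, a deny-by-default allowlist evaluated at the desktop gateway. The following is an added example written for this article, not code from the author or from any of the products named; the network ranges, the log format and the sample log lines are all constructed for illustration. It goes slightly beyond the text by also normalising IPv4-mapped IPv6 addresses, a common way for a naive allowlist check to wrongly reject (or, if written loosely, wrongly accept) a connection.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed allowlist of "known" source networks for the hosted desktop gateway.
# These are RFC 5737 / RFC 3849 documentation ranges chosen for the example only;
# a real deployment would use its own office and VPN egress ranges.
KNOWN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # assumed head-office egress
    ipaddress.ip_network("198.51.100.40/32"),  # assumed branch office static address
    ipaddress.ip_network("2001:db8:10::/48"),  # assumed corporate IPv6 range
]

# Constructed gateway log lines in the shape "<timestamp> <user> <source_ip>".
SAMPLE_LOG = [
    "2024-01-01T08:00:00Z alice 203.0.113.7",
    "2024-01-01T08:01:00Z bob 198.51.100.40",
    "2024-01-01T08:02:00Z carol 192.0.2.99",          # not in any known network
    "2024-01-01T08:03:00Z dave ::ffff:203.0.113.9",   # IPv4-mapped form of a known address
    "garbage line",                                    # malformed record
]


def build_allowlist(cidrs: Iterable[str]):
    """Parse CIDR strings strictly so a typo such as 203.0.113.7/24 is rejected
    at configuration time instead of silently widening the allowlist."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_known_source(addr: str, allowlist) -> bool:
    """Deny by default: True only if addr parses and lies inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    # An IPv6 socket can report an IPv4 client as ::ffff:a.b.c.d; compare it
    # against the IPv4 allowlist entries as the IPv4 address it really is.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in allowlist)


def filter_connection_log(lines: Iterable[str], allowlist) -> List[Tuple[str, str, str]]:
    """Classify each log line as (user, source, verdict). Malformed lines are denied,
    never skipped, so they show up in review rather than disappearing."""
    decisions = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            decisions.append(("?", line, "deny"))
            continue
        _ts, user, src = parts
        verdict = "allow" if is_known_source(src, allowlist) else "deny"
        decisions.append((user, src, verdict))
    return decisions


if __name__ == "__main__":
    for user, src, verdict in filter_connection_log(SAMPLE_LOG, KNOWN_NETWORKS):
        print(f"{verdict:5} {user:8} {src}")
```

The check is deliberately a complement to, not a substitute for, user authentication and the device health checks the paragraph above calls for: it answers only "did this connection arrive from a network we expect".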

A second option, particularly for laptops, is to install client hypervisors and virtual desktop check-in/check-out software on the device, such as MokaFive, Citrix XenClient or VMware View offline. Windows 8 Hyper-V can also work in a similar fashion. This is a higher impact solution, as the IT team needs to configure the user device and install the client hypervisor to accept the virtual desktop. It works by creating separate, bootable desktops on the same device and partitioning the hard drive into business and personal areas; the corporate desktop can then be run locally, so it is a good solution if the user needs to work offline. When the user goes online it checks back into the server (using a VMware/Citrix solution) or synchronises (using MokaFive/Quest). However, it will not work with all devices, as you cannot run a full corporate desktop on devices such as an iPad, and it needs a high specification PC to run multiple desktops.

The third option is to repackage applications to be accessed through a portal (similar to iTunes). It requires either application streaming or the creation of lightweight clients (apps) which can run on a smartphone or tablet and have just enough intelligence to run basic functions, while most of the processing is carried out by the web-based back end. This becomes more difficult if the user wants to run ‘large’ applications such as SAP or Microsoft Office. This is where most people believe desktops are heading, with a web portal used to display the available applications to the user, accessible from a wide range of devices and operating systems.

BYOD is clearly here to stay, and each organisation needs to find a way to implement it that maintains data security while being realistic and acceptable to users. The list of considerations will differ for each organisation, but it is always essential to ensure that corporate policy is set first, before looking for technical solutions.
