by Paul Schwarzenberger, Enterprise Security Architect
There is a fast-growing trend amongst HP’s enterprise customers towards a “Bring Your Own Device” or BYOD model for mobile and portable devices. Employees are increasingly allowed – or encouraged – to use a personal device, such as a smartphone or tablet, to access business resources. Many organizations wish to embrace the consumerisation approach in order to maximize productivity and flexibility for their mobile workforce and to improve employee satisfaction.
However, personal mobile devices are outside of corporate control, which can lead to increased risks ranging from data loss to compromise of the corporate network. Here is my view of the top 5 enterprise security challenges with the BYOD approach.
1. Loss of corporate data – once data is on a personal mobile device, it can be emailed from a personal email account, uploaded to servers on the Internet using an app such as Dropbox, or transferred to a home computer through synchronization, and the mobile device itself can be lost or stolen.
2. Balancing security against user experience – there are security solutions available which provide a secure container for corporate data; however, these often only work for a few applications such as email, and the user experience can be restrictive. On the other hand, giving the user the flexibility to use any app for business purposes can remove the separation between business and personal data.
3. Malicious apps – earlier this year Google removed 58 malicious apps from the Android MarketPlace; this demonstrates the potential risk of harmful apps not just on Android smartphones but on any mobile operating system. Apps can be designed to covertly record phone conversations, turn on the phone camera, take screen captures, capture passwords, or track location, and upload the harvested information to the attacker.
4. Legal and privacy issues – many enterprise customers are considering implementing a mobile device management (MDM) system to enforce a minimum security standard on devices connecting to the company’s email servers. In addition to ensuring smartphones comply with a security policy, MDM systems can remotely wipe a lost or stolen device, and report the device location. Are these actions legal or ethical, and should a user explicitly agree to them in advance as a condition of use? Such judgments may vary from one country to another; for example, the privacy laws in Germany are particularly strict.
5. Who pays? – enterprises need to decide who should pay for the mobile device, who pays for data charges, and who should pay for business-related apps. Data charges while roaming abroad can be particularly significant.
Do you allow employees to use their own mobile devices within your corporation? If so, how are you managing your information security as it relates to these devices?