The easiest way to secure the network and protect company data is to simply not allow mobile devices to access company resources at all. Of course, that's a highly impractical policy, and one that ignores the many benefits mobile devices bring to the table. You can block non-managed devices from connecting to the network, and you can lock down USB ports on company PCs, but it's virtually impossible to ban employee-owned devices altogether.
That doesn't mean you should just surrender and let the employees do whatever they like. There are pros and cons for both the company and the users when it comes to adopting a bring your own device (BYOD) policy, and users need to understand from square one that the tradeoff for being allowed to use their own smartphone or tablet for work is that the IT admin must be able to exercise some control to protect the network and sensitive company data.
In order to manage mobile devices effectively, you need to employ some form of mobile device management (MDM) tool. MDM gives IT admins the ability to manage security settings on mobile devices, track the mobile devices with access to the network, monitor compliance with company policies, and remotely wipe data from lost or stolen devices if necessary.
With MDM, you can apply a unique balance of access and security to fit your specific needs. Three ways to support a BYOD program include:
1. Block access to corporate resources using network access control (NAC) systems. A properly configured router can block all devices that aren't in a list of authorized devices, but that is a tedious, inelegant solution at best. NAC tools, on the other hand, provide more dynamic, robust protection.
NAC devices, such as the Black Box Veri-NAC 5230, scan all devices attempting to connect to the network to verify that they comply with corporate policies. If the device doesn't meet corporate security requirements or isn't properly patched and updated, access can be denied, or the user can be redirected to a site with links to the resources necessary to achieve compliance and get a green light from the NAC tool.
2. Grant access to all devices and design a written policy to keep corporate data safe. A written policy delivering clear instructions on the access and use of company data on mobile devices is not only a good idea, it's crucial for any company adopting the use of mobile devices at all. But by itself a written policy puts the burden on users to execute the steps to secure their mobile devices and doesn't provide IT admins with any sort of oversight or assurances that the policy is being followed properly.
In this scenario, the IT admin has to manually manage and maintain the mobile devices--taking the time to verify the use of basic security measures such as secure passwords, remote tracking for lost or stolen devices, and the activation of remote-wiping features on all mobile devices. While iPhones, iPads, and other mobile devices include these features, depending on end users to properly configure them can be a dicey proposition. In companies with more than 100 workers, it's nearly impossible to enforce.
3. Manage devices directly via a mobile device management (MDM) server.A mobile
device management (MDM) server, such as IBM Endpoint Manager for Mobile Devices, Microsoft's System Center or Symantec's Mobile Management, gives the IT admin the tools to centrally monitor and manage the mobile devices that connect to the network. MDM can be used to set security controls of mobile devices to meet company policies, and help IT admins make sure all mobile devices are properly configured.
This system offers the best flexibility--with the possibility of setting up groups of users who can be treated differently depending on their needs--while still ensuring that everyone meets minimum requirements for security. Because all major types of mobile devices are supported by the major MDM systems, you easily can support multiple manufacturers and sizes of mobile devices, including iPhones and iPads. For a company with more than a few hundred workers, a scalable MDM solution is an essential component of the data center.
An ideal solution combines all three of these options. MDM is a valuable tool for IT admins to manage mobile devices in the environment, but it should be employed in conjunction with a clearly-defined written policy and NAC tools to prevent non-compliant or unauthorized devices from connecting to network resources.
This story, "Three Common Strategies to Support BYOD" was originally published by Macworld.