Friday, September 7, 2012

BYOD Program & Controls Requirement - II

After I wrote the previous post, BYOD Program & Controls Requirement, I received a comment on WFH. I am not covering that in this article, as it is a separate topic of discussion. More interesting is a point that came up in a discussion with a colleague over a cup of coffee: the discussion actually presented a counter argument to the Jump Server configuration.

During that discussion I was, and still am, very much inclined to the view that the first step of a BYOD program should be for the organization to define the set of machines it will allow. It is important for the organization to define what it is going to allow. A deeper dive into the topic reveals that the selection of devices prompts an additional thought process, or rather, that the organization needs to define which devices it will allow based on the support strategy for its BYOD program.

The various strategies revolve around user experience versus technological deployment. If an organization prefers to restrict user experience and go with technological deployments that ensure data security and related controls, it would then need to restrict BYOD to laptops and desktops (possibly only when used for WFH). In this case the controls would be the set already discussed in the previous post mentioned above.

If the organization instead selects user experience, it would need to ensure that it can support any device and enhance the mobility of the user. This decision, however, needs to be based on the following questions -
  1. What applications would be supported for BYOD, and what level of modification / application change would need to be carried out?
  2. What level of security would be needed to extend support to the devices?
  3. What would the application support model be: browser based only, or client based with part of the program sitting on the client side?
  4. Would VPN security be extended to the devices that are supported?
There are many more questions that need to be answered for a successful BYOD program. The organization would additionally need to decide whether a One Device One Number sort of program should be adopted. If the organization decides to implement such a program for increased mobility, it needs to ensure soft phone support.

The BYOD program, it seems, is not an easy decision to take, as the organization would need to answer many other questions, specifically those that help it mitigate risks and meet compliance requirements in an operationally effective and efficient manner.




BYOD Program & Controls Requirement


BYOD, or Bring Your Own Device, is the direction organizations are planning to take. The corporate world is abuzz with the talk, as it would help organizations reduce their IT budget and increase operational efficiency. In my view it is not that bad an idea, but it requires looking a bit deeper at the compliance perspective and at the risks that emanate when an organization runs BYOD. Organizations would need to invest in and manage various technological solutions to ensure that the Data Privacy and Protection Laws of the world are addressed and that a common framework of controls is enforced across all the devices that come into being due to BYOD.

A BYOD program, from the aspect of controlling data access and ensuring data protection, would need to evaluate and consider deploying the following technologies:
  • Jump Server – to log in to the organization's corporate network and provide a virtual desktop environment to the users. The virtual desktop would carry all the desired user settings, including file & print configuration, proxy settings, mailbox configuration and the application shortcuts for the applications the user concerned needs.
  • Network Admission Control – to control the risks emanating from unpatched and unprotected personal devices that can introduce Trojans, viruses, worms, bots etc. into the corporate network. Organizations would need to look critically at investing in a strict anti-virus & patch management regime supported by the Network Admission Control devices.
  • Two Factor Authentication – to ensure that password compromises do not impact / provide access to the corporate network. Additionally, this would also help organizations support a Work from Home (WFH) program, thus further reducing the operational cost of facility management for the ever growing number of seats as the workforce increases.

These are just indicative controls that should be considered, or rather implemented, by organizations seriously going down the BYOD path. Certainly the CXOs of the world would be better placed to take the final decision on the set of controls to add, from the likes of IDM, DLP and SSO. This would certainly require an in-depth assessment of the requirements and of the risks emanating to the organization.