The trend for individuals to 'bring their own device' (BYOD) to work is increasing, but enabling BYOD has been much easier than understanding and managing its security implications.
I believe we need to find practical ways to support consumer technology at work while maintaining control of sensitive information. The core principle is to minimise the amount of data transferred to or held on the device.
There are three steps organisations can take:
- Virtualise applications and stream them to the device.
- Allow access but implement a corporate policy that prevents the user downloading sensitive organisational data to the device. If the organisation does choose to allow data to be downloaded, responsibility for that data passes to the user if the device is lost, so users must be made aware of the consequences and of their obligations before they are given that access.
- Take advantage of the remote wipe capability that most devices have, use device encryption to protect sensitive data, and ensure that the organisation's BYOD policy mandates enrolment in a Mobile Device Management (MDM) capability. Remote wipe only works while the device is still reachable and powered on, so it is a backstop, not a substitute for encryption that is enforced before the device is ever lost.
As a first step, we recommend classifying users according to their job requirements and need, and then providing the devices, services and applications they require to fulfil their job using a virtualised solution.
Organisations can choose one of three ways to implement virtualisation: a hosted or virtual desktop, client hypervisors, or accessing applications through a portal.
A hosted or virtual corporate desktop requires software such as Quest (now Dell Software), Citrix or VMware, appropriate back end systems and network connectivity to deliver the desktop or application. It will work across all types of device, including all major tablets and Windows, Android or Apple phones.
The IT team needs to ensure the device is reasonably secure and not infected, with appropriate virus protection, and needs to install the appropriate client software.
Policies can be set to prevent downloading information to local devices or cutting and pasting between the virtual desktop and the local device. These policies control the data channels between the session and the device; they cannot stop a user photographing or screenshotting what is displayed, so they reduce rather than eliminate leakage. The other limitation is that the user can only work on corporate applications when connected to the network.
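The download and clipboard restrictions described above are enforced on the session host, not on the user's device. The following is an added example, not code from the original article or from Fordway, showing how to audit and enforce the equivalent settings on a Windows Remote Desktop Session Host, which is one of the hosting options implied here. It assumes the two standard Group Policy-backed registry values `fDisableClip` and `fDisableCdm` under the `Terminal Services` policy key; Citrix and VMware expose the same controls ("Client clipboard redirection" and "Client drive redirection") in their own policy consoles, which this script does not touch.

```powershell
# Added example, not part of the original article: audit and optionally enforce
# the session-host policies that stop data leaving a hosted desktop for the
# user's own device. Assumes a Windows Remote Desktop Session Host; run elevated.
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value -> the Group Policy setting it backs. A value of 1 means the
# redirection is prohibited; missing or 0 means data can move to the device.
$RequiredValues = @{
    fDisableClip = 'Do not allow Clipboard redirection'  # blocks copy/paste to the local device
    fDisableCdm  = 'Do not allow drive redirection'      # blocks saving files to local drives
}

function Get-RedirectionPolicyState {
    # Returns one object per policy with its current value and a compliance flag.
    foreach ($name in $RequiredValues.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value     = $name
            Policy    = $RequiredValues[$name]
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Compliant = ($current -eq 1)
        }
    }
}

function Set-RedirectionPolicyLockdown {
    # Writes the prohibitions. New values apply to sessions started afterwards,
    # so existing sessions should be logged off for the change to take effect.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $RequiredValues.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
    }
}

# Report first; only change anything when -Enforce is given.
$state = Get-RedirectionPolicyState
$state | Format-Table -AutoSize

if ($Enforce) {
    Set-RedirectionPolicyLockdown
    Get-RedirectionPolicyState | Format-Table -AutoSize
} elseif ($state | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Data can still leave the hosted desktop; rerun with -Enforce to lock it down.'
}
```

In a domain, these values are normally pushed centrally by Group Policy to every session host, and a policy refresh will overwrite anything set locally; treat the script as a per-host check that the central policy has actually landed rather than as the primary way of setting it.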
A second option is to install a client hypervisor and virtual desktop check-in/check-out software on the device, such as MokaFive, Citrix XenClient, VMware View offline desktops or Windows 8 Hyper-V. This creates separate, bootable desktops on the device and partitions the hard drive into business and personal areas.
As the corporate desktop runs locally, it's a good solution if the user needs to work offline. When they go online it checks back into the server (using a VMware/Citrix solution) or synchronises (using MokaFive/Quest).
It's particularly good with laptops, but won't work with all devices, as you cannot run a full corporate desktop on devices such as an iPad. It also means the corporate desktop, and whatever data it holds, is now stored on the user's own hardware, so the business partition must be encrypted and covered by remote wipe. And it creates more work for the IT team, who have to configure the device and install the client hypervisor before it can accept the virtual desktop.
The third option is to package applications to be accessed through a portal using either application streaming or the creation of lightweight clients (apps).
These apps can run on a smartphone or tablet, as most of the processing is carried out by the web-based back end. However, it becomes more difficult if the user wants to run 'large' applications such as SAP or Microsoft Office.
In the longer term, we believe most organisations will choose this route.
- Richard founded Fordway in 1991 and has built it into one of the UK's most respected IT infrastructure change providers. An ex-technician, his 20+ years' experience enables him to prioritise business-critical problems and offer constructive, vendor independent advice.