What role does cloud play in ensuring secure BYOD use?
BYOD security is and has been a major point of interest (perhaps hype) in IT for some time now. The desire for employees to use their own smartphones and devices frames an opportunity for businesses to cut capital expenses and increase efficiency. Despite the potential upsides, and while there are many companies that have come to embrace such an approach, there are major hurdles where security and compliance are concerned.
As an added layer of complexity, many companies are also balancing the cloud and network requirements of BYOD with the degree to which they have outsourced their infrastructure to managed service providers or other outsourced cloud and infrastructure providers.
What primary concerns of BYOD do managed services figure in?
Security: One of the chief challenges to BYOD, and a major component of maintaining compliance, security on the technical end benefits from seasoned practitioners. Most companies instituting BYOD policies and procedures might have several well-trained technicians, but if the company is looking at managed service providers anyway, the reality is that it is looking to take advantage of the technical bench at the MSP for a range of expertise reasons, security chief among them. Depending on the scale of the BYOD implementation in an organization, more security checks must be instituted on the technical end. Physical security will reside with the company itself, given that employees’ phones, laptops, and other devices remain within the individual employee’s control.
Monitoring: BYOD usage is a difficult security proposition, and monitoring is key to ensuring compliance and accountability in how devices are actually used around company data. There are many ways that BYOD can go bad: exposing internal networks to viruses, employees taking sensitive data, and misuse of network bandwidth, as noted by SCMagazine.com. However, with the right network access controls and policies in place, combined with multifactor authentication and consistent password update protocols, some of these threats and pitfalls can be mitigated. Again, the experience of the MSP comes into play, since they have seen so many different kinds of businesses implement so many different kinds of infrastructure approaches. Where monitoring is concerned, MSPs are truly experts, as the offering is part of the package they develop for every client.
Data Control: Central to security, monitoring, and ultimately compliance, data control is possibly the most important aspect of balancing BYOD momentum with smart business policy. While there are many threats to data from a BYOD perspective (employees losing phones, taking documents on flash drives, etc.) that MSPs cannot control, there are other ways in which MSPs can directly help ensure data integrity. From a cloud architecture perspective, best practices for redundancy, high availability, and disaster recovery are an MSP’s bread and butter. Most MSPs will not interact with the application layer of a client’s business. However, depending on the nature of the relationship and the associated compliance requirements, an MSP can become a business associate. Signing a business associate agreement (BAA) does not make the MSP responsible for the data, but it does assign the limits of liability in the case of a breach or some other disruption or exposure, since the infrastructure the client company uses is tied to the MSP.
Compliance: Whether it is PCI compliance, HIPAA, SSAE16, NIST, FISMA, or any of the other numerous types of compliance that businesses have to meet, utilizing managed service providers to manage audits and procedure is always a good idea. Layer on BYOD compliance requirements, which almost every MSP has to handle internally anyway, and you have a ready-made policy foundation on which your company can model its own approach. Depending on the degree of infrastructure an MSP maintains for your company, you can also utilize their security and compliance protocols as a runway to enhance your own, and utilize their compliance audit to fulfill at least some portion of your compliance obligation.
How else do MSPs enable or hinder BYOD for your organization? Let us know on Twitter @CloudGathering
By Jake Gardner