The following blog was written by Nate Rushfinn, a Principal Customer Solutions Architect with CA Technologies.
According to a recent Gartner Group CIO study, by 2016 80% of employees will be eligible to use their own equipment with employer data. But a Forrester study revealed that today 37% of people already use their own devices without formal permission.
Based on these numbers, BYOD is clearly not a fad, and the use of employee-owned devices on government networks will only increase. One thing is certain: no one wants a repeat of the $1.5 million stolen-laptop incident. If we are going to allow personal devices on the network, we need to ensure that security is a two-way street, and that we protect both the personal information of the employee and the sensitive data of the agency.

Government agencies are not fast food restaurants. Our mission statement is not to provide the low-cost burger AND to give it to you "Your Way". Agencies must remain true to their mission to serve and protect the people.
BYOD can work, but only under one of two models, not a blend of both. The first model is Full Up Control. Government Furnished Equipment (GFE) is issued to the employee, and the device is locked down either at the factory or in the operations center with an approved image that has a Mobile Device Management (MDM) agent built in. MDM lets the agency manage the device fully over the air: it prevents the installation of unapproved software and blocks unauthorized access to sensitive data. Devices can be located via GPS and wiped remotely when they are lost. With full up control, the agency has end-to-end management of both the device and the data.
The other model is true BYOD, where employees purchase and own their own devices. They are fully responsible for everything, including damage, loss and corruption. If they get a virus or can't install an app, they do not call the help desk. In exchange, they can install their own apps and go wherever they want. However, when they want to access protected or sensitive data on the government network, they do so only through a secure tunnel to specific applications; they do not get wide-open access to the network the way a VPN grants it. Using strong two-factor authentication (the kind that resists a man-in-the-middle relaying the login, which a bare one-time code on its own does not), users are first properly authenticated and then given access, through single sign-on, only to specific applications in which the data is protected in motion and at rest. Sensitive data does NOT ever reside on the phone, and it is simply not available when you do not have service.
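To make the difference between this per-application model and a network-level VPN concrete, here is an added example (not code from the original post or from CA Technologies) of an application-scoped access gateway: the user logs in with a password plus a TOTP code (RFC 6238), receives a short-lived opaque token that names only the applications that user is cleared for, every request to anything else is refused even though it sits behind the same gateway, and responses are marked no-store so the device keeps no copy. The user "jdoe", the apps "timesheet", "directory" and "fileserver", the password and the TOTP seed are all constructed for this example.

```python
"""Added example: an application-scoped access gateway for personally owned
devices. Users, apps, passwords and secrets below are constructed and are
not from the original post."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP = 30          # TOTP time step in seconds
TOKEN_TTL = 600    # session token lifetime in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(now / STEP)."""
    return hotp(secret, now // STEP)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, now + i * STEP), code)
               for i in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user directory: one employee, cleared for two applications only.
_SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"constructed-totp-seed-for-jdoe",
        "apps": {"timesheet", "directory"},   # not "fileserver", never the raw network
    }
}
APP_ROUTES = {"timesheet", "directory", "fileserver"}   # everything behind the gateway
SESSIONS: Dict[str, dict] = {}


def login(user: str, password: str, code: str, now: int) -> Optional[str]:
    """Both factors must pass; on success return an opaque, app-scoped token."""
    rec = USERS.get(user)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], code, now)
    if not (pw_ok and otp_ok):      # both evaluated, so timing does not reveal which failed
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "apps": set(rec["apps"]), "expires": now + TOKEN_TTL}
    return token


def gateway(token: str, app: str, now: int) -> dict:
    """Route a request to `app` only if the token is live and names that app."""
    sess = SESSIONS.get(token)
    if sess is None or now >= sess["expires"]:
        SESSIONS.pop(token, None)
        return {"status": 401, "body": "authenticate"}
    if app not in APP_ROUTES or app not in sess["apps"]:
        return {"status": 403, "body": "no route to %s for %s" % (app, sess["user"])}
    # Data is served through the gateway and never cached on the device.
    return {"status": 200,
            "headers": {"Cache-Control": "no-store", "Pragma": "no-cache"},
            "body": "%s data for %s" % (app, sess["user"])}


if __name__ == "__main__":
    t = int(time.time())
    tok = login("jdoe", "correct horse battery staple",
                totp(USERS["jdoe"]["totp_secret"], t), t)
    print(gateway(tok, "timesheet", t)["status"])              # 200
    print(gateway(tok, "fileserver", t)["status"])             # 403: outside this user's scope
    print(gateway(tok, "timesheet", t + TOKEN_TTL)["status"])  # 401: token expired
```

The point of the example is the authorization decision in `gateway`: a VPN would hand the device a route to every host, whereas here the token carries an allowlist of applications and "fileserver" is unreachable for this user even though the gateway fronts it. The TOTP shown is the ordinary time-based code; as noted above, a relaying man-in-the-middle can replay such a code within its validity window, so an agency that needs phishing resistance would substitute a hardware-bound second factor at the `verify_totp` step.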
Both models work, but problems arise when we try to mix them and want a little bit of both. We cannot give up our mission to serve and protect. There can be no potential for a stolen device with sensitive data on it. No, you can't have it your way.