Due diligence oversight, from inception, is crucial once an organization decides to investigate a mobility program that enables workers to access both corporate and personal data.
The evolving trend, over the last few years, of providing corporate, handheld devices to designated employees to enable them to better perform their jobs were issued with fairly strict technological restrictions and in an atmosphere of trust. As feature-enriched smartphones, tablets and amazingly thin & highly compact notebooks started evolving, these same workers and workplace colleagues started sporting such devices for personal use – hence, it is quite common to see folks carrying a corporate-issued Blackberry together with an Android, Windows, or iPhone device.
As organizational technology advances, accompanied by aging device replenishment needs workforce divestment and remote or home office access, more organizations began investigating and implementing a single device strategy, wherein restricted and controlled access would be provided to corporate servers while also partitioning the device for the employee’s personal use.
There is a variety of approaches ranging from BYOD (Bring Your Own Device) under which an employee may use their own, or corporate issued or funded, device to access both organizational data that is ideally segregated from personal data to COPE (Corporate Owned, Personally Enabled), strategies under which the Corporation issues an authorized device for corporate utilization and also so enabled for the employee’s personal use.
The various criteria that distinguish “a wider array of technology options beyond BYOD, such as HYOD (Here’s Your Own Device) or CYOD (Choose Your Own Device) BYOD programs in terms of ownership, contracting and paying for services, many of which are described summarized in the Ontario’s Information and Privacy Commissioner’s most excellent December 2013 white paper: BYOD: (Bring Your Own Device) Is Your Organization Ready?
Mobile devices provide splendid access capabilities to enterprise Critical data and databases hosted in backroom servers (both via VPNs and direct connect), Server-based and cloud enabled corporate apps, corporate e0mail, and additional corporate authorized/enabled functions.
Mobile device strategies and resulting policies range from organizationally-owned devices that are furnished to select workers, through to those where the organization will enable the worker to link up and connect their own smart phone or tablet to enterprise servers that host privileged and sensitive data, as well as data required by law to be maintained as private (e.g. personal information of employees and customers). However, caution must be exercised in establishing an organizational mobile strategy as handheld devices may translate into a potential springboard for violation of organizational end-to-end security policies that were carefully designed precisely to protect confidential and entrusted data from unauthorized or public disclosure.
While mobile devices, come in a variety of designs and dimensions, ranging from smart phones, tablets to phablets, and sometimes include notebooks (in the ever-diminishing size), your organizational strategy must, of necessity, translate into a policy that reflects security and privacy containment – a policy that prohibits access and retention for personal benefit or possible disclosure, inadvertently or by design, of organizationally privileged and sensitive data , as well as that category of data required by law to be maintained as private or confidential.
In developing the approach, risk assessment and management must recognize that potential of a mobile device serving as a gateway for external intrusions, threats that result in critical data destruction, or unauthorized or inadvertent disclosure of sensitive, business-critical, and associated confidential information. Likewise, the potential for compromise of personal information of employees, customers, or those to which the organization has a duty of privacy remains a key consideration in developing your organization containment strategy.
The separation of cloud-based offerings, initially designed to serve either the consumer or the business marketplace, has become blurred over the last couple of years or so, while the memory handling and storage of capacity of mobile devices continues to increase, as have mobile friendly cloud-based services.
Today, workgroups that may include outside consultants, business units, and individual employees have moved onto a new organizational and IT challenge: Bring Your Own Cloud (BYOC).
Witness the ubiquitous use by both business and consumers of cloud storage and sharing services, such as Dropbox, OneDrive, Box, Google Drive, etc. More and more organizations, or employees and internal working groups, are moving away from the IT department managed web portal and related file and document sharing structures to cloud-based services. It’s become quite common in both public and private sectors, to receive a folder sharing invite to one of the web-based, cross-platform cloud services. Are there organizational policies in place that govern the access and use by employees of cloud-based services — at both the inviting and accepting ends?
What has been termed as Cloud Sprawl has become a fact of life and needs to be understood within the context of corporate security and personal enablement? The internal storage capabilities and ever-evolving capacities of personal devices now enable the transfer of large files and blocks of data from corporate servers to personal accounts. What are the risk mitigation steps that need to be taken that will preclude the copying and transfer of folders and files from corporate servers (resident or cloud-based) to personal folders on home-based servers or to cloud storage accounts?
It used to be that we all worked from a desk in a designated office or bench top in a manufacturing facility – today many of us work from our homes, coffee shops, sports and recreational facilities. What has become obvious is that while we are no longer required to lug around our notebooks or laptops with us, we still need the right policies.
Photo by VIKTOR HANACEK via PicJumbo.com
End-of-support-devices: Time to Upgrade is Now
Sadly, it’s too often the case that something needs to ‘go boom’ with networking devices for organizations to realize there’s even a problem. But there are simple steps IT leaders before disaster strikes.