10 tips for implementing BYOD securely

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

With the Bring Your Own Device (BYOD) movement quickly becoming an accepted norm, IT needs to better understand how it impacts all aspects of the corporate network security strategy.

The true cost of BYOD

BYOD is another technology trend that moves a company from a position of risk avoidance to risk management. Where many IT organizations get it wrong is they focus on only one piece of the puzzle - like the device. If organizations want to minimize the risks of BYOD, they need to assess the impact on the network security ecosystem and understand the big and small weaknesses it creates.

Here are 10 tips for implementing BYOD securely and effectively within the enterprise, while fostering secure, remote access to business critical information:

1. Go Beyond Passwords to Authentication. Static passwords, combined with the risks of BYOD, are not enough to ensure secure remote access to sensitive business data and systems. Companies should consider multi-factor authentication methods to strengthen security while continuing to prioritize usability. One-time passwords and alternate notification methods (e.g. text messages) are two ways to make the authentication process holistically stronger.

2. Secure Remote Access with SSL-Based VPN. Once you have authenticated a user, companies must secure the network connection. SSL VPN gives employees enormous flexibility to access the network securely from any location and from any mobile device. Furthermore, unlike IPSec, SSL VPN provides secure remote connectivity without the need for software to be installed on each device.

3. SSO for Password Fatigue. Separate logins for individual applications are both a hassle and a security risk, as users may deploy insecure methods for keeping up with different passwords. Single sign on (SSO) tools let employees use a single password to access a portal of company and cloud applications, and can be part of an SSL VPN configuration.

4. End Node Control. Once an employee leaves the company, network access should leave right along with them. However, that is not always the case unless there is a way to instantly and effectively block specific users. Find a solution that manages devices from the corporate side, not just the employee side, and allows you to quickly remove a specific user's access privileges with a few keystrokes. This should be accomplished without requiring redefinition of the entire user base, which is both time-consuming and prone to error.

5. Applying a Federated ID. Federated ID simply means that the person's identity is stored across multiple systems, such as when you use Facebook or Twitter to log in to another account online. The same works for your organization, where you authenticate a user, and then allow them access across internal and external systems that you manage. Federated IDs allow single sign-on for the employee. What are the benefits? The employee logs in to any approved system easily, the corporation controls access even to cloud-based applications, and the service provider does not need to maintain user profiles.

6. Soft tokens with BYOD. Physical security devices have become risky and cumbersome. BYOD represents a wonderful opportunity for enterprises to save money on the costs of buying, managing and distributing hard tokens or other physical devices. Soft security tokens that interact with the employee device, such as a smartphone, provide an "ergonomic" solution that works for both parties, and can be easily updated and managed as the threat landscape changes.
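Tips 1 and 6 both point at the same mechanism: a one-time password generated by a soft token on the employee's phone and checked by the corporate side. The following added example (not code from the article or from Stonesoft) implements the standard RFC 4226 HOTP / RFC 6238 TOTP algorithm in Python and the server-side check a practitioner needs with it: a small clock-skew window and rejection of any time step at or before the last accepted one, so a code that was observed in transit cannot be replayed. The secret, user name and timestamps are the RFC test vector and constructed values; a deployment would use `new_secret()` per user.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890"); a real
# deployment provisions a random per-user seed with new_secret() below.
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> str:
    """Generate a random soft-token seed, Base32-encoded for an otpauth:// URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): dynamic truncation of HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step (30 s by default)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Server-side check with clock-skew tolerance and replay rejection."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_step = {}  # user -> last accepted time step (persist this in production)

    def verify(self, user: str, secret: bytes, code: str, now: Optional[float] = None) -> bool:
        t = int(time.time() if now is None else now) // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = t + offset
            # A step at or before the last accepted one is a replay: reject it even
            # if the code matches, so a captured OTP cannot be submitted twice.
            if candidate <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(RFC_TEST_SECRET, at=59)                    # "287082" (RFC 6238 vector, 6 digits)
    print(code, v.verify("alice", RFC_TEST_SECRET, code, now=59))   # True
    print(v.verify("alice", RFC_TEST_SECRET, code, now=59))         # False: replay rejected
```

The `window` of one step each side absorbs phone clock drift without widening the guessing space much; the replay record is the part most home-grown implementations forget, and it is what turns an observed code into a one-time credential rather than a thirty-second password.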

7. Manage the Entire Process. The risks of BYOD make it even more critical to have a centralized view of network activity, incoming threats and abnormalities within the network, as well as the ability to quickly and easily respond. It is important to find a centralized management console that provides comprehensive reporting, incident process management, progressive multichannel alerting, geotagged statistics and the ability to apply governance across the entire platform.

8. Appoint a Leader, Execute a Strategy. Management of a BYOD strategy should not be a responsibility that's lumped in with the hundreds of other tasks that IT manages. Appoint a cross-functional leader who will oversee the policies, guidelines, roles and duties of the various departments that are involved with executing a BYOD strategy. This person will be responsible for determining every aspect of BYOD within the enterprise, including what devices will be allowed, what departments will support them and who pays for support, service, data plans, etc.

A sampling of BYOD user policies

9. Have a policy. No matter who owns the device, employees must abide by corporate information security protocols if they are using the device for business. A BYOD policy should cover the basics, such as requiring an auto-locking capability and a personal identification number (PIN), and requiring support for encryption and remote wipe in case of theft. The policy should also cover what types of data can and can't be stored on the device, what to do if it's stolen, and acceptable and unacceptable backup processes. Most importantly, have a written user agreement policy and communicate regularly the importance of following security procedures when employees use their devices.

10. Encourage common sense. Don't assume employees will use common sense - reinforce it. Regularly review even the most obvious mobile device security measures, like what to do if a device is lost or stolen, regular device updates, locking devices when not in use and using discretion with downloads.

Following these tips will enable you to embrace BYOD while safeguarding your existing security ecosystem.

Stonesoft provides mid- and large-sized organizations with software-based network security solutions, which include the industry's first evasion prevention system (EPS), the industry's first transformable Security Engine as well as standalone next generation firewalls, intrusion prevention systems and SSL VPN solutions.

By Richard Benigno, Senior Vice President of Americas, Stonesoft