Additional access control factors including device type, NAC profile, and geolocation can be used to make more informed access control decisions in a BYOD environment. With device type restrictions, certain data can be accessed only on approved devices such as company issued laptops or restricted on mobile phones. NAC profile can also play a role in access decisions. Access might be denied to devices that do not have the latest virus definitions or patch levels. [Also see: "NAC access control: A multi-dimensional puzzle"]
Lastly, geolocation features that report a device's global position are built into many new devices and this allows access control systems to grant or deny access based on where the device is in the world. This is especially important in complying with regulations that might stipulate that data not leave the country or when data must be treated differently for certain countries or states, however it is not completely reliable since geolocation data can be modified by the user on their device. If BYOD is in your future, consider adopting applications that support some of these access controls.
4. Data containment
It is almost certain that data exists on personal devices in BYOD organizations. This is a concern for both companies and individuals, necessitating data containment. Companies run the risk that data could be lost if personal devices are shared, compromised or stolen and individuals are concerned that the presence of company data on their devices could result in seizure if the data is part of a legal hold. [Also see: "Corporate-owned vs. employee-owned devices"]
The best method, of course, is to ensure that company data does not reside on personal equipment. Proponents of virtualization and terminal servers argue that data containment is effectively handled when access is through a virtual machine or terminal server because the data a user accesses stays on a machine residing within the corporate network. However, even with virtual desktops, data is sometimes accessed through other channels such as mobile phones and Web applications.
The combination of device encryption and remote wiping technology provides a level of assurance that data will not be purloined before it can be wiped. Encrypted devices increase the amount of time and effort required to obtain data on the device, giving organizations time to erase all data remotely. Devices can also be configured to wipe all data if an incorrect password is used too many times.
DRM (digital rights management) has found new life in the BYOD environment by allowing data owners to specify acceptable actions that can be performed on the data. For example, data can expire after 24 hours after download or data can be read but not printed and functionality like copy and paste can be removed.
Sign up for MIS Asia eNewsletters.