BYOD to work but be prepared for remote wipes and legal holds, says Unisys

The proliferating use of personal devices to access corporate applications and data has become a major security headache for companies. Some have tried to deal with the problem by banning such use or by simply making it harder for employees to use their devices to access corporate networks.

A growing number of others, though, have begun implementing a Bring Your Own Device (BYOD) approach to address the issue. The idea here appears to be that such a policy will lead to happier employees, better productivity and lower costs for enterprises.

One such company is Unisys, which is beta-testing a BYOD policy to see how it will work. Under it, employees will be allowed to use pretty much any mobile client device of their choice so long as they abide by an Acceptable Use Agreement (AUA), according to Patricia Titus, the chief information security officer at Unisys.

One of the main components of the AUA is a requirement that users allow a PKI device certificate to be installed on their personal devices, said Titus, who is a former security executive at the U.S. Transportation Security Administration. The certificate will be used to authenticate the device to the Unisys network each time the owner tries to access the network.

Users will also need to agree to install remote wipe software on their devices, so that any corporate data on them can be quickly erased in the event a device is lost or stolen. The agreement requires the device owner to quickly report the loss of the device to the appropriate contact.

One potentially thorny condition requires users to acknowledge that they understand their personal devices could get confiscated for unspecified periods in the event of a legal hold. A legal hold typically happens when a company is in a legal dispute or anticipates one in the near future. It's too early to say how that requirement will affect adoption of the BYOD approach, Titus said.

Initially at least, personal mobile devices will be permitted access only to specific applications such as corporate e-mail and calendaring, though access could be broadened in future, Titus said. Access to more sensitive applications will require a higher, multi-factor level of authentication, which could even include biometrics, Titus said. And before a BYOD policy can be rolled out worldwide, tweaks will need to be made to the AUA to accommodate overseas security and privacy regulations regarding issues such as the remote wiping of data, she said. So far, the pilot has gone very well, according to her.

Unisys is among a growing number of enterprises implementing such policies to deal with what Titus calls the "consumerization of the IT infrastructure." Others are experimenting with different models, including paying for employees to buy their own devices for connecting into the corporate network.
