Bring Your Own Device: Balancing Corporate Security and Personal Privacy

October 18th, 2019

Today’s Community Contributor is Kenneth Hess, Community Manager, Enable SysAdmin, at Red Hat. Kenneth’s technical expertise is in web hosting, virtualization, and open source operating systems and technologies. He has several years of experience in technology blogging and journalism. He has written several detailed reviews on TrustRadius of the tools he uses at work. Here, Kenneth shares his insight on the Bring-Your-Own-Device (BYOD) trend, which was initially tough on employees and on corporations that kept trying to get it right. Now, employees and businesses enjoy BYOD environments that work for both parties.


The bring your own device (BYOD) trend is not new in technology terms. The practice began just after smartphones hit the market in the 2009/2010 timeframe, when employees insisted on using their personally owned devices rather than corporate ones.

BYOD advantages and disadvantages

The arguments for BYOD are that employees can be more efficient by using familiar technology and can be happier using technology that they have chosen for themselves. Employees already carry their mobile phones with them, and almost no one wants to carry a second device. Business owners' counterarguments include security concerns with personal devices, lack of control over technology choices, mixing of personal and corporate data, and the fact that personal devices make company information easier to steal or to post to social media outlets.

The first solution: mobile device management

The early compromise was to allow employees to bring their own devices, but those devices were subject to corporate-managed security, then known as mobile device management (MDM). Employees rebelled against this heavy-handed approach, citing that MDM software invaded their privacy and took ownership away from the employee without compensation from the employer.

The problem with MDM suites was that they had to take over the entire device. If you enrolled your mobile phone into the MDM, the corporation basically owned it. The administrator could set security policies that prevented users from downloading apps from app stores and could wipe all settings, apps, and data from a device—basically resetting it to factory defaults. Administrators could also arbitrarily lock devices and prevent employees from using them. Employees had no recourse, because enrollment was voluntary and had to be initiated by the user.

The evolution to unified endpoint management

Technology has evolved to satisfy employees and employers alike. The heavily controlled corporate MDMs have morphed into unified endpoint management (UEM) suites that offer in-app virtual private network (VPN) connectivity with its own partitioned security, thereby guaranteeing both device owner privacy and corporate security. If a company separates an employee or the employee loses a device, UEM administrators can remotely wipe all corporate data and apps from it. UEMs also manage more than mobile phones. They manage laptop computers, tablets, mobile phones, and almost any other device as an endpoint, regardless of function, manufacturer, or operating system.

Perhaps most surprising is that UEM is an accurate description of the technology and its capability to manage endpoints, not merely a marketing term. Unified endpoint management balances the need for corporate security and individual privacy by separating corporate data into secured applications. Corporate data and private data never mix. It is also not possible to pilfer data or information across this secure boundary.

VPN protection for unsecured WiFi

As described previously, UEM suites secure corporate apps by coupling them with secure network connections known as VPNs. VPNs guarantee that all data transmitted between the app and the corporate network is encrypted, regardless of the type of connection the device uses (cellular, WiFi, or tethering). UEM providers understand the requirement to secure these connections because users often connect to unsecured WiFi networks that are easily compromised. Additionally, some devices are less secure than others and more susceptible to rogue applications that leak data.

Using containerization

Some device vendors are management-suite friendly in that they provide better mechanisms for secure management that protect both the employee and the employer in BYOD-enabled environments. One such feature is containerization. Containerization is a security feature that logically separates a “chunk” of resources into a secure workspace that includes the app, its data, and a VPN client for the app. Administrators can reach into the container but not into the rest of the device. Employees now enroll their devices into a management suite that creates and manages a slice of the employee’s device resources (CPU, memory, storage, and network bandwidth). If an employee is separated from the company, the administrator removes the container and the device reclaims the resources the container used.

BYOD is here to stay

BYOD has enjoyed ten years of success in the enterprise due to attitude changes, software evolution, and vendor updates. It is now more normal for employees to use their own mobile phones than corporate-issued ones. Originally, some companies provided a cost offset for those who used their own devices, but now very few do. UEM suites now provide more security with less intrusion than their earlier MDM counterparts did. BYOD continues to evolve and succeed as vendors, who realize that this trend will continue, evolve their technology offerings as well.
