The rapid consumer adoption of powerful smart phones and tablets is revolutionizing enterprises as employees increasingly use these devices to access corporate assets and IT systems. Today, users expect the same mobile experience they have in their off time. Taking and posting photos and videos, using location-based services, downloading and configuring apps, instant messaging and VOIP have joined making ordinary phone calls as part of the culture.
As impactful as they are on our personal lives, these technologies also are having a transformative impact on a workplace – enabling a transition from an “I’ll get back to you” mentality to “here’s the answer.” The new capabilities enabled by these powerful devices have transformed our ability to find information quickly and to communicate with one another.
With employees using one device for both personal and corporate applications, it is essential to make the distinction between personal and professional identity and to implement technology that will manage this distinction. It is obvious that personal and corporate email profiles, for example, are different and need to be managed separately. Rather than ban these devices outright, enterprises increasingly are leveraging both the device’s capabilities and productivity benefits by implementing smart bring your own device (BYOD) policies.
In many businesses, it is common for corporate data and communication to be supported on multiple devices simultaneously. An executive may still have a desktop PC in the office and send and receive emails on a smart phone, or make presentations from a tablet that also supports email and direct corporate data access. It is clear that corporate security has moved beyond the firewall and is heading toward cloud-based services and secure end-point access.
Corporate BYOD policies need to provide a clear distinction between what users do as an employee from other personal activities performed on the device. Everything people do on their personal device as an employee, must be linked to their role as that employee. This identity can be distinguished by the selection of a particular application, the presentation of a PIN or a biometric or by using the credentials on an employee smart badge.
The enterprise is responsible for creating, provisioning and managing this identity on the phone or tablet. These policies and procedures should be similar to and compatible with those used to manage identities for employee badges and other access credentials. And, while the enterprise’s objectives are ultimately to protect its own assets, it is equally important to be sure that the personal identity and associated data are properly segregated from corporate activities.
Defining a “digital identity”
The first step in establishing a BYOD policy is to have a clear digital identity for each employee, preferably one that has been established using a secure, repeatable and auditable process. The next step is to create one or more credentials linked to this identity. Depending on the device, the applications and the security level required, this can be a password, a one-time password generator seed or a digital certificate.
This credential then must be linked to the user’s corporate digital identity and injected into the device. An automated, secure process will maximize security, lower costs and provide the records required for lifecycle management and regulatory compliance. In an ideal policy, these credentials are then linked to the various systems that they will work with. There also are various lifecycle management functions required to maintain and manage the credentials on devices that need special consideration.
Ultimately, there are a few key elements for a successful BYOD program:
- Learn about your employees’ devices and how they use them
- Find out what’s working for them and what’s not
- Understand which features they would like to use in the workplace
- Set goals for the use of mobile devices
- Identify enterprise use cases
- Set policies and procedures
- Identify the enterprise identity and credentials that users will require on their mobile device and implement processes to provision and manage devices
- Train users; they already know how to use the phone, but will need training on any new apps – policy training should start early and be repeated at intervals
- Train staff to monitor and manage the identities and applications in use
While the use of personal or non-traditional computing devices in the workplace does pose challenges, the benefits of a satisfied, more productive workforce can be gained through the smart implementation of the right policies and programs to ensure the protection of corporate data and other assets.