The key to a secure bring-your-own-device (BYOD) implementation is to treat staff as security specialists, according to Intel's Rob Evered, the company's senior information security technologist and strategist.
"We have got about 60,000 small form-factor devices at Intel and I want all of the employees with these device to be security people. They know their device better than I do.
"I want to have 60,000 people looking for vulnerabilities when they read news articles; 60,000 people looking at ways of trying things. And I want to get that data back so that when one person discovers something, I can either do something about it or inform all the other people with the same device," says Evered, who was speaking at a recent Computing IT Leaders's Forum.
That means knowing exactly the devices that staff are using to access the network and corporate services, as well as keeping the communications channels open, he says. In order to get staff "onside", he adds, and to ensure that they don't use services that put valuable data and information in insecure situations, companies need to offer incentives.
Hence, if an analysis of network traffic suggests that a lot of people are using Dropbox or Evernote, effectively putting company information outside the firewall in a potentially insecure location, then why not provide a corporate subscription to these services? After all, that would would be cheaper and more popular than trying to replicate such applications using an in-house development team.
Single sign-on
Furthermore, he continues, instead of chivvying people to use these accounts, let them migrate naturally by making it the easier option. One way to do this, says Dragan Pendic, chief security architect within Global Information Management and Security at Diageo, is to provide single sign-on.
The benefit for staff is that they can access all the services they need to use in their everyday work without having to memorise a plethora of user name and password combinations. The benefit for organisations, though, is that it gets to know where its corporate data is at all times, while the corporate subscriptions to Dropbox and others will come with added security that the free versions that staff were using don't have.
"Single sign-on cuts off the attack surface because when you hit the resource that has been enabled on single sign-on, the actual direct access, even if you know the user name and password, will not be possible," says Pendic.
"Dropbox will come back to your organisation with the IF provided, it will verify the ID trying to access the particular resource, and that's a big win for security. It minimises the risk of information leakage, unauthorised access and so on," he says.
At Intel, continues Evered, the company uses a number of tools and techniques to keep the dialogue open with BYOD-using staff. "It's all about leading them down the same path. We provide a path of services that staff could try and do on their own, but if they do it the IT way, they get better responses, better usability and so they want to follow the IT path.
"That means that we need to establish that two-way communication. We use social media, and site forums and a variety of methods because we need to communicate the way that they communicate. We can't communicate as IT any more. We have to be driven by our users and how they want to communicate and match that," he says.
Companies then need to be open about why they set particular security policies, and explain the reasoning clearly to staff. "We've set a PIN on your device and this is the reason why, this is the logic. Argue with us. If you don't like it, tell us why you don't like it, because we want a data-driven approach to security," says Evered.
With computing becoming ever-more pervasive, he notes, with the advent of smart watches and "wearable computing", organisations do not have the power to stop staff using their own devices - whether that is smartphones on the move, PCs at home, tablets in the office or whatever emerges and proves popular in the future.
"It's really about positioning the right information in the right place. Getting information to the end-employee is a really powerful function. It's something that enables us to be very business focused and successful, so the only challenge we have got is the security," says Evered.
