I reckon the education sector accepted user-owned devices (now known as Bring Your Own Device) at least fifteen years ago, the moment we provided remote access and encouraged staff and students to work outside the office. My talk at the Janet/Jisc services day in London therefore looked at how we can do it better, suggesting a three step plan. Your comments and experiences on these ideas would be very welcome:
1. Recognise BYOD

The biggest concern with BYOD is that ‘company’ information will be stored on devices owned by employees or students, and thereby be exposed to greater risk. So the first step is to identify where our systems or processes are likely to result in off-server storage. Users may transfer information manually if our processes encourage them to take local copies or work at home; or it may be done automatically by client software that creates an off-line cache or backup. Both of those can be an advantage if we want people to work whenever they have a good idea, even if they don’t happen to be ‘in the office’, and for non-sensitive data those copies may not create additional risks. But where local storage isn’t necessary, or we can provide the same function in ways that don’t require it (e.g. remote desktop services), then it may be possible to reduce it. If local storage is needed we should aim to ensure that it is encrypted and, if possible, that it can be remotely wiped if the device is lost.

Many of the issues here are common to all mobile devices, so the same solutions may make managed mobile devices more secure as well. One difference is that you can’t insist on wiping or crushing a user-owned device when it is no longer used: the Information Commissioner suggests at least changing any passwords that may have been stored on a device that is to be sold or handed down to a relative. It’s also worth identifying and documenting the information and services that shouldn’t be available off-site; some may be suitable for managed devices but not user-owned ones, but remember that many security risks (such as reading the wrong file on a train) apply to all forms of portable device, no matter who manages them.
2. Improve BYOD

I’ve written previously that BYOD may create opportunities: modern portable devices support a lot of security technologies, and users ought to be motivated to use them to protect their own information on the device at least as much as to protect their employer’s. The ICO’s excellent Guide to BYOD has a list of good practices, all of which look to me like common sense for protecting my own information and bills (my summary: passphrases, patches, anti-virus, firewall, safe downloads/configuration, account/directory separation, and viewing information in safe places). If we can help and encourage device owners to do those to protect their own information then any corporate information gets protected too as a side effect. If, having had this simple good practice explained, security measures are still “too inconvenient” for a device owner to protect their own information (which probably includes passwords for e-banking, social networking and personal photographs), then those devices probably aren’t a safe place for the employer’s information either.
3. Adopt BYOD

Universities and colleges hope that their users don’t just work in the office, 9-5, but whenever and wherever a good idea occurs. Given that work pattern, BYOD feels like something that we ought to be designing into our systems and processes. That involves providing guidance and support to users on some of the harder questions: how to back up devices in ways that are safe for both personal and organisational information; how to use wireless and other untrusted networks safely; how to assess security when installing new applications and software. In designing our systems, perhaps we should even be assuming BYOD use (“Bring Your Own by Default”?), unless particular information or services are unsuitable for it. I suspect our users may already expect that all systems will be accessible from their devices, and many of them are innovative enough to put that expectation into practice. In most cases that will have benefits for the organisation and we should be encouraging it; where it creates unacceptable risks, we need to explain clearly why this system is an exception, so that users don’t try to work around our security measures.