February 21, 2012

The bring-your-own-device (BYOD) trend is one of the more dramatic results of the consumerization of IT, in which consumer preference, not corporate initiative, drives the adoption of technologies in the enterprise. "By 2014, 90 percent of organizations will support corporate applications on personal devices," predicted Monica Basso, research vice president at analyst firm Gartner, in her Spring 2011 presentation, "Bring Your Own Mobility: Planning for Innovation and Risk Management."

While many financial institutions look at BYOD as a possible way to reduce costs, the real value of a well-designed BYOD program is increasing employee satisfaction and speeding up the rate of technology adoption in the enterprise. However, BYOD for financial services companies is more than just moving ownership of the device to the employee. It has complex and hidden implications for which a strategy needs to be defined in advance of implementation.

The initial success of any BYOD program will depend on early preparation and an understanding of the nuances of complex issues. Two of the most critical things to figure out at the very beginning stages of planning a BYOD implementation -- and two which get very little attention upfront when the central concern is security -- are establishing a trust model and understanding what BYOD means in terms of legal liability.

Establishing a Trust Model
Trust is the foundation for enterprise security: Which users do I trust with which data under what circumstances? Every major financial organization has gone through data classification to establish this underpinning for its security policies. However, trust models for mobile add a new level of complexity.

The trust level of a mobile device is dynamic, and it depends on its security posture at a given point in time. For example, a company’s CFO is trusted with financial data on her tablet, but not if she inadvertently disables encryption or downloads a rogue app. And because mobile devices are not locked down as tightly as traditional laptops and desktops, they fall out of compliance more frequently.

BYOD adds another layer to the trust model because the trust level for employee-owned devices may be different from that for corporate-owned devices. Privacy policies will vary, and user expectations will differ. On corporate devices, users may accept not being able to use social networking apps, but that type of policy is unacceptable for personal devices.

Building a BYOD trust model requires a financial institution to do the following:

  • Define remediation options for notification, access control, quarantine and selective wipe. These options may differ in severity between personal and corporate devices. For example, on a corporate device with a moderate-risk compliance issue the remediation might be an immediate full wipe, but on a personal device it may be a less severe action initially, such as blocking enterprise access, followed by a selective wipe of enterprise data.
  • Set a tiered policy. Ownership is now a key dimension along which to set policy. Personal and corporate devices will each have different sets of policies for security, privacy and app distribution.
  • Establish the identity of each user and device. As device choice becomes fluid, confirming the identity of user and device, usually through the use of certificates, becomes more important.
  • Take a critical eye to the sustainability of the security policy being instituted. What is the impact of the policy on user experience, and will users accept that tradeoff over the long term? If the trust level of the personal device is so low that security requires extensive usage restrictions, the employee’s personal mobile experience will be damaged, and neither the policy nor the BYOD program will be sustainable.
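One way to make the four requirements above concrete is to encode them as a small policy evaluator: risk is derived from the device's current posture (dynamic trust), the same risk tier maps to different remediations depending on ownership (tiered policy), identity is one of the posture inputs, and an audit function checks the invariant that makes the program sustainable for employees, namely that a personal device is never full-wiped. The following Python is an added example written for this page, not code from the article or from any MDM vendor; the posture fields, the three risk tiers, the three-day grace period and the fleet records are all constructed assumptions.

```python
"""Tiered BYOD trust-model evaluator (illustrative example, not a vendor product)."""
from dataclasses import dataclass, field
from enum import Enum


class Ownership(Enum):
    CORPORATE = "corporate"
    PERSONAL = "personal"


class Risk(Enum):
    NONE = 0
    MODERATE = 1
    HIGH = 2


class Action(Enum):
    ALLOW = "allow"
    NOTIFY = "notify"
    BLOCK_ENTERPRISE_ACCESS = "block_enterprise_access"
    SELECTIVE_WIPE = "selective_wipe"   # remove enterprise data and apps only
    FULL_WIPE = "full_wipe"             # factory reset; corporate devices only


@dataclass
class DevicePosture:
    """Snapshot of one device's security posture at a point in time (assumed fields)."""
    device_id: str
    ownership: Ownership
    identity_verified: bool              # user and device certificates checked out
    encryption_enabled: bool
    disallowed_apps: list[str] = field(default_factory=list)
    days_noncompliant: int = 0           # how long the current issue has persisted


# Assumed grace period before enterprise data is removed from a personal device.
PERSONAL_GRACE_DAYS = 3


def assess_risk(p: DevicePosture) -> Risk:
    """Trust is dynamic: the tier comes from the current posture, not from ownership."""
    if not p.identity_verified or not p.encryption_enabled:
        return Risk.HIGH
    if p.disallowed_apps:
        return Risk.MODERATE
    return Risk.NONE


def remediation(p: DevicePosture) -> list[Action]:
    """Tiered policy: the same risk tier maps to different actions by ownership."""
    risk = assess_risk(p)
    if risk is Risk.NONE:
        return [Action.ALLOW]

    if p.ownership is Ownership.CORPORATE:
        # The institution owns everything on the device, so an immediate full
        # wipe is an acceptable response even to a moderate-risk issue.
        return [Action.FULL_WIPE]

    # Personal device: never touch personal data. Escalate from notification and
    # access blocking to a selective wipe of enterprise data only.
    if risk is Risk.HIGH or p.days_noncompliant >= PERSONAL_GRACE_DAYS:
        return [Action.BLOCK_ENTERPRISE_ACCESS, Action.SELECTIVE_WIPE]
    return [Action.NOTIFY, Action.BLOCK_ENTERPRISE_ACCESS]


def evaluate_fleet(fleet: list[DevicePosture]) -> dict[str, list[Action]]:
    """Map every device in the fleet to the actions the policy would take now."""
    return {p.device_id: remediation(p) for p in fleet}


def personal_full_wipe_targets(fleet: list[DevicePosture]) -> list[str]:
    """Sustainability audit: a tiered policy must never full-wipe an employee-owned device."""
    return [p.device_id for p in fleet
            if p.ownership is Ownership.PERSONAL and Action.FULL_WIPE in remediation(p)]


# Constructed sample fleet mirroring the scenarios described in the article.
SAMPLE_FLEET = [
    DevicePosture("corp-tablet-01", Ownership.CORPORATE, True, True, ["unapproved-sync"]),
    DevicePosture("cfo-tablet", Ownership.PERSONAL, True, False),                # encryption disabled
    DevicePosture("analyst-phone", Ownership.PERSONAL, True, True, ["unapproved-sync"], 1),
    DevicePosture("analyst-phone-stale", Ownership.PERSONAL, True, True, ["unapproved-sync"], 5),
    DevicePosture("trader-phone", Ownership.PERSONAL, True, True),
]

if __name__ == "__main__":
    for device_id, actions in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{device_id:22s} -> {[a.value for a in actions]}")
    print("personal devices that would be full-wiped:", personal_full_wipe_targets(SAMPLE_FLEET))
```

The point of separating `assess_risk` from `remediation` is that the risk tier is a property of the device's posture alone, while the response is a property of the policy tier the device falls into; keeping the audit in `personal_full_wipe_targets` lets a policy change be checked against the whole fleet before it is deployed.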