10:53 AM
Ojas Rege, MobileIron
Commentary

Preparing Your Bank for BYOD

There are some issues related to trust and liability that banks must not forget to address before implementing a bring-your-own-device program.

The bring-your-own-device (BYOD) trend is one of the more dramatic results of the consumerization of IT, in which consumer preference, not corporate initiative, drives the adoption of technologies in the enterprise. "By 2014, 90 percent of organizations will support corporate applications on personal devices," predicted Monica Basso, research vice president at analyst firm Gartner, in her Spring 2011 presentation, "Bring Your Own Mobility: Planning for Innovation and Risk Management."

While many financial institutions look at BYOD as a possible way to reduce costs, the real value of a well-designed BYOD program is increasing employee satisfaction and speeding up the rate of technology adoption in the enterprise. However, BYOD for financial services companies is more than just moving ownership of the device to the employee. It has complex and hidden implications for which a strategy needs to be defined in advance of implementation.

The initial success of any BYOD program will depend on early preparation and an understanding of the nuances of complex issues. Two of the most critical things to figure out at the very beginning stages of planning a BYOD implementation -- and two which get very little attention upfront when the central concern is security -- are establishing a trust model and understanding what BYOD means in terms of legal liability.

Establishing a Trust Model
Trust is the foundation for enterprise security: Which users do I trust with which data under what circumstances? Every major financial organization has gone through data classification to establish this underpinning for its security policies. However, trust models for mobile add a new level of complexity.

The trust level of a mobile device is dynamic, and it depends on its security posture at a given point in time. For example, a company’s CFO is trusted with financial data on her tablet, but not if she inadvertently disables encryption or downloads a rogue app. And because mobile devices are not locked down as tightly as traditional laptops and desktops, they fall out of compliance more frequently.

BYOD adds another layer to the trust model because the trust level for employee-owned devices may differ from that of corporate-owned devices. Privacy policies will vary, and user expectations will differ. On corporate devices, users may accept not being able to use social networking apps, but that type of policy is unacceptable on personal devices.

Building a BYOD trust model requires a financial institution to do the following:

  • Define remediation options for notification, access control, quarantine and selective wipe. These options may differ in severity from personal to corporate devices. For example, on a corporate device with a moderate risk compliance issue the remediation might be an immediate full wipe, but on a personal device it may be a less severe action initially, such as blocking enterprise access, followed by a selective wipe of enterprise data.
  • Set a tiered policy. Ownership is now a key dimension along which to set policy. Personal and corporate devices will each have different sets of policies for security, privacy and app distribution.
  • Establish the identity of each user and device. As device choice becomes fluid, confirming the identity of user and device, usually through the use of certificates, becomes more important.
  • Take a critical eye to the sustainability of the security policy being instituted. What is the impact of the policy on user experience, and will users accept that tradeoff over the long term? If the trust level of the personal device is so low that security requires extensive usage restrictions, the employee’s personal mobile experience will be damaged, and neither the policy nor the BYOD program will be sustainable.
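As an added illustration (not from the article or from any MobileIron product), the tiered trust model above expressed as a small compliance-evaluation routine in Python: posture is assessed at a point in time, identity is gated on a device certificate, and remediation is chosen by ownership. The posture fields, the 24-hour grace period and the action names are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Ownership(Enum):
    CORPORATE = "corporate"
    PERSONAL = "personal"


@dataclass
class DevicePosture:
    """Point-in-time security posture of one managed device (constructed fields)."""
    device_id: str
    ownership: Ownership
    has_valid_cert: bool = True          # device identity proven by an enrolled certificate
    encryption_enabled: bool = True      # storage encryption still switched on
    rogue_apps: list[str] = field(default_factory=list)  # disallowed apps observed
    hours_noncompliant: int = 0          # how long the current issue has persisted


def risk_level(p: DevicePosture) -> str:
    """Trust is dynamic: the same user/device pair is rated on its current posture."""
    if not p.encryption_enabled:
        return "high"        # enterprise data at rest is unprotected
    if p.rogue_apps:
        return "moderate"    # e.g. the CFO who installed an unvetted app
    return "none"


def remediation(p: DevicePosture, grace_hours: int = 24) -> list[str]:
    """Ownership-tiered remediation using the four options named in the article:
    notification, access control, quarantine and selective wipe.
    Corporate devices: any moderate-or-worse issue triggers an immediate full wipe.
    Personal devices: notify and block enterprise access first; selectively wipe
    only enterprise data, and only for high risk or once the grace period expires."""
    if not p.has_valid_cert:
        return ["quarantine"]            # identity unproven, so no trust decision is possible
    level = risk_level(p)
    if level == "none":
        return ["allow"]
    if p.ownership is Ownership.CORPORATE:
        return ["notify", "full_wipe"]
    actions = ["notify", "block_enterprise_access"]
    if level == "high" or p.hours_noncompliant >= grace_hours:
        actions.append("selective_wipe")  # never touches the employee's personal data
    return actions


if __name__ == "__main__":
    cfo_tablet = DevicePosture("tablet-01", Ownership.PERSONAL, rogue_apps=["unvetted-app"])
    print(cfo_tablet.device_id, risk_level(cfo_tablet), remediation(cfo_tablet))
```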

AG4IT
6/13/2013 | 3:10:18 PM
re: Preparing Your Bank for BYOD
Security risks (lost devices, access to sensitive data) are definitely a part of BYOD, particularly for financial organizations. However, these risks can be reduced by keeping data and applications separate from personal devices. That means that there's no sensitive data exposed if an employee's device is lost or stolen.

This can be achieved with solutions like Ericom AccessNow, an HTML5 RDP client that enables users to connect from most types of devices to any RDP hosts (such as VDI virtual desktops or Windows Remote Desktop Services) and run full Windows desktops or applications in a browser tab.

There's nothing to install on the end-user devices, as you only need an HTML5-compatible browser, so using AccessNow also reduces IT support costs, since IT staff don't need to spend time installing software on so many different platforms. All they need to do is give employees a URL and login credentials.

Download this free white paper for some additional ideas on securely managing the mobile workforce:
http://www.ericom.com/WP-Mobil...

Please note that I work for Ericom.