Slowly but surely, bringing your own device to work is becoming mainstream. Though security concerns remain, Gartner estimated this month that by 2017, half of employers will stop providing employees with machines.
BYOD is a widely acknowledged trend. Not so widely acknowledged, but equally important to productivity and data and network security, is its lesser-known byproduct, BYOS.
BYOS as a growing force in the enterprise
Whether you expand BYOS to Bring Your Own Service or Bring Your Own Software, the acronym’s central meaning remains the same: many workers want to share and access company data without using enterprise software. To give just one example, over 2 million businesses use Dropbox, and those business users save over 600 million files on the service every workweek, according to a Dropbox spokesperson.
Workers are getting accustomed to using their own laptops and phones; it’s not surprising that they want to use their preferred file hosting services, social networks, and productivity applications as well. Having a choice is especially important to Millennials, who have been using consumer software for the majority of their lives. In the 2011 Cisco Connected World Technology Report, 56 percent of college students said that if a potential employer banned social media access, they would either find a way to get around the ban or outright reject a job offer. And that's just social media access.
It’s impossible to predict the future, but the evidence suggests that BYOS won’t be a short-lived trend. A future where employees regularly use non-enterprise services and applications could be desirable—if IT professionals navigate the security challenges with caution.
Establish clear policies
The Cheshire Cat from Alice in Wonderland said it best: if you don’t know where you’re going, any road will take you there. It’s difficult to choose the right tools for securely using non-enterprise services if you don’t have well-defined policies.
First, policymakers must identify the most sensitive data in the enterprise. The criteria for highly sensitive data vary by organization, but there are three main types: data that would give competitors a significant edge, private customer data, and data that requires protection to comply with industry-specific laws. This data should be kept off non-enterprise services entirely, or at least encrypted at the file level.
When it comes to less sensitive data, companies should decide which non-enterprise services and applications are secure enough and which ones pose too many risks. Like a good diet plan, this method gives employees options—but only healthy ones. To keep employees involved, companies could survey them to determine which services and applications are already popular.
Check non-enterprise services for security holes
When deciding which services to accept, it’s wise to go beyond reading reviews and ask for the results of a vulnerability scan.
Most companies that make popular file hosting services and productivity applications do a good job of describing their security features to potential customers. However, asking for concrete proof eliminates a certain amount of doubt. It also puts emphasis on the fact that your company expects network security to be taken very seriously.
In all likelihood, many companies have up-to-date reports at the ready. Even if they don’t, they can easily scan their code for vulnerabilities using services like Hewlett-Packard’s Fortify On Demand, which offers free, standard, and premium scans. The premium scan supports the scan of over 20 programming languages and looks for cross-site scripting and SQL injection.
Protect sensitive data
Even after choosing non-enterprise services carefully, IT administrators should select the right tools to prevent highly sensitive data from winding up on one of them.
Both network- and endpoint-based Data Loss Prevention (DLP) solutions stop employees from sharing sensitive data, whether the attempts take place through non-enterprise email accounts, social networks, or file hosting services. Network-based solutions detect sensitive data as it gets sent out of the enterprise network; endpoint-based solutions examine user activity that takes place on laptops, tablets, servers, and so forth. Some solutions, such as RSA Data Loss Prevention, notify users when they’ve attempted to violate a company policy, thus encouraging awareness of the rules.
As effective as DLP solutions can be, they don’t cover everything. It’s important to ensure that only the right people can access sensitive data in the first place. Varonis’s Data Governance Suite, for example, includes two components: DatAdvantage and DataPrivilege. The former records user activity, shows which users can access which folders, and makes recommendations upon perceiving superfluous access. The latter allows data owners to review permissions and grant or revoke them where necessary. (It should be noted that on May 22, Varonis announced the launch of DatAnywhere, a Dropbox-like service for the enterprise.)
Embracing the BYOS trend might still seem risky, but it’s important to remember that consumer software companies aren’t the enemy. Those who threaten enterprise networks and the data they carry are, and network and data security policymakers must keep that real threat in mind, considering consumer software and service providers as potential allies.
“We’re constantly working to improve systems, policies, and procedures that protect our user’s data,” the Dropbox spokesperson I spoke to wrote in an email, noting this month’s new development: single sign-on (SSO) for Dropbox for Business customers.
They have a vested interest in security, too.
How does your organization handle BYOS security? Let us know your thoughts in the comments.