You need to provide safe network access before allowing employees to bring their own devices to work
Almost every small company is experiencing the phenomenon referred to as “the consumerization of IT.” If you were the first in your office to log into your company’s network with your smartphone, you may even have been leading the charge. As more and more employees follow the “bring your own devices” trend (BYOD, for short) to work, you need to figure out how to give them remote access to the company network while keeping corporate data and personal information separate and secure.
In general, the BYOD movement is good for employers, even though people are using devices that aren’t necessarily provided by the company. Employers want to find ways to accommodate their employees’ desire to access their work email and other applications whenever and from whatever device they’re using, such as tablets and smartphones. That usually means that employers need to make some changes to the access policies. As an employer, you need to have network access policies with visibility and control over every device and application; and the user has to follow some rules to protect critical company data when accessing the network remotely.
As you begin to figure out your company’s BYOD remote access strategy, you need to start with any federal regulations that govern your industry, such as HIPPA (the Health Insurance Portability and Accountability Act). Keep in mind that employees’ mobile devices that connect to your network and email server may end up storing sensitive data, and that needs to be factored into your BYOD strategy. Once you’ve worked out the legal issues, you have to decide what’s best for your company and employees.
For example, you’ll need to answer these questions:
- Should all employees be allowed to use their own devices to log into the company network?
- Which services and applications should be accessible by personal devices?
- Should you allow equal access for every type of device and user profiles or should you choose to support only a particular device or user type?
Some companies allow access for just one device, such as the iPhone, because they can offer some measure of support for it and can customize security measures for that device. Your strategy should also consider if guest users and temporary employees can remotely access your network via their personal devices.
A two-pronged approach
Regardless of your answers to those questions, your BYOD remote access strategy should have two facets. It should require certain safeguards on the devices themselves, and it should include a layer of security for your network specific to guarding against threats introduced via mobile devices.
Smartphones and tablets should be just as secured as laptops-- for the good of your employees as well as your company. So before anyone is allowed to log onto your network, they must have certain mobile security measures in place: a pass code, mobile data encryption software, and remote management tools that let you remotely lock or wipe a lost or stolen device. Look to vendors like Lookout Mobile Security for mobile security software. Also, Apple’s App Store and Google Play for Android apps offer a variety of mobile security applications.
Consider, too, maintaining an inventory of employees’ personal devices and allowing only those registered in your inventory access to your network. This allows you to apply Access Control Lists to each device so that employees can use only the applications and services they need; for example, only HR employees gain access to employee files while access to financial applications is limited to your accountants.
You can also create a separate virtual LAN (VLAN) for mobile device traffic on your network. This will separate traffic on smartphones and tablets from the rest of the traffic on your network, which can help keep anything malicious from infiltrating the rest of your company’s assets. You can configure VLANS on routers and switches as well as wireless access points.
To fully lock down remote access for mobile devices, consider requiring users to connect via a VPN. On the network, you need to have a server or security appliance that runs a VPN, such as the Cisco SA5500 Series Adaptive Security Appliances. You can then install the Cisco AnyConnect VPN Client on your employees’ smartphones, which will allow them to securely connect to your network remotely, even if they’re in your local office.
Of course, you can ban employees from connecting to your local network with their own devices; in the end, though, that will limit their productivity. Instead, focus on a BYOD strategy that allows for controlled access with built-in security measures.
How has your company approached the BYOD phenomenon?
If you’re interested in reading more, check out these related posts: