From mobile device policy to bring your own device (BYOD)

From mobile devices to BYOD

Andrew Cormack, Chief regulatory adviser @Janet_LegReg

09/03/2015 Jisc Digital Festival, 9-10 March 2015, ICC Birmingham 3

We like mobile computing

» Research and education aren’t just office hours

» Work wherever/whenever inspiration strikes

» Increased productivity

» Happier users

» Could your organisation cope without it?

Policies

How we secure it

» De jure: the things we write down

Policies

How we secure it

» De jure: the things we write down

» De facto: the things we do

› This sets policy: “email on any device”

So how do we secure mobile computing?

AccessServer Device User

IMAP orweb or

VTTY ornone

authenticationencryption

IMAP orweb or

VTTY ornone

profilesmanagement

IMAP orweb or

VTTY ornone

policiesguidancesupport

profilesmanagement

IMAP orweb or

VTTY ornone

What do you do?

Discuss around table for 10 mins

Fill in the columns

What’s the difference with BYOD?

profilesmanagement

IMAP orweb or

VTTY ornone

profilesmanagement

IMAP orweb or

VTTY ornone

profilesmanagement

IMAP orweb or

VTTY ornone

What controls do you enforce on mobile devices?

» Passphrase, patches, anti-virus, firewall

» Encryption, remote wipe

» Safe downloading, account/directory separation

» Thinking about where you are

What we’d like…

Feels like basic good practice…

What we’d like…

Feels like basic good practice…

Actually, it’s the ICO’s recommendationsfor BYOD!

» Warns against MDM/tracking of non-owned devices

What we’d like…

How to be safe without device management?

Already rely on users for some controls

» Their behaviour may already be biggest risk

» Especially if they have admin rights!

Possibly move some controls to server-side

» But tightening de facto policies on existing services is a hard sell

Or, encourage users to implement them

Possibly move some controls toserver-side

» What do you lose with corporate mobile?

» What do you lose with BYOD?

Self-interest

81% employees don’t care about mobile security

Self-interest

Surely more care about their own devices?

Self-interest

Their BYOD security interests are same as ours

Self-interest

» If they know why/how to do the right thing

Self-interest

» If they know why/how to do the right thing

» Might BYOD even be more secure?

How might we help?

Discuss around tables for 10 mins:

» How to motivate

» How to support

And report back good ideas…

Good questions...

“What should I do if I lose it?”

“What should I do when I pass it on?”

Good questions...

“How should I back up my device?”

Good questions...

“How should I back up my device?”

“How do I share files with others?”

“How do I get new apps?”

BYOD plan

1. Review existing measures for mobile devices

› Already accepted risk: don’t demand more of BYOD

› If risk now unacceptable, change mobile

BYOD plan

2. Prepare to support device owners

BYOD plan

2. Prepare to support device owners

3. Motivate device owners

› Should improve mobile security too

BYOD future

Design systems to be BYO-by-Default?

BYOD future

» Presume it is the norm

» Identify / configure systems and data that aren’t suitable for it

BYOD future

» Presume it is the norm

» Identify / configure systems and data that aren’t suitable for it

BYOD will happen anyway

Much better to design for it than ignore it

Questions?

Or, come and discuss this afternoon…

BT paper» btplc.com/News/Articles/ShowArticle.cfm?ArticleID=F5E90F45-

966A-4872-8CF6-C2C32F608541ICO on BYOD» ico.org.uk/for_organisations/data_protection/topic_guides/online/byodCESG» gov.uk/government/collections/bring-your-own-device-guidanceMe» community.ja.net/blogs/regulatory-developments/article/mobile-

device-policy-byod» community.ja.net/blogs/regulatory-developments/tags/BYOD

References

From mobile device policy to bring your own device (BYOD)

Education

Bring Your Own Device (BYOD) in Schools€¦ · “Bring your own device (BYOD) refers to technology models where students bring a personally owned device to school for the purpose

Horizon Report: Bring Your Own Device (BYOD)

BYOD : Bring Your Own Device

BYOD Bring Your Own Device. What is BYOD? Bring Your Own Device to school is a new program in FCPS. It allows you to bring your own Personally-Owned Device

air watch bring your own device (byod)

Perancangan Kebijakan Bring Your Own Device (BYOD) dan Mobile Device Management (MDM)

FOR STUDENTS THE 411. bring your own device – Collier County Public Schools What is BYOD? BYOD is an acronym for Bring Your Own Device. A “device” is

BRING YOUR OWN DEVICE - clearwatercompliance.comclearwatercompliance.com/.../Federal-CIO-Council-Releases-BYOD-To… · government-wide bring-your-own-device (BYOD) 1 guidance based

Chapter 20 Bring Your Own Device (BYOD)faculty.georgebrown.ca/.../comp3049-intermediate-wirel/cwnasg_ch2… · Chapter 20 Bring Your Own Device (BYOD) Chapter 20 Overview • Mobile

BYOD Bring Your Own Device

Bring Your Own Device (BYOD) – Requirements and …

Prosedur Bantuan Bring Your Own Device (BYOD) Universiti ... · Prosedur ini menerangkan secara terperinci berkenaan pelaksanaan Bantuan Bring Your Own Device (BYOD) Universiti Teknologi

BYOD = Bring Your Own Device

BYOD-Data collection. Bring your own device From Wikipedia Bring your own device (BYOD) (also called bring your own technology (BYOT), bring your own

Employment Bring Your Own Device (BYOD)

BYOD-Bring Your Own Device

BYOD (Bring Your Own Device) - Meetupfiles.meetup.com/1698110/BYOD Slides MMv5.pdf · BYOD (Bring Your Own Device) Randy Gower – Good Technology Today’s Agenda BYOD Trends, Challenges

Kedron State High School Bring Your Own Device (BYOD

Bring Your Own Device (BYOD)

BYOD – Bring your own device