Securing What You Don't Own

As an IT shop, you probably have a good handle on how you secure and manage company laptops, and you are also hopefully putting together or have already built a good system for doing the same for company smartphones. But what do you do when those laptops, smartphones and tablets are owned by employees? You may find that traditional methods of security and management will be much harder to implement.

This is part of the growing (though hardly new) phenomenon called the consumerization of IT. Employees have always brought their own new and cool devices into a company network, though in the past these tended to be either high-level management or technically sophisticated users. And back then, even if users brought their own devices to work, it was much harder to use them, as they still needed the company-approved software from IT.

But today, any employee could be bringing in the latest smartphone or tablet, and these devices are much more sophisticated and powerful than many past devices. In addition, the vast majority of your core company applications today are probably Web-based, which means that all a user needs to access them is a browser--no special company software needed.

This means that, not only is it much easier for employees to use their own devices to access company resources, it is much harder for IT shops to even know they are doing this, never mind come up with a way to stop it.The traditional solution for many businesses will be to try to put some kind of management or endpoint security app on employee-owned devices. But this can lead to a slippery slope of supporting employee devices. Because you know that once you put that app on their device, IT will be to blame for every problem that comes up on that device.

From an employee standpoint, this is also a big problem. Do you really want some app with remote monitoring and management capabilities sitting on your personal device? And do you really want to give someone else the ability to remotely wipe all of your personal data and information?

Luckily, we are starting to see some more creative methods for handling this problem, including strategies such as using virtualization to separate company apps and data from personal apps and data, as well as methods such as HTML 5 gateways to provide remote access to company applications.

For now, probably the most effective method is education. Setting down policies on how employee-owned devices should and shouldn't be used in the work environment can hopefully head off the worst problems.

Of course, the solution that some companies will choose to follow is to ban the use of employee-owned devices. But this has very little chance of success. If employees can use the device they prefer to use, than they will. Businesses will have to learn to deal with, and manage, this new reality.