Apple's new iPad is just one of many new mobile devices entering the market and changing the workplace. It's one reason organizations considering the use of employee-owned tablets for work purposes need to implement structured bring-your-own-device policies. What should they include in those policies to ensure ongoing mobile security?
Joe Rogalski of New York's First Niagara Bank [$31 billion in assets] says the addition of the 4G network and upcoming apps for the new iPad will increase tablet usage among employees who seek out the latest technology. With this continued growth, organizations can no longer ignore the BYOD trend.
So how should organizations develop their policies to ensure employee-owned devices are protected?
First, they should consider a mobile device management solution. Rogalski, who implemented an MDM solution for First Niagara Bank, says an MDM solution can ensure strong passwords, encryption and the ability to remotely wipe any mobile device connected to the network.
"I think that's very important that you have the mobile device management in place as well as the ability to wipe the device and track the device because once it's gone we want to get that data off there as quickly as possible," Rogalski says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
To enroll their devices for support, employees need to sign a form that gives the organization consent to wipe the device if it's lost, stolen or compromised.
But it's not just about wiping the device. "It's also making sure that the security configurations and policies are in place for the passwords to make sure they're not using simple passwords," Rogalski says.
Organizations need to make sure that any business applications running on employee-owned devices are protected end-to-end and sectioned off so the data on the devices can be managed separately.
During this interview, Rogalski discusses:
- Why tablets and iPads pose security concerns unique in the mobile-device arena;
- How organizations should enforce with employees their rights to remotely access, track and wipe mobile devices that connect to a corporate network;
- Basic requirements for usernames and password protections all BYOD policies should include.
Rogalski is the information security officer and first vice president of First Niagara Bank, a top 25 regional bank located in the Northeast. Rogalski currently holds CISM and CRISC certifications. Rogalski has more than 18 years of experience in technology and security in a variety of technical and management positions. Before joining First Niagara, Rogalski practiced information security risk management for M&T Bank. Rogalski also frequently speaks about security, risk management and awareness with industry leaders and First Niagara customers.
First Niagara's BYOD Policies
TRACY KITTEN: First Niagara has its own established policies and procedures specific to BYOD. Can you tell us a bit about the bank's policies and why you found it necessary to establish the policies in the first place?
JOE ROGALSKI: About a year ago, we really didn't have a policy in place but we had some devices that were connecting to our network. So at that point, we really had to step back and figure out if it was something we were going to support, because we're a financial institution, or if we were going to just simply disable them. With senior management, they're always driving because they want the same device that their 13-year-old daughter has and they want to be that cool. Heads of business, senior management, were really pushing us to develop a policy for bring-your-own-device or to enable iPads and iPhones specifically on our networks. At that point, we really stepped back and said, "Yes, this is a good idea. We can support it. What do we need to do to support it?"
Currently today the policy has a very restricted group that has access to the devices. It's probably about five percent of our population and it's typically management-level people or senior business people in the organization.
KITTEN: Can you give us some highlights from the policies?
ROGALSKI: Basically, we implemented a mobile device management solution that has the ability to make sure that the passwords are in place, that they're complex passwords, that encryption is taking place. We also have the ability to wipe the device whenever we need to, and it can be your personal family photos as well and they're well aware of that. To actually sign up for the service today, you need to sign a form that gives us consent to wipe that device. I think that's very important that you have the mobile device management in place as well as the ability to wipe the device and track the device because once it's gone we want to get that data off there as quickly as possible.
KITTEN: I wanted to ask about security measures and risk mitigation and what works best, and it sounds like maybe just having the ability to remotely access and wipe the device is the best thing?
ROGALSKI: It's not only remotely wiping the device, but it's also making sure that the security configurations and policies are in place for the passwords to make sure they're not using simple passwords: 1234 password, date of birth, those types of things. We want to make sure that if there are business applications running on there that it's end-to-end in a safe zone and that they're kind of sectioned off and that we're able to manage that data separately, and really control our data on that device.
KITTEN: What policies would you say all organizations should consider, even those that fall outside of the purview of financial services?
ROGALSKI: I think it really depends on what type of data is going to be on the device. If it's e-mail, that's one thing. You're going to want to have an e-mail management program on there to keep your corporate private data away or segregated somehow to make sure you can manage that corporate data. Really I think it depends on the industry and what's on that device. iPads are being used more and more to create IP, or intellectual property, more so than a phone is. So you really need to manage that IP on there and what's on there and how you're going to control it. Everybody needs to make sure they have control of the devices in some way, shape or form.
iPad 3 Concerns
KITTEN: I wanted to ask specifically about the new iPad. How do you expect the release of this iPad 3 to impact your organization?
ROGALSKI: I think it's interesting. There needs to be a business driver for it, and iPads are really cool and everything today, and we all know they're great for e-mail and web browsing. But, I don't want to say there's no killer app, but there's no business app today that's impacting us. With the 4G network coming on board and a snappier browser, we may start to see more of the business applications drive down. I know SAP is coming out with an app and a few others are introducing native apps on the iPad that will actually sandbox your data away so that it's protected [and] give you the ability to manage that data, but it's still looking for that killer app. Once that app comes out from our remote sales people that they can't live without, I think that's when we're going to see it really take off.
Advice for Organizations
KITTEN: Finally, what advice would you offer to other organizations and businesses that are just starting to address BYOD?
ROGALSKI: I think the first thing is you need to embrace it and figure out how you can do it, because if you don't, they're going to find a way around it. It's just like any other security protocol, you need to make it easy for the user and enable them to do it, because if you just say no, it's going to come back and bite you.