Many employees use their personal devices and cloud apps to work from anywhere, without any oversight or security controls. But IT can also use cloud computing services to regain some control.
Part of the problem is that employees use consumer-grade mobile devices such as Apple iPads, iPhones and Google Android smartphones for business without IT knowledge, said Lisa Phifer, president at Core Competence, Inc., a network and security consulting firm.
More on consumerization and the cloud
While most mobile devices have some type of management tool, such as Apple's Mobile Device Management tool for business, to help locate a lost phone, perform a remote wipe or even change the passcode remotely, these tools may not meet enterprise standards, Phifer said.
"If a company is focused on BlackBerry, they probably have a BlackBerry Enterprise Server to do all that," Phifer said. "But you can't shoehorn an iPhone or an Android phone into that paradigm."
There are ways to alleviate the security risks associated with corporate data on consumer devices, though.
Cloud security tools for BYOD
The challenge for administrators is to provide business data to end user devices while keeping that data separated, segmented and managed, said Jim Reavis, executive director of the Cloud Security Alliance.
"People will use app stores on their devices; and whether they are corporate devices or personal, we're concerned about app store security capabilities," Reavis added.
While IT pros worry about app store security, many end users ignore the risks.
"There's awareness [among end users], but there's not necessarily compliance," Phifer added. "When you … talk about malware, especially on Android phones, people really pooh-pooh that. But with app stores, there's no guarantee."
The cloud can help IT with the BYOD security conundrum. First, enterprise IT can acquire Security as a Service products from companies such as Barracuda Networks, Sophos and Zscaler as well as mobile device management services. Using a cloud-based service also saves companies from investing in new servers, software, training and ongoing staff for maintenance.
Cloud computing can also change the way enterprises deal with malware. Rather than run software on a laptop to continuously scan for malware, cloud-based anti-malware services scan data before it ever reaches the device.
"You never get the threat on your device and you don't need to run scanning services on the device," Phifer added.
With BYOD, it has to be automated; users are not very happy about intrusive, heavy-handed governance over the devices they think they own.
Lisa Phifer, president at Core Competence, Inc.
Building BYOD policies into your cloud plan
While automated security procedures and Security as a Service (SaaS) cloud offerings can help, educating end users is also important. IT admins need to establish some ground rules as part of a BYOD policy. SaaS-based security measures are the primary piece, but educating users also has its part.
Part of that education should be creating a mobile device acceptable use, and the rules need to be enforced.
For example, more than half of employees circumvent or disengage security features such as passwords and key locks, according to a recent study by the Ponemon Institute. So, IT needs to run a security policy on employee smartphones to check whether those programs are in place and actively running, Phifer said.
"With BYOD, it has to be automated; users are not very happy about intrusive, heavy-handed governance over the devices they think they own," she said.