This is the ninth post in my series on Bring Your Own Device (BYOD). In my other posts I’ve focussed on understanding what BYOD is, and the non-technology issues that you need to factor in. Here I want to think about a key technology element that could easily be overlooked: your network. If you are going to allow people to use portable devices to access your organisation’s applications and data, then you need to consider the network mechanisms for enabling this. After all, without network connectivity, most tablets are just expensive paperweights!
As most BYOD devices are mobile, and most mobile devices are wi-fi enabled, providing some form of wi-fi capability within office premises may seem sensible, especially as some of those devices only have wi-fi and don’t have mobile (cellular) network capabilities. If you are looking at BYOD for laptops, then you might want to think about providing fixed network access as well. However, I would recommend that you don’t just give these employee-owned (and managed) devices unfettered access to your normal corporate network. If you have all of your important corporate data, applications and devices on that network, it would be highly risky to allow these devices to share that network. For an enterprise the potential for security risks seems to me to be far too high: all it requires is one employee to be late in updating anti-malware protection and you could fall foul of some very unpleasant consequences indeed. So, with those issues in mind, if your organisation is looking at making extensive use of BYOD then I suggest that you give some serious thought to the different forms of network access that you could provide to these devices.
It seems to me that there are basically five approaches:
1. None. No provided network access for BYOD devices.
2. Unsecured access to the internet (e.g. guest wi-fi)
3. Secured access to the internet
4. Secured access to a segregated part of the corporate network
5. Secured access to the corporate network
I know of organisations that are using all of these approaches. Approaches 2 and 3 assume that you are providing employee-owned devices with access to some corporate information and applications over the internet – email at the very least. Taking these approaches will therefore give employees using their devices easy and cheap access to those resources while in the office.
Each of these approaches can be used for either wireless or fixed network connectivity, and the approaches could be easily mixed and matched. For example, an organisation might provide unsecured wireless access to the internet and secured access to a segregated part of the network (access to virtual desktop services only) for fixed access.
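The mixed setup just described could be enforced on a Linux router with an nftables forward policy like the one below. This is an added illustration, not a configuration from any organisation mentioned in this series. The interface names, the VDI gateway address (a documentation address) and the HTTPS-only port are all assumptions.

```nftables
# Added example: every name and address here is a constructed placeholder.
define wan_if       = "eth0"        # uplink to the internet (assumed name)
define guest_if     = "vlan30"      # wi-fi VLAN for BYOD devices (assumed)
define byod_if      = "vlan40"      # fixed-access VLAN for BYOD devices (assumed)
define vdi_gateway  = 192.0.2.10    # virtual desktop gateway (documentation address)
define private_nets = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet byod_segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped,
        # including all BYOD traffic towards the normal corporate network.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were allowed out.
        ct state established,related accept
        ct state invalid drop

        # Wi-fi devices: internet only. The private-range drop is
        # defence in depth in case internal routes ever point at the uplink.
        iifname $guest_if ip daddr $private_nets drop
        iifname $guest_if oifname $wan_if accept

        # Fixed-access devices: the virtual desktop gateway only
        # (HTTPS on 443 is an assumption about how the VDI is published).
        iifname $byod_if ip daddr $vdi_gateway tcp dport 443 accept

        # Record what the BYOD segments tried to reach before the policy drop.
        iifname { $guest_if, $byod_if } limit rate 10/minute log prefix "byod-drop "
    }
}
```

This chain only governs traffic routed through the box; DHCP and DNS offered by the router itself to those VLANs would be handled in a separate input chain.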
The secured options can of course vary in the amount of security and authentication required to access the network. The simplest (and cheapest) example of approach 5 would be to use a wi-fi access point with just a common password (key). This is, of course, pretty insecure. But, if you don’t have high-value information and/or assets on that corporate network, then this may be acceptable. Other options could include using device authentication, or requiring user authentication with their corporate username and password. (I’m assuming that no-one is so blasé about security as to consider giving unsecured access to any part of their corporate network.)
My recommendation is that if you are serious about BYOD you should provide at least some form of unsecured or secured wi-fi access to the internet. This will allow people to make the most of these devices, and reduce any financial burden of using them while in the office. But, in any case, think about how you are going to provide network access to BYO devices, and how you are going to do so securely.