Last updated: 
3 weeks 3 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

BYOD: Doing it Better

Thursday, March 6, 2014 - 09:07

I reckon the education sector accepted user-owned devices (now known as Bring Your Own Device) at least fifteen years ago, the moment we provided remote access and encouraged staff and students to work outside the office. My talk at the Janet/Jisc services day in London therefore looked at how we can do it better, suggesting a three step plan. Your comments and experiences on these ideas would be very welcome:

1. Recognise BYOD

The biggest concern with BYOD is that 'company' information will be stored on devices owned by employees or students, and thereby be exposed to greater risk. So the first step is to identify where our systems or processes are likely to result in off-server storage. Users may transfer information manually if our processes encourage them to take local copies or work at home; or it may be done automatically by client software that creates an off-line cache or backup. Both of those can be an advantage if we want people to work whenever they have a good idea, even if they don't happen to be 'in the office', and for non-sensitive data those copies may not create additional risks. But where local storage isn't necessary, or we can provide the same function in ways that don't require it (e.g. remote desktop services), then it may be possible to reduce it. If local storage is needed we should aim to ensure that it is encrypted and, if possible, that it can be remotely wiped if the device is lost. Many of the issues here are common to all mobile devices so the same solutions may make managed mobile devices more secure as well. One difference is that you can't insist on wiping or crushing a user-owned device when it is no longer used – the Information Commissioner suggests at least changing any passwords that may have been stored on a device that may be sold or handed down to a relative. It's also worth identifying and documenting the information and services that shouldn't be available off-site; some may be suitable for managed devices but not user-owned ones, but remember that many security risks (such as reading the wrong file on a train) apply to all forms of portable device, no matter who manages them.

2. Improve BYOD

I've written previously that BYOD may create opportunities: modern portable devices support a lot of security technologies, and users ought to be motivated to use them to protect their own information on the device at least as much as to protect their employer's. The ICO's excellent Guide to BYOD has a list of good practices, all of which look like common sense to me to protect my own information and bills (my summary: passphrases, patches, anti-virus, firewall, safe downloads/configuration, account/directory separation, and viewing information in safe places). If we can help and encourage device owners to do those to protect their own information then any corporate information gets protected too as a side effect. If, having had this simple good practice explained, security measures are still "too inconvenient" for a device owner to protect their own information (which probably includes passwords for e-banking, social networking and personal photographs) then those devices probably aren't a safe place for the employer's information either.

3. Adopt BYOD

Universities and colleges hope that their users don't just work in the office, 9-5, but whenever and wherever a good idea occurs. Given that work pattern, BYOD feels like something that we ought to be designing in to our systems and processes. That involves providing guidance and support to users in some of the harder questions: how to backup devices in ways that are safe for both personal and organisational information; how to use wireless and other untrusted networks safely; how to assess security when installing new applications and software. In designing our systems, perhaps we should even be assuming BYOD use ("Bring Your Own by Default"?), unless particular information or services are unsuitable for it? I suspect our users may already expect that all systems will be accessible from their devices and many of them are innovative enough to put that expectation into practice. In most cases that will have benefits for the organisation and we should be encouraging it: where it creates unacceptable risks then we need to explain clearly why this system is an exception and users shouldn't try to work around our security measures.