What might be surprising to some is how Microsoft actively supports a BYOD program that doesn't deny employees any choice of mobile computing device, including smartphones and tablets from Apple and Android.
BYOD on a large scale was a decision made a few years ago to "embrace what's coming" in terms of worker preferences and productivity, says Bret Arsenault, chief information security officer at Microsoft. Today, about 90,000 devices are "personally owned" by Microsoft employees and used for business purposes, including email and document editing. But it's not that just anything goes with BYOD, Arsenault emphasizes. "Security is not an afterthought."
Microsoft does mandate encryption and can extend a wipe capability to corporate data through use of its own service, Windows Intune. "We're effectively securing the data — segregating and protecting the data on the device when it's not owned by the business," says Tim Rains, Microsoft director of Trustworthy Computing. Microsoft uses Intune across the enterprise, testing out new features before they're generally available.
According to Arsenault, the Microsoft BYOD strategy involves "certifying a set of capabilities, not the device." Through the certificate-based Intune agent software, Microsoft can set limits related to a PIN timeout policy and manage the key that provides access to encrypted data. Education and training on use of BYOD in business is also an element in all this. "It's the base minimum," he notes.
But BYOD is not usually accorded the same level of trust as corporate-issued devices. BYOD is subject to specific network-access controls on the Microsoft enterprise network, which is set up under a model called "variable user experience" based on the identity of the device and its location, says Arsenault. Under this model, Microsoft recognizes distinct security levels for on-network, off-network, wireless and Internet access. Sometimes BYOD users don't get the same access as they would with a corporate-issued device, depending on the sensitivity of the resource.
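One way to model the "variable user experience" decision described above, as an added illustration that is not Microsoft's or Intune's own logic: a device must first meet the base-minimum posture (management agent present, storage encrypted, PIN timeout configured), and only then do ownership and network location decide how much of a resource it may reach. The zone scores, the 15-minute PIN timeout ceiling and the 0-3 sensitivity scale are assumed values the article does not give.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Zone(Enum):
    """Network locations the article lists, from most to least trusted."""
    ON_NETWORK = "on-network"
    WIRELESS = "wireless"
    OFF_NETWORK = "off-network"
    INTERNET = "internet"


# Assumed trust ranking per zone (higher is more trusted).
ZONE_TRUST = {Zone.ON_NETWORK: 3, Zone.WIRELESS: 2, Zone.OFF_NETWORK: 1, Zone.INTERNET: 0}

# Assumed policy ceiling for the PIN timeout; the article names the control, not the value.
MAX_PIN_TIMEOUT_MINUTES = 15


@dataclass(frozen=True)
class Device:
    corporate_owned: bool
    mdm_enrolled: bool                 # management agent present on the device
    encrypted: bool                    # device storage encryption enforced
    pin_timeout_minutes: Optional[int]  # None means no PIN timeout configured


def is_compliant(d: Device) -> bool:
    """The 'base minimum': enrolled, encrypted, and PIN timeout within policy."""
    return (d.mdm_enrolled and d.encrypted
            and d.pin_timeout_minutes is not None
            and d.pin_timeout_minutes <= MAX_PIN_TIMEOUT_MINUTES)


def decide_access(d: Device, zone: Zone, resource_sensitivity: int) -> str:
    """Return 'full', 'limited' or 'deny' for a resource rated 0 (public) to 3 (highly sensitive).

    Non-compliant devices are denied outright. Otherwise trust combines the network
    zone with device identity: a corporate-owned device earns one extra point, so a
    personally owned device reaching the same resource from the same place can end
    up with reduced access, matching the behaviour the article describes.
    """
    if not is_compliant(d):
        return "deny"
    trust = ZONE_TRUST[zone] + (1 if d.corporate_owned else 0)
    if trust > resource_sensitivity:
        return "full"
    if trust == resource_sensitivity:
        return "limited"
    return "deny"
```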
Gartner analyst Lawrence Orans says it's a common security practice associated with BYOD to set up policies for mobile-device management based on network-access control. But one of the challenges in all this is that the various MDM vendors have specific partnerships with specific NAC vendors and when you pick NAC, "you're also picking the MDM. If you pick the MDM first, you also limit the NAC partnership," he points out.
The big players in NAC, including Cisco, ForeScout and Aruba Networks, each have several partnerships with MDM vendors, typically partnering with the MDM vendor to create integrated NAC and MDM client software. But there are a lot more MDM vendors than NAC vendors, Orans points out, advising enterprise IT managers to choose carefully if they're supporting NAC, too.