UK shuns BYOD in effort to strengthen mobile security
The United Kingdom's Communications-Electronics Security Group, the central government agency that serves as the country's technical authority for information assurance, is recommending UK government agencies avoid allowing employees to bring their own device.
"A BYOD model is possible - although not recommended for a variety of technical and non-technical reasons," says CESG Oct. 14 in one of several documents to guide British government agencies' implementation of mobile device security.
The agency goes on to say that true security can only be ensured when device management is applied at the time of provisioning. This allows agencies to confirm a device is in a "known good" state before it is allowed to access official government information and systems. However, this scenario is extremely rare in a BYOD environment because provisioning happens at the time an employee purchases his or her personal device.
"Limitations of current technology mean that a 'health check' or 'device status' check is not sufficient to verify 'known good' - malware can easily subvert such a check," says CESG.
The agency dropped a total of 15 documents for public sector IT managers and system administrators. The topics range from overview security guidance for end user devices and reports on security considerations specific to certain platforms to an application development guide.
While the guidance does cover many popular consumer devices, such as Apple's iPhones and Android smartphones, it is intended to only address security considerations for knowledge workers using a corporately-managed device to access official email, calendar, collaboration tools, and other enterprise services, whether in or out of the office.
"Although devices are expected to be corporately managed, the ownership model is not particularly relevant to the remainder of this guidance," say report authors in an introductory document--implying that, although not recommended, the guidance could still be applicable to BYOD environments, as well.
"The critical aspect is that the enterprise takes over the management of the device via a device provisioning process and is able to control all relevant aspects of it throughout the time it accesses OFFICIAL information," says CESG.
The agency recommends U.K. government offices read and follow the extensive security guidance for each of the devices used on their network, pilot devices in non-operational environments prior to deployment, apply security configurations in ways that support business functions, read and assess security checklists provided in the documentation, craft mobile security operating procedures, stand up a helpdesk dedicated to mobile security, and prepare a system management plan to deal with security-critical updates and patches.
As more devices, platforms and security considerations develop, CESG plans to issue and re-issue documents to address them, says the agency.