There was a time—not too long ago—when IT Managers thought about managing personal device access in either/or terms. Many managers that I talked to were reluctant to take on managing personal device access. Their reasoning was simple: how can I draw the line? How can I manage personal device access to organizational information and resources, but avoid “owning” management of the rest of a user’s device?
I get it. IT Managers have enough to do without becoming every user’s personal IT concierge. Further, IT Managers don’t want to be everyone’s overlord, telling staff what they can and can’t do with their personal devices.
Managing Personal Device Access: It’s How Not If
Thank the COVID-19 pandemic for changing the calculus on this topic. As this article highlights, 39% of users are using personal devices to access organizational information. That’s a lot of organizational access that is potentially unmanaged.
The more security-focused organizations address remote access by providing users with a company-owned and managed device. These organizations manage personal device access by not allowing it. Want to access organizational apps and data? Use the device we gave you. Want to check in on Instagram? Do it on your personal device. Effectively, these organizations maintain a separation between personal and work worlds.
It’s a good strategy for the most secure of organizations. But what about the rest of us? We don’t want to supply company-owned devices to staff. At the same time (I hope you’ll agree), we can’t just ignore personal devices when we put together a security program. As the study cited above shows, people are going to access organizational data and apps from their personal devices. As an IT Manager, you can manage personal device access to organizational apps and data. Or you can choose to ignore that access.
How do you think that’s going to work out?
Here’s a Game Plan for Managing Personal Device Access
So, how do I get started? Let’s start managing personal device access by first managing the devices themselves. For this, we want to use a Mobile Device Management (MDM) solution. The idea of mobile device management was novel in 2005. (Buy me a beer next time we can meet and ask me how I know that.) Now, use of an MDM is old hat.
There are several good MDM solutions out there. Here are a few.
- Google Mobile Device Management
- Microsoft Intune (part of their Enterprise Mobility + Security subscription)
- Cisco Meraki
Go here if you’d like to see a “top 10” list of MDM solutions.
Look for a solution that allows you to segregate organizational from personal data. You want to know that if you wipe a personal device, you’re only removing organizational stuff, not someone’s college reunion pictures. Also, verify that the MDM solution works for all the personal devices you want to manage: Mac as well as PC; Android as well as iOS. Inventory and remote lock are two other features that you’ll want to have. With a good MDM solution in place, you have taken a foundational step to manage personal device access.
Move Beyond MDM to Conditional Access
Once you have MDM in place, you’re ready to move to step two in your quest to manage personal device access. You’re ready for conditional access.
What is conditional access? We’ve written about it here before (natch.) As the name implies, it imposes limits on what apps or data can be accessed by a personal device (or any managed device), based on a set of conditions it encounters.
For instance, conditional access can require a user with administrative privileges to log in using multi-factor authentication. Or it can restrict how a user can access certain applications. As we teased earlier in this post, conditional access determines how users will access organizational apps and data, not just whether they can do so. In managing personal device access, you want to give users as much latitude as possible to do their jobs. Conditional access lets you do that. Trying to access our network from Russia? Sorry, we don’t have any staff in Russia. You’re blocked. Accessing from a location we don’t recognize? OK, you can come in. But only after you change your password.
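To make the "how, not whether" idea concrete, here is a small conditional access evaluator written for this post as an added example; it is not code from the post or from any MDM product, and the allowed-country list, recognized-network names, policy names and sign-in fields are all assumptions. Each policy inspects the sign-in context (role, country, network, MDM state) and either blocks, demands a grant control such as MFA or a password change, or stays silent; any block is final, and demanded controls stack.

```python
from dataclasses import dataclass

# Constructed sample environment (not from the post): countries where the
# organization has staff, and network locations it already recognizes.
ALLOWED_COUNTRIES = {"US", "CA"}
KNOWN_LOCATIONS = {"hq-office", "home-vpn"}


@dataclass
class SignIn:
    user: str
    roles: frozenset        # e.g. {"admin"}
    country: str            # ISO country code resolved from the client IP
    location: str           # named network, or "unknown" if not recognized
    device_managed: bool    # enrolled in MDM with a separate work profile
    device_compliant: bool  # MDM reports the device meets policy


# Each policy returns None (no opinion), "block", or a grant control to require.
def block_unexpected_country(s):
    return "block" if s.country not in ALLOWED_COUNTRIES else None


def require_managed_device(s):
    return None if s.device_managed and s.device_compliant else "block"


def admins_need_mfa(s):
    return "mfa" if "admin" in s.roles else None


def unfamiliar_location_resets_password(s):
    return "password_change" if s.location not in KNOWN_LOCATIONS else None


POLICIES = [block_unexpected_country, require_managed_device,
            admins_need_mfa, unfamiliar_location_resets_password]


def evaluate(sign_in, policies=POLICIES):
    """Evaluate every policy; any block is final, otherwise grant controls stack."""
    controls, fired = set(), []
    for policy in policies:
        verdict = policy(sign_in)
        if verdict is None:
            continue
        fired.append(policy.__name__)
        controls.add(verdict)
    if "block" in controls:
        return {"decision": "block", "controls": [], "policies": fired}
    return {"decision": "allow", "controls": sorted(controls), "policies": fired}
```

Calling `evaluate(SignIn("alice", frozenset({"admin"}), "US", "hq-office", True, True))` returns an allow that requires MFA, while a sign-in from an unexpected country or an unmanaged device is blocked regardless of what else matched.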
I’m excited about conditional access because it’s linked to real-time threat determination. You can set policies using a threat calculation based on signals beyond your own organization. This space is evolving, and some of what’s been delivered still puts out too many false positives to be useful. But the threat determination will improve, and rapidly. Any security tool that has a machine learning element built into it is going to get more valuable over time.
You Can Do This. We Can Help.
If you avoided managing personal device access in the past because you didn’t want the headache, you were wise to wait for the toolsets to become more functional. Your waiting, however, is over. It’s time to step up and start managing personal device access. There are tools to support you. And we can help get you set up.