Instrumented Interconnected Intelligent

Posted by Declan McNamara


Balancing corporate security for mobile

The increasing adoption of bring your own device (BYOD) in all sectors of the market has the potential to cause conflict between corporate security and employees. On the one side, employees are keenly interested in using their own devices to access their work email or other data. On the other side, the enterprise is trying to ensure that all corporate data is secure.

It is an undeniable fact that mobile devices by their very nature are less secure than traditional computers or notebooks, and they are much more likely to be lost or stolen. Security is therefore a key element of any BYOD program. Balanced with that, however, is the fact that the mobile device, especially in BYOD, is not just for email or corporate data; it is also the user’s camera, social media device, music player, satellite navigation system, games console and much more. The challenge is to protect the corporate data without negatively impacting user experience to the degree that they no longer wish to partake in the BYOD program at all.

The following are some of the areas to consider when balancing these seemingly conflicting requirements:

Passcodes

Passcodes are the primary security measure and will typically be required on any device being used to access corporate email or data. Simple PIN-based passcodes usually aren’t sufficient, so we are going to have to live with the complex alphanumeric type until a better system becomes mainstream (most likely some form of reliable biometric). However, one concession that can be made is the “grace period” that is typically supported on all mobile devices. This is the period after the device locks during which it can be unlocked without requiring the passcode. A typical setting for this would be up to a maximum of 15 minutes.

Restrictions

The majority of devices now support some level of restriction on native device features such as the camera, app store and so on. While there are certainly valid use cases for “locking down” devices (for example, when they are used as a shared device or perhaps for one specific purpose, like a customer-facing app in retail), it is generally not the best practice to lock down or remove features from a device in the BYOD model. A better approach would be specific blacklisting of apps that are considered a risk to corporate security. If we use more advanced device management software, it may be possible to impose restrictions using geofencing techniques so that, for example, the camera may be disabled while within a secure work facility.
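As an added example (not code from the original post or from IBM's services), here is how the Passcodes and Restrictions sections above translate into a compliance check that a device management back end could run over a device's reported state: complex passcode required, grace period capped at 15 minutes, apps blacklisted rather than features removed, and the camera disabled only while inside a geofenced secure facility. The reporting fields, policy values, app identifiers and facility coordinates are all constructed assumptions for the example.

```python
"""Constructed BYOD compliance evaluator (added example, not from the post)."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Policy:
    # Passcodes: complex alphanumeric, with a bounded grace period (the concession).
    min_passcode_length: int = 8
    allow_simple_passcode: bool = False          # numeric-only PINs are not sufficient
    max_grace_period_minutes: int = 15
    # Restrictions: blacklist specific risky apps instead of locking down features.
    blacklisted_apps: frozenset = frozenset({"com.example.filesharer"})  # constructed id
    # Geofence: (name, latitude, longitude, radius in metres); camera is off only here.
    secure_facilities: tuple = (("HQ lab", 51.5074, -0.1278, 150.0),)    # constructed


@dataclass
class DeviceReport:
    """Assumed simplification of what an MDM agent reports back."""
    passcode_set: bool
    passcode_is_simple: bool       # True when the passcode is a numeric-only PIN
    passcode_length: int
    grace_period_minutes: int
    installed_apps: list
    camera_enabled: bool
    latitude: float
    longitude: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def facility_containing(lat, lon, policy):
    """Name of the secure facility whose geofence contains the point, or None."""
    for name, flat, flon, radius in policy.secure_facilities:
        if haversine_m(lat, lon, flat, flon) <= radius:
            return name
    return None


def evaluate(report, policy=Policy()):
    """Return (compliant, findings); each finding is (severity, message).

    Severity "block" means corporate data access should be withheld until fixed;
    "action" is a restriction to apply or lift without affecting compliance.
    """
    findings = []

    # Passcode requirements from the Passcodes section.
    if not report.passcode_set:
        findings.append(("block", "no passcode set"))
    else:
        if report.passcode_is_simple and not policy.allow_simple_passcode:
            findings.append(("block", "simple PIN passcode; alphanumeric required"))
        if report.passcode_length < policy.min_passcode_length:
            findings.append(("block", f"passcode shorter than {policy.min_passcode_length}"))
    if report.grace_period_minutes > policy.max_grace_period_minutes:
        findings.append(("block", f"grace period {report.grace_period_minutes} min exceeds "
                                  f"{policy.max_grace_period_minutes} min"))

    # Restrictions: only blacklisted apps are flagged; everything else stays usable.
    for app in report.installed_apps:
        if app in policy.blacklisted_apps:
            findings.append(("block", f"blacklisted app installed: {app}"))

    # Geofenced camera restriction: applied inside a secure facility, lifted outside.
    facility = facility_containing(report.latitude, report.longitude, policy)
    if facility and report.camera_enabled:
        findings.append(("action", f"inside {facility}: disable camera"))
    elif not facility and not report.camera_enabled:
        findings.append(("action", "outside secure facilities: re-enable camera"))

    compliant = not any(sev == "block" for sev, _ in findings)
    return compliant, findings


if __name__ == "__main__":
    visitor = DeviceReport(True, False, 10, 15, ["com.example.mail"], True, 51.5074, -0.1278)
    print(evaluate(visitor))
```

The separation of "block" from "action" findings is the design point: a geofence result changes what the device may do in one place, but it never costs the user access to their email, which keeps the restriction from feeling like a lock-down.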

Containerization

The use of containerization is certainly a strategy to consider, as it enables the personal data and the corporate data to be separated and secured to different levels. In certain industries, strict rules apply in terms of encryption, audit tracking and so forth, and a secure email container may be the only option. The downside of this is that it may negatively impact the native device experience. The trend in the market, as demonstrated by the recent Samsung KNOX announcement for Android, is a dual persona on the device; this is containerization at a device level where email, apps and so on can be installed in a corporate secured area on the device while personal email, apps, data and the like are installed in the other persona of the device.

IBM is a recognized leader in providing managed mobility services, and as part of its Mobile Enterprise Services IBM can help you in defining your BYOD policies as well as managing your devices with flexible, subscription-based models.

How have corporate security policies impacted your use of your BYOD device? I’d love to hear your thoughts in the comments, or connect with me on Twitter @declan_mcnamara.


1 Comment
 
April 12, 2013
4:08 am

Hello Declan,

I have read your article and found it extremely well documented and realistic.
As I have a little experience in testing the security of mobile applications (on iOS and Android), might I bring an idea on the topic: Restrictions?
You have mentioned “geofencing techniques” – this can be extended in many ways, with many features. Imagine a cloud server, where the device connects and receives security policies depending on its location. These policies are administered by an IT administrator and are linked to the owner of the device (if it’s in Active Directory, for example). Having a permanent connection to a cloud server, sending the phone location periodically, clearly helps enforce these security policies on a device. In the BYOD system, a user is thereby forced to use these restrictions only at his workplace or in specific or agreed locations.
I would like to talk more on this topic, if you like.


Posted by: Tatu Gabriel
 
1 Trackback
 
September 23, 2013
3:44 am

[...] more about containerization, check out these Mobile Business Insights posts from my colleagues: “Balancing corporate security with user experience” and “Mobile and virtualization—The dynamic duo for [...]


Posted by: Mobile containerization: Choose your container well | IBM Mobile
 