Getting to BYOD

Last updated: 21 March 2014

Recent data suggests that 70 percent of companies in the United States will utilize BYOD this year. Indeed, BYOD is cost-effective, convenient and often heightens productivity, making it an advantageous choice for a wide spectrum of businesses.

Historically, though, allowing employees to access data with their personal devices has not been without a unique set of dilemmas, among them mobile credentialing. Mobile credentialing is imperative in an increasingly mobile workforce. Given the rise of BYOD practices, we’ve compiled a checklist for corporate decision makers to use so they can successfully navigate the BYOD waters and arrive safely – and securely – at customer and employee satisfaction.

Analyze Risk

First you’ll need to ask and determine the answers to some important questions about your business. These might include: Which devices can your business support? What policies are in place – from both HR and IT perspectives – that will govern the new implementation? How much technological support are you willing or able to provide for personal devices? Will you offer both logical and physical access solutions, or just one of the two?

Don’t Agonize Over Devices

It’s easy to fall prey to this one: spending too much time and energy thinking about and issuing specific-device mandates within your company. The average lifespan of a mobile phone is 18 months to two years, meaning there is high device turnover among users. This underscores the need for a handset-agnostic mobile security solution, and it should serve as a reminder that the smartphones and tablets utilized in BYOD are of far less consequence than network security. Your main focus should always be network security.


Given the security risk associated with multiple-password usage (employees emailing passwords to web-based, personal addresses, etc.) consider employing SSO as part of a larger SSL VPN strategy. SSL VPN confers secure connectivity even on devices without the installed software.

Consider SIM

Perhaps most crucial is the adoption of a SIM card solution, which has the highest level of risk assurance of all available security solutions. At Gemalto we’re currently working in conjunction with mobile operators on a pilot program in which derived credentials are loaded onto users’ SIM cards, allowing data to be securely accessed via mobile applications.

For government employees whose jobs demand increased security compliance, placing PIV and PIV-I credentials in a secure UICC (a next-generation SIM card) that can be inserted into various mobile devices and can be moved from handset to handset makes the most sense.

NIST Computer Security Division recently published two documents providing guidance: Mobile, PIV, and Authentication (NISTIR 7981); and Guidelines for Derived Personal Identity Verification (PIV) Credentials (Draft Special Publication 800-157).

Other levels of mobile security solutions exist and can be useful for applications that don’t require the utmost security. The trusted execution environment with a handset-embedded secure element is the best fit for ad-hoc security applications. Using a mobile phone application with user credentials embedded is sufficient for low-security applications.