What options are there for regulating the use of private devices in a professional context?

There are 3 main options:

1. Prohibit use of private/personal devices & provision of company devices.

The organization defines a regulation that prohibits the use of private devices for work purposes (e.g. to access e-mails). If a mobile device is required for the role, a company-issued mobile device can be provided by the organization. Mobile Device Management (MDM) should be implemented for these devices to centrally control and manage software, security settings and password policies. In addition, MDM solutions offer features such as remote wipe, which can be used to erase an entire device if it is misplaced or stolen.

2. Allowing the use of private devices according to a policy & implementing a container solution.

In this case, the organization defines that the use of private devices is allowed. However, certain rules must be adhered to when using private devices; these are defined, for example, in a Bring-Your-Own-Device policy (BYOD policy). In addition, an appropriate level of information security should be ensured by technical protection measures, such as the installation and maintenance of a container solution. A container solution is usually an app that employees can download to their private device. The organization then manages all relevant apps, security settings, etc. within the container app. The advantage of such a solution is that private and business data on the phone are kept strictly separate and the organization does not have access to the employee's private data.

The following should be considered when selecting and implementing a container solution on private devices:

  • Authentication should be strong and, ideally, use multi-factor authentication. So, in addition to a password, a biometric feature such as a fingerprint or face scan on the smartphone should have to be used. Optionally, for an extra layer of assurance, a security code sent by mail or SMS would make this even safer.

  • The solution should have appropriate encryption mechanisms, such as AES-256 encryption. A good overview of state-of-the-art encryption mechanisms can be found in TeleTrusT's guideline on the current "State of the art" in IT security.

  • Mobile device management functions should be avoided on private phones, as they would give the organization administrative rights over employees' private phones.

  • It must be ensured that data downloaded to the smartphone via apps in the container (e.g. Teams) remains in the container and is kept separate from the user's private data.

  • A BYOD (Bring Your Own Device) policy should be established that formally requires employees to use the container app for business purposes on private phones.

  • Possible solutions include Virtual Solution, MobileIron AppConnect, Miradore or Intune. Intune also has BYOD functionality and could be cost-effective (depending on the existing O365 license).

3. Prohibition of private devices, with an exception.

The organization defines a rule that prohibits the use of private devices for work purposes (e.g., to access emails) organization-wide. It defines a clearly outlined exception: private devices may be used for authentication as part of multi-factor authentication procedures in a professional context.

Note regarding option 3: it is important to note that employees cannot, in principle, be required to use their private devices for professional purposes. If employees are not willing to use their private device, the organization must provide a company cell phone for MFA activation if multi-factor authentication is mandatory for employees.

Conclusion: There are various options for handling private devices. The options depend, among other things, on the financial resources of the organization. Options 1 and 2 are the best options from an information security perspective. Option 3 is associated with residual risks.