Three Use Cases for BYOD in Public Sector
Is there a place for BYOD in the Public Sector? Recent high-profile examples of public officials using their personal devices to conduct government business have raised some red flags. The reality is, though, that BYOD is here to stay. The question, then, is not simply whether to allow BYOD or not, as if there were just two choices. If we look at the Health and Human Services State agency in one large US state, we can see at least three distinct use cases for BYOD, each with its own security concerns and techniques to address them.
First, and perhaps most obvious, let’s peek over the shoulder of a citizen using his personal smartphone to request benefits. A short time ago, he would have had to make photocopies of key documents and mail them to the agency. Today, however, he uses an agency-supplied mobile application to answer a few questions, take photos of his driver’s license and a recent pay stub and then digitally submit everything to the agency for processing. Since the agency has no control over the smartphone, the agency must build security into the application and develop multiple versions of the application – one for each smartphone platform that citizens may be using.
Second, in another town in the same state, a Foster Parent is hosting a graduation party for the foster child in her care. She takes some pictures of the important day with her smartphone and then uses an agency-supplied application to submit the pictures to a database maintained by the agency. The agency adds these pictures to others captured earlier from a previous foster parent, creating a photo library that the foster child is able to take with him. Since the Foster Parent is contracted by the state, the agency can impose more restrictions on the foster parent than can be imposed on the citizen in the first example. Only certain phones and operating system levels are supported and the security is built into the application design. All content associated with the application is encrypted in its own container and all data is transferred to/from the agency over an encrypted channel.
Personal Use by Employee
Finally, if we expand the definition of BYOD to include any device (corporate or personal) that is used for both government and personal work, then we can add a third use case. Imagine a Child Welfare Case Worker – an employee of the state – using an agency-issued smartphone in her daily work. A short time ago, she used three devices: the agency-provided phone, a digital camera and a laptop. Today, she does everything with her agency-approved smartphone, which is fully managed and secured by the agency. If the device is compromised in any way, the agency is notified and compliance rules kick in to enforce security. The compliance rules could block access to agency email, prevent access to the application or even remove the app and all its data. The app can use time-sensing and geo-sensing rules to prevent access outside business hours or from inappropriate locations. Because of these security features, the agency permits her to use the device for personal activities as well, ranging from email and texting to installing agency-approved applications. It is this mix of personal and business activities that allows us to consider this a form of BYOD (albeit a very restrictive one).
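The compliance rules described above can be sketched as a small policy evaluator. This is an added example, not code from the agency or from any device-management product; the business hours, geofence coordinates, grace period, field names and action names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

# Assumed values for illustration; the article gives no thresholds.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # Mon-Fri, agency-local
GEOFENCE_CENTER = (40.0, -100.0)   # constructed coordinates
GEOFENCE_RADIUS_KM = 50.0
WIPE_AFTER_DAYS = 3                # assumed grace period before app removal

@dataclass
class DeviceState:
    compromised: bool       # hypothetical flag reported by the management agent
    days_compromised: int
    lat: float
    lon: float
    now: datetime           # naive datetime, assumed to be agency-local time

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(state):
    """Return the enforcement actions for one access attempt."""
    # Check integrity first: a compromised device can report a false clock
    # or location, so time and geo rules are only trusted on a healthy device.
    if state.compromised:
        actions = ["notify_agency", "block_email", "block_app"]
        if state.days_compromised >= WIPE_AFTER_DAYS:
            actions.append("remove_app_and_data")
        return actions
    actions = []
    t = state.now
    in_hours = t.weekday() < 5 and BUSINESS_START <= t.time() < BUSINESS_END
    if not in_hours:
        actions.append("deny_app_access:outside_business_hours")
    if distance_km((state.lat, state.lon), GEOFENCE_CENTER) > GEOFENCE_RADIUS_KM:
        actions.append("deny_app_access:outside_geofence")
    return actions or ["allow"]
```

The ordering matters more than the thresholds: the integrity check runs before the time and location rules because those rules depend on values the device itself reports.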
In conclusion, BYOD is possible in the Public Sector. It requires that you first determine which BYOD use cases apply and then employ the appropriate techniques to provide the needed level of security. The techniques can range from building security into the app to containerization to full monitoring of the device. As the examples above show, it can be done successfully.