By Guy Partridge
Security Technical specialist – Qatar
In light of current events, most organisations – whether in the public or private sector – have needed to rapidly adopt or expand home working. For some organisations, this has required the use of employees' personal devices (a bring your own device, or BYOD, policy).
In order to manage the risks associated with BYOD and align to a Zero Trust Architecture we have produced this guidance on how you can use Microsoft technologies to mitigate the risks associated with employee access to systems and services remotely through unmanaged devices.
Improve employee access
Specifically, we're looking at how you can access Microsoft 365 services in a way that helps you meet your obligations and leverages our Zero Trust features and capabilities. This guidance doesn't suggest that a BYOD policy is a single, one-stop solution. It does, however, draw on broad experience across government and draws heavily on existing zero trust best practices.
This document describes the controls and explains why each specific security control is used. It also provides step-by-step configuration guidance which your IT team can use to quickly set up and manage access to your data from personal devices, showing how the features and capabilities in Azure Active Directory, Microsoft Intune, and Microsoft 365 can be used as part of a zero trust architecture.
These factors all come together to ensure employees can securely access their work while keeping your organisation’s data secure on personal devices. It helps employees stay productive and collaborate together securely, no matter what device they are using.
Good, better, best blueprint for your BYOD policy
To support this effort, we’ve created a blueprint. This blueprint has been developed to support the use of BYOD scenarios where organisations are not able to provide corporate laptops or mobile devices.
The technical controls that are described in this document have been grouped into three categories: good, better, and best. The rationale for the groupings is described below.
Good
- Forms the minimum level of configuration that all organisations should meet.
- Available with a Microsoft 365 E3 license.
- Can be implemented using simple configuration tasks.
- Browser-based access for PC and Mac.
- Approved apps for mobile devices.
- MFA and restricted session controls in Exchange Online and SharePoint Online.
Better
- Forms the level that organisations should aspire to.
- Available with Microsoft 365 E5.
- Might require more complex configuration tasks.
- More flexible and granular control of user policies, with session controls using Microsoft Cloud App Security.
- Lower residual risk than the Good pattern.
- Browser-based access for PC and Mac.
- Approved apps for mobile devices.
Best
- Utilises Windows Virtual Desktop (WVD) to provide a solution that matches as closely as possible the experience of working in the office on corporate IT, from any device.
- With good management it significantly reduces the unmanaged surface by providing a virtualised corporate desktop for home workers on their personal computing device.
- Lowest risk approach compared to the Good and Better patterns.
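As an added example that is not from the original post or from Microsoft's blueprint documents, the PowerShell below shows one way to express the Good pattern's "MFA and restricted session controls" for browser access from unmanaged devices, using the Microsoft Graph PowerShell SDK together with the SharePoint Online and Exchange Online modules. The policy name, the break-glass account object ID and the tenant name are placeholders, and the policy is created in report-only mode so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph,
# Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are
# installed and the signed-in account can manage Conditional Access, SharePoint and
# Exchange Online. Values in <angle brackets> are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "BYOD Good - MFA and limited browser access from unmanaged devices"
    # Report-only first: review sign-in logs, then change to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        # Scope to unmanaged devices by excluding compliant or hybrid-joined ones
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # "Use app enforced restrictions": Exchange Online and SharePoint Online
        # give the session limited, browser-only access (no download, print or sync)
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# SharePoint Online and OneDrive must also be told to honour the restriction
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Outlook on the web: read-only access (attachments viewable but not downloadable)
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly
```

Non-browser clients on unmanaged devices are not covered by this policy; the blueprint's "browser-based access" and "approved apps" controls need separate Conditional Access and app protection policies.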
So which BYOD policy route is right for you?
The decision flow above aims to help you determine which of the patterns you should use. For example, if an organisation has Microsoft 365 E5 licenses, the controls used in the Better or Best patterns provide a lower residual risk and should therefore be used in preference to the Good pattern.
Reduce your security risk posture with BYOD
Having a strong BYOD policy aligned to zero trust reduces barriers to work for your remote workforce. It also enables them to connect, work, and meet together online securely, no matter where they are.
For your IT team, this guide provides thorough step-by-step instructions to set up BYOD controls while helping manage security. This means they can implement these controls across your digital estate quickly and remotely.
By using the guidance, you can enable your organisation to move to a lower risk security posture when utilising BYOD.