Bring Your Own Device (or BYOD – where an employee uses a personal device to access privileged company information and applications) has seen a massive increase over the last few years, and Gartner now predicts that 70% of mobile professionals will conduct their work on personal smart devices by 2018. But while BYOD can be a good thing for the employee, it gives IT departments a massive headache in terms of data protection and security.
As Dave Fuller already discussed in a previous blog post, Windows 10 has the potential to be the most secure enterprise Operating System (OS) ever – with a new ‘chain of trust’ from the hardware, through to the Windows OS kernel and to software running in Windows. The new Windows 10 servicing model also means that new features and functionality can be introduced through Feature Upgrades, so enterprises can take advantage of new security features as they become available.
One new feature directly addresses data protection – the aptly named Enterprise Data Protection (EDP) module which is built into the OS and managed through the Enterprise Mobile Management (EMM) console.
Enterprise Data Protection allows enterprise data on both corporate and employee-owned devices to be encrypted, and applications to be granted specific access to enterprise data. There’s no need for switching environments or multiple sign-ins, and you can even remotely wipe enterprise data off of the devices if required, without touching the user’s personal data.
When a user creates a new document, they’re asked if it’s a work document. If they respond yes, then it becomes locally-protected as enterprise data. Apps like Office also then work with EDP to continue data protection across different locations and services. For example, if a user opens a Word document and saves it with a new name, Word applies EDP to the new document to keep the encryption in place.
As well as restricting access to business data, it’s also possible to restrict copy and paste functionality so a user can’t, for example, copy content from a business Word document and paste it into another application.
And it also provides a good experience for the user. With the enterprise policies in place, there’s a very definite separation between personal and corporate data but users aren’t required to switch environments or sign-in multiple times, which is frustrating and interrupts the user’s work.
How does it work?
To set up EDP, administrators create a list of business resources (e.g. IP addresses, domains, and email accounts) so that the OS recognizes any data coming from these as business data – encrypting it and storing it in a secure virtual container on the device. A list of authorized applications can then also be created so the device knows which apps are allowed to access the enterprise data.
There are then four different protection levels to choose from:
- Block: With this setting, EDP looks for inappropriate data sharing and blocks the action. So, for example, if a user downloads image from their Outlook account and then tried to post it to Twitter, the device will block the action
- Override: Using this setting, users are advised that they are doing something inappropriate, but allows the user to override it and post anyway. All of the actions are captured in an audit log
- Audit: With Audit, EDP runs silently in the background and simply logs inappropriate data sharing without blocking anything. Again, all actions are captured in the audit log
- Off: EDP is turned off and is not protecting data
While invisible to the end-user, EDP will help IT departments overcome the challenges of BYOD by providing protection at the file level to prevent potential data leakage. Yet another reason why businesses should be looking to migrate to Windows 10 as soon as possible.
To find out how 1E can help you complete your migration quickly and securely, take a look at our Windows 10 Now solution.