Microsoft’s CISO shares best-practices for balancing employee autonomy and security in today’s bring-your-own world.

Bret Arsenault, CISO, Microsoft

June 30, 2014

Securing a company’s IT environment can be a daunting task, and the growing adoption of bring-your-own-device can only add to the complexity. To effectively manage BYOD, security managers need to define new strategies to manage the resulting risks.

It likely won’t surprise you that recent research we conducted in a Trust in Computing survey shows that 78 percent of organizations allow employees to bring their own computers to the office for work purposes. BYOD can improve employee satisfaction and productivity, and the trend is becoming more commonplace today.

The good news is that BYOD can be implemented without eroding security. But it’s no small task for enterprises. At Microsoft, our IT group coordinates data security management across 340,000 devices connecting to the network and 2 million remote connections each month.

The internal BYOD policies we have developed, which I oversee as chief information security officer, provide a framework for enabling employees to use their personal devices while helping to maintain protections for corporate information. I believe that companies of many sizes can leverage at least some of what we’ve instituted in their own organizations. Here’s a sampling of some of our best-practices:

Best-Practice 1: Develop a BYOD strategy
Effective security starts with a detailed strategy. At Microsoft we set out to define:

  • The company’s goals for the BYOD framework

  • The capabilities we need to reach those goals

  • A plan for supporting and securing access from personal devices

  • A strategy for accountability and implementation

To help put that into perspective, here’s a breakdown of how this works at Microsoft. Our goals for BYOD are to give employees access to messaging, collaboration, and line-of-business applications, to boost productivity, and to help employees balance their work and personal lives. This approach includes employee training and engages various departments like Human Resources and Legal.

Our standards for the use and integration of personally managed devices require employees to:

  • Accept security controls on personal phones in order to access email

  • Set personal phones to lock automatically after a period of inactivity

  • Allow the company to remotely wipe company data from a device that is lost or stolen

The final piece in the strategy is assigning accountability for implementing and overseeing BYOD. At Microsoft, our IT department oversees a coordinated effort to help secure data on more than 340,000 end-user devices in use at the company; 90,000 of them, about a quarter of the devices in our environment, are personally owned.

Best-Practice 2: Manage the boundary between personal and corporate data
Companies need to take steps to segregate and protect corporate data effectively. For example, at Microsoft, any device accessing company email must adhere to security standards that:

  • Encrypt the data on the device

  • Require a PIN

  • Allow remote maintenance and updates to protect company applications and data

We continuously evolve this standard using technologies such as Microsoft Intune and similar products, which manage personally owned devices from the cloud and can remove company data from a device, without touching personal files, apps, or pictures, when an employee leaves the company or lends the phone to someone else.

Best-Practice 3: Define conditions for access
At Microsoft, we’ve moved to a Variable User Access model, which looks at the strength and trustworthiness of the device, and the identity presented by the employee, to determine the level of access to company resources. For example, we ask:

  • Is the employee using a non-corporate identity, such as a personal email account, or are they using a trusted ID from the corporate managed directory?

  • Is the device authenticated and fully managed by the company, using a mobile device management solution, or is the device personally owned by the employee?

  • Is the device being used from a known location or from a new, unknown external location?

The strength of those and other factors will determine the level of employee access, ranging from full network access and data, to full network access but no local data, to some access to web applications, to no access (guest Internet).
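The Variable User Access model described above is, in practice, a policy function: it takes the identity type, the device's management and compliance state, and the location signal, and returns one of the four access tiers. The following is an added illustration, not Microsoft's code and not an implementation of any Microsoft product; the specific tier-assignment rules (identity gate first, device state decides the starting tier, an unknown location steps the grant down one tier, and an unknown device fails closed) are assumptions chosen to show the shape of such a policy, as are all the class and field names.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Identity(Enum):
    CORPORATE_DIRECTORY = auto()   # trusted ID from the corporate managed directory
    PERSONAL = auto()              # e.g. a personal email account


class DeviceState(Enum):
    MANAGED = auto()    # enrolled in MDM and fully managed by the company
    PERSONAL = auto()   # personally owned (BYOD), compliance reported by MDM
    UNKNOWN = auto()    # no inventory or MDM record at all


class Location(Enum):
    KNOWN = auto()
    UNKNOWN = auto()


class AccessLevel(Enum):
    # Ordered tiers; stepping down one tier is value - 1.
    FULL_NETWORK_AND_DATA = 4
    FULL_NETWORK_NO_LOCAL_DATA = 3
    WEB_APPS_ONLY = 2
    GUEST_INTERNET = 1


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: DeviceState
    location: Location
    # BYOD baseline controls (encryption, PIN, remote wipe); hypothetical fields
    encrypted: bool = False
    pin_required: bool = False
    remote_wipe_enabled: bool = False


@dataclass(frozen=True)
class Decision:
    level: AccessLevel
    reasons: tuple  # human-readable trail for audit logging


def baseline_failures(req: Request) -> tuple:
    """Return the BYOD baseline controls the device is missing (empty if compliant)."""
    failures = []
    if not req.encrypted:
        failures.append("device storage not encrypted")
    if not req.pin_required:
        failures.append("no PIN / auto-lock")
    if not req.remote_wipe_enabled:
        failures.append("remote wipe of company data not enabled")
    return tuple(failures)


def evaluate_access(req: Request) -> Decision:
    """Assumed policy: identity gate, then device trust, then location step-down."""
    reasons = []

    # 1. Identity gate: without a corporate identity the device does not matter.
    if req.identity is not Identity.CORPORATE_DIRECTORY:
        return Decision(AccessLevel.GUEST_INTERNET, ("non-corporate identity",))
    reasons.append("corporate directory identity")

    # 2. Device trust decides the starting tier. Unknown state fails closed.
    if req.device is DeviceState.MANAGED:
        level = AccessLevel.FULL_NETWORK_AND_DATA
        reasons.append("company-managed device")
    elif req.device is DeviceState.PERSONAL and not baseline_failures(req):
        level = AccessLevel.FULL_NETWORK_NO_LOCAL_DATA
        reasons.append("personal device meets BYOD baseline")
    else:
        level = AccessLevel.WEB_APPS_ONLY
        if req.device is DeviceState.PERSONAL:
            detail = "; ".join(baseline_failures(req))
        else:
            detail = "device not in inventory"
        reasons.append("untrusted device: " + detail)

    # 3. Location: a new, unknown location steps the grant down one tier.
    if req.location is Location.UNKNOWN:
        level = AccessLevel(level.value - 1)
        reasons.append("unknown location: stepped down one tier")

    return Decision(level, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample requests, one per interesting combination.
    samples = [
        Request(Identity.CORPORATE_DIRECTORY, DeviceState.MANAGED, Location.KNOWN),
        Request(Identity.CORPORATE_DIRECTORY, DeviceState.PERSONAL, Location.KNOWN,
                encrypted=True, pin_required=True, remote_wipe_enabled=True),
        Request(Identity.CORPORATE_DIRECTORY, DeviceState.PERSONAL, Location.UNKNOWN,
                encrypted=True, pin_required=False, remote_wipe_enabled=True),
        Request(Identity.PERSONAL, DeviceState.MANAGED, Location.KNOWN),
    ]
    for req in samples:
        decision = evaluate_access(req)
        print(decision.level.name, "<-", "; ".join(decision.reasons))
```

The ordering is the point: the identity check runs before anything about the device is consulted, so a strong device cannot compensate for a weak identity; an unknown device state is treated exactly like a non-compliant one rather than being given the benefit of the doubt; and the location signal only ever lowers a grant, never raises it. The `reasons` trail is what you would write to the audit log so that a later access decision can be explained.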

As BYOD continues to become more mainstream in the workplace, security can’t be an afterthought. Each company should determine which BYOD-friendly devices, services, and practices will best balance the benefits of BYOD with the increased security risks that come with it.

About the Author(s)

Bret Arsenault

CISO, Microsoft

As Microsoft's Chief Information Security Officer, Bret Arsenault is responsible for enterprise-wide information security, compliance, and business continuity efforts. He leads a global team of security professionals with a strategic focus on information protection, assessment, awareness, governance, and enterprise business continuity. His role, combined with extensive experience in network computing, distributed processing, security, and web-based solutions, makes him a highly sought-after speaker and presenter. Arsenault is also involved at the executive level with both Microsoft customers and partners, holding advisory board roles with government agencies, security companies, and other high-profile organizations.
