Bring your own device (BYOD) is an IT policy where employees are allowed or encouraged to use their personal mobile devices, and increasingly notebook PCs, to access enterprise data and systems. In short, BYOD means bringing a non-corporate device into the workplace and using it for privileged access. By now we all know the advantages that come with BYOD: increased productivity, cost savings and employee satisfaction.
However, with BYOD comes the responsibility to take precautions. Nearly half of enterprises that allow employee-owned devices to connect to the company network have experienced a data breach, according to a survey of 400 IT professionals by Decisive Analytics. Most of these companies reacted by restricting data access rights (45%) or installing security software (43%).
Given that BYOD devices are mostly unmanaged, planning access control models around trusted devices becomes a major, if not impossible, task. Another technology challenge for IT is creating a BYOD program that can truly span multiple device types, or more specifically stay consistent between mobile devices and PCs/Macs. IT security organizations that lean heavily on MDM controls for their BYOD program will be limited when their workers ask to use other computing platforms such as PCs.
One of the first noticeable impacts of BYOD on IT security is user rights. Believe it or not, the device owner will have a say in what runs on their device. Taking a device-centric security approach to a device you don't own can end in user rejection or project abandonment. Another challenge is that users can, and will, do things to their personal devices that IT has not approved. The picture is an extreme example to make the point, but jailbreaking and rooting are simple, widespread, and a major security risk: they disable the sandboxing and code-signing controls that every other protection on the device depends on, so a jailbroken device should be treated as untrusted regardless of what else is installed on it.
Containerization is the common theme in app-centric security strategies. A secure container adds security controls above the native OS and focuses protection on the app and its data rather than on the whole device. This data shielding strategy, however, has many different methods, each with its own merits and use-case considerations. For those concerned about the integrity of the app itself (mobile malware, app tampering, code theft or fraud), a hardened-app strategy builds the controls that protect the app into the app itself. For enterprise customers racing to deploy mobile apps, each with its own security requirements such as authentication, encryption and VPN, an app-wrapping strategy allows those controls to be added after development, without changing the app's source.
A great way to protect against data loss on mobile is not to store the data on the mobile device in the first place. Virtualization technology has long provided this sort of containerized approach, with the data staying in the data center and only screen output reaching the device, and solutions like Citrix and VMware are available for mobile devices.
No single approach to network security can solve every small-device access problem. Government agencies will need to consider, and potentially implement, multiple categories of security policy for every type of access. When data is accessed over LANs and WANs, organizations can set configuration rules that benefit from the access controls already offered at every point of network entry. If you have a healthy layered defense in place for giving people outside your walls access, then mobile users coming in on their own devices will, in many cases, simply look like another client of that web application.
A Mobile Device Management (MDM) platform is the prevalent approach today (over 80% of MDM deployments are on-premise, per Gartner). Cisco Identity Services Engine (ISE) integrates with leading MDM partners (AirWatch, Citrix, Fiberlink, Good, MobileIron and SAP Afaria) to protect customers' MDM investments. Cisco ISE extends the reach of current MDM solutions into network enforcement, so the network admission decision can take the MDM's view of the device (enrolled, compliant, compromised) into account, and it provides consistent, unified policy not just for mobile devices but for all networked devices. Cisco ISE is an all-in-one, on-premise enterprise control platform for customers with scalable and complex network policy requirements. ISE provides one policy for the entire enterprise, no matter the device or the use case.
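The unified, device-independent policy described above, together with the earlier point that an access model built around trusted devices is hard to plan when most BYOD endpoints are unmanaged, reduces to a small decision: map what is known about the device's posture to an access tier, and let the least trustworthy finding win. The following is an added example, not code from the original post or from Cisco ISE or any MDM product; the posture fields, minimum OS versions, freshness window, resource-to-tier mapping and sample devices are all assumptions chosen for illustration.

```python
"""Posture-based access tiering for BYOD endpoints.

Added example, not code from the original post or from any Cisco product.
The posture fields mirror what an MDM or network policy engine would report;
the thresholds and resource mapping below are hypothetical.
"""
from dataclasses import dataclass
from typing import Tuple

# Access tiers, least to most privileged.
DENY = "deny"
WEB = "web"              # browser-only access to the web app, nothing stored on device
CONTAINER = "container"  # managed container / wrapped apps only
FULL = "full"            # native apps, VPN, internal file shares
TIER_RANK = {DENY: 0, WEB: 1, CONTAINER: 2, FULL: 3}

# Hypothetical minimum OS versions and posture-report freshness window.
MIN_OS = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}
MAX_POSTURE_AGE_S = 24 * 3600

# Hypothetical mapping from resource to the least-privileged tier allowed to reach it.
RESOURCE_MIN_TIER = {"webmail": WEB, "crm-app": CONTAINER, "file-share": FULL}


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str            # "ios", "android", "windows", "macos"
    os_version: Tuple[int, int]
    mdm_enrolled: bool
    compromised: bool        # jailbroken/rooted, as reported by MDM or an in-app SDK
    disk_encrypted: bool
    corporate_owned: bool
    posture_age_s: int       # seconds since the last posture report


def access_tier(p: DevicePosture) -> Tuple[str, str]:
    """Return (tier, reason). Checks are ordered so the most severe finding wins,
    and anything unknown (stale report, unsupported platform) degrades to
    web-only rather than being treated as healthy."""
    if p.compromised:
        return DENY, "device reports jailbreak/root"
    if p.posture_age_s > MAX_POSTURE_AGE_S:
        return WEB, "posture report stale, treated as unknown"
    if p.platform not in MIN_OS or p.os_version < MIN_OS[p.platform]:
        return WEB, "unsupported platform or OS version"
    if not p.mdm_enrolled:
        return WEB, "unmanaged device"
    if not p.disk_encrypted:
        return CONTAINER, "no device encryption, keep data inside the container"
    if not p.corporate_owned:
        return CONTAINER, "personal device, container only"
    return FULL, "managed, encrypted, corporate-owned device"


def may_access(p: DevicePosture, resource: str) -> bool:
    """Allow a resource only if the device's tier is at least the resource's
    minimum tier. Unknown resources are denied (default deny)."""
    if resource not in RESOURCE_MIN_TIER:
        return False
    tier, _ = access_tier(p)
    return TIER_RANK[tier] >= TIER_RANK[RESOURCE_MIN_TIER[resource]]


# Constructed sample posture records, one per scenario discussed in the post.
SAMPLE_DEVICES = [
    DevicePosture("corp-laptop", "windows", (11, 0), True, False, True, True, 600),
    DevicePosture("personal-iphone", "ios", (17, 2), True, False, True, False, 600),
    DevicePosture("unmanaged-android", "android", (14, 0), False, False, True, False, 600),
    DevicePosture("jailbroken-ipad", "ios", (17, 2), True, True, True, False, 600),
    DevicePosture("stale-macbook", "macos", (14, 1), True, False, True, True, 3 * 24 * 3600),
]


def evaluate_all(devices=SAMPLE_DEVICES) -> dict:
    """Map each device_id to its tier, for reporting or for feeding a network policy."""
    return {d.device_id: access_tier(d)[0] for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        tier, reason = access_tier(d)
        print(f"{d.device_id:18} {tier:10} {reason}")
```

The two design choices worth copying are the ordering (a compromised device is denied before anything else is considered, which is the jailbreak point made earlier) and the handling of missing or stale information: a device the policy engine cannot vouch for is not assumed healthy, it is dropped to the same browser-only tier as an unmanaged device, where no data is stored on the endpoint.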
Cisco Mobile Collaboration Management Service (MCMS) is a cloud service for managing mobile collaboration devices, applications and content across multiple mobile platforms from a single web-based interface. This moves the game from basic MDM to a network-aware collaboration management platform, with video and collaboration becoming the future of the mobile evolution.
BYOD is here to stay. However, it needs careful planning and implementation to make sure you take into account all the security challenges posed by this new breed of mobile devices. Please share your comments and thoughts with me. Follow me on Twitter at GTSI_Architect.