The rise of mobile devices is transforming the way we work, live and play. Employees are increasingly working from a myriad of devices including smartphones, tablets and laptops. Workforces are more mobile and expect to have remote, real-time access to email and networks to enable optimal productivity and lifestyle.
The consumerisation of IT is seeing more and more employees elect to use their own mobile device for business purposes and has created an expectation that they can connect these devices directly to their employer’s network. This creates a gap between managing the privacy of the individual’s device and maintaining the confidentiality and integrity of the business data and systems.
Moreover, smart devices are seen as an extension of an individual’s identity and are implicitly trusted by their users and seen as something to be protected.
Today, IT departments are being required, and in some cases pressured, to accommodate anything from Apple iPads and iPhones to the many variants of Google Android. These devices are expected to work in a seamless way, without limitation to the internet and applications and with immediate and optimal performance.
Managing the impact
This presents great challenges for IT managers who are responsible for managing the complexity and security of networks, but are being forced to accommodate these devices and manage the risks and network performance issues that can come with them.
Adopting a BYOD policy will not only allow IT managers to take the lead in the management of user owned devices on their network and ensure security and network optimisation but will also support new ways of working, new business processes, increased productivity, lower costs and generally improve employee satisfaction.
There are a number of elements to consider for managing a BYOD policy:
- Wireless networks become ‘critical’. With the explosion of devices, all vying for bandwidth and IP addresses, we need to ensure the wireless network can handle two or three devices per person. Make sure you can monitor for interferers and rogue access points; for example, iPads do a very poor job of letting you know whether an access point is genuine or an ad-hoc/rogue network from a laptop.
- End the reliance on endpoint control. If we allow any device into the network, we have to move the authentication and security into the network as well. It is very difficult to get users to install control software on their own devices.
- Authenticate every device. Use technologies like 802.1x to make sure every device is authenticated to the network. We want to associate every device to a user – no authentication means no network access. Preferably have technology that can assess the type of device and check what the security state of the device is before allowing access.
- Log and audit everything. With changes in regulation, companies may become the target of copyright infringement claims from September if they cannot prove which employee or guest actually broke the law.
- Maintain consistent, centralised monitoring and control. Businesses need a centralised management platform that allows administrators to control data access and prevent data loss at both the application and, if possible, device level.
- Secure the traffic. Make sure that all traffic to and from the device is ‘clean and secure’: pass all BYOD traffic through content security and IPS. Make sure guest traffic is also scrubbed (lock down peer-to-peer file sharing, and use content filtering on the web traffic).
- Control the roamers. Implement VPNs for the roaming users, if you haven’t already, and make sure they are also subject to the same authentication and secure traffic requirements above.
- Write a good BYOD policy and enforce it. Ensure any device can meet a minimum set of requirements: auto-lock, auto-wipe after a number of failed logins, remote-wipe and an encrypted file store, among others. Make sure employees understand that if they break corporate policies, including BYOD and acceptable use, you will seize the device and perform forensic analysis to gather evidence and identify any breach of policy.
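The "authenticate every device", "log and audit everything" and "minimum set of requirements" points above fit together as a single admission check: the network learns who the device belongs to, assesses its security state against the policy, and writes one audit line that ties device, user and outcome together. The following is an added illustration written for this article, not code from any vendor or NAC product; the posture fields, the failed-login threshold and the sample device records are all constructed assumptions, since the article names the requirements but gives no values.

```python
"""BYOD admission check: added example, not from the article.

A DevicePosture is a constructed stand-in for what an 802.1X/NAC or MDM
integration would report about a device. Field names and the threshold
below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed policy threshold: the article asks for auto-wipe after "a number
# of failed logins" without stating the number.
MAX_FAILED_LOGINS = 10


@dataclass
class DevicePosture:
    device_id: str                           # MAC address or MDM identifier
    user: Optional[str]                      # identity from 802.1X; None = not authenticated
    auto_lock: bool                          # screen locks automatically
    wipe_after_failed_logins: Optional[int]  # None = auto-wipe not configured
    remote_wipe: bool                        # device enrolled for remote wipe
    storage_encrypted: bool                  # file store is encrypted


@dataclass
class Decision:
    device_id: str
    user: Optional[str]
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(p: DevicePosture) -> Decision:
    """Apply the minimum requirements; every failed check is recorded as a reason."""
    reasons: List[str] = []
    # No authentication means no network access.
    if p.user is None:
        reasons.append("no authenticated user")
    if not p.auto_lock:
        reasons.append("auto-lock disabled")
    if p.wipe_after_failed_logins is None or p.wipe_after_failed_logins > MAX_FAILED_LOGINS:
        reasons.append("auto-wipe after failed logins not enforced")
    if not p.remote_wipe:
        reasons.append("remote wipe unavailable")
    if not p.storage_encrypted:
        reasons.append("file store not encrypted")
    return Decision(p.device_id, p.user, allowed=not reasons, reasons=reasons)


def audit_line(d: Decision, now: Optional[datetime] = None) -> str:
    """One line per decision so the device, the user and the outcome are always linked."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    outcome = "ALLOW" if d.allowed else "DENY"
    reasons = ";".join(d.reasons) if d.reasons else "-"
    return f"{ts} device={d.device_id} user={d.user or '-'} result={outcome} reasons={reasons}"


# Constructed sample posture reports (not real devices).
SAMPLE_DEVICES = [
    DevicePosture("aa:bb:cc:dd:ee:01", "alice", True, 10, True, True),
    DevicePosture("aa:bb:cc:dd:ee:02", "bob", True, None, True, False),
    DevicePosture("aa:bb:cc:dd:ee:03", None, False, 10, False, True),
]


def run_sample() -> List[Decision]:
    """Evaluate the constructed devices and return the decisions."""
    return [evaluate(p) for p in SAMPLE_DEVICES]


if __name__ == "__main__":
    for decision in run_sample():
        print(audit_line(decision))
```

The audit line is deliberately written even for denied devices: the point of "log and audit everything" is that an administrator can later show which user's device was on the network, or was refused, at a given time.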
The path of most security is to deny all employee owned devices, but this has drawbacks. The path of least resistance is to allow all devices onto the network, but this leaves us exposed to security risks. Finding a balance can combine security and productivity, but is certainly not the easiest to manage.
Some of the key risks include:
- Data loss – what happens if the employee loses their device?
- Data theft – smart devices have huge memory capacities and can be relatively cheap: simply connect, copy and dispose.
- Data leaks – with Facebook and Twitter installed on almost every device, it makes it very easy for information to leak out inadvertently.
- Malware/viruses/trojans – we are seeing new attacks pretty much every week against Apple and Android devices.
- Legal liabilities – how do you manage a user who has illegal content on their device and is connecting to your network, or using your network to download illegal content?
The aim is to give users flexibility and freedom, but that doesn’t mean there won’t be some constraints and compliance rules, and it shouldn’t mean IT managers spend all day cleaning up end-user devices. At the end of the day, we are still trying to do business. It can’t be a complete free-for-all.
Helping your customers
As all of your customers begin this journey – and I include the ones who have a ‘deny all’ policy – they will need help in implementing and enforcing the appropriate policies. There is an opportunity for resellers to help enable businesses through this revolution and help customers deliver a better experience with tablets and smart phones while still maintaining security within the network.