This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
The bring your own device (BYOD) movement formally advocates use of personal equipment for work and obligates IT to ensure jobs can be performed with an acceptable level of security, but how can risks be addressed given the range of devices used and the fact that you lack control of the end point?
Companies looking to embrace BYOD -- 44% of firms surveyed by Citrix say they have a BYOD policy in place and 94% plan to implement BYOD by 2013 -- need to address four key areas: 1) standardization of service, not device, 2) common delivery methods, 3) intelligent access controls and 4) data containment.
1. Standardization of service
Standardization is necessary to implement a consistent set of security controls across different platforms while providing the same level of service. Lack of compatibility with security controls can deny legitimate users access to information services and hurt productivity. Solving this issue by adding more access methods can result in weaker security and make the environment more difficult to manage. Instead, companies can give users the service they expect through desktop and application virtualization technologies and terminal servers.
Virtual desktops are hosted on a remote server and emulate a desktop computer to provide access to IT services, including applications and tools users need to do their job. As long as they can connect to the server, users can access their virtual desktop.
Through application virtualization, software is streamed from a server to the end users device, enabling users to access their core business applications from a variety of devices. Application virtualization does not require software installation and applications can be upgraded from the server without interfacing with remote or mobile devices. In some cases, the application can be cached on the device so it will function even when a connection to the server does not exist.
Both virtualization options use terminal server connections to access the remote virtual desktop or application but terminal servers can be used alone to provide consistent access to IT services similar to desktop virtualization. It differs from desktop virtualization, however, in that the applications run on the server operating system instead of a virtualized one. Terminal servers are limited in the services they can provide because not all applications support terminal access and some may behave differently on a terminal than they would on a virtual desktop.
None of these solutions are new so their security models are mature enough to be relied upon for IT services. In fact, these tools return control of end user devices to security practitioners. Restrictions can be placed on systems so the user can neither install other applications nor change the system to introduce vulnerabilities. Since all the activity is performed remotely, the device used to connect does not matter so employees can do their job even if their primary computer is unavailable. Both terminal server and virtualization tools make it easy to restore or clon a machine so user errors result in less impact to productivity and lower support costs.
The caveats: virtualization and terminal servers shift a portion of equipment expenses from the end user to the data center, diminishing the savings ascribed to BYOD. And both solutions increase the impact of link loss, with loss of connectivity greatly impeding employee productivity. [Also see: "Can employee-owned devices save companies money?"]
These solutions may be cost prohibitive for smaller organizations as terminal server licensing can add up quickly and high availability virtual systems and the data centers they reside in can be quite expensive. However, outsourced and cloud-based solutions can offer smaller businesses the opportunity to use such services but the security of such solutions requires serious scrutiny.
2. Common delivery methods
A common delivery method can greatly aid in bringing content to a multitude of devices while avoiding the cost of supporting various services tailored to specific sets of devices. One thing most devices have in common is their support of HTTP and SSL so SSL-based technologies and Web-based applications are being used to bring content to employees no matter what system they use. Additionally, firewall rules can be simplified when services run over SSL instead of other ports.
For example, L2TP, PPTP or IPSec VPNs can be replaced with SSTP (Secure Sockets Tunneling Protocol). Phones, tablets, PCs and Macs all support SSTP so a single form of entry can be established, secured and audited to save money and reduce possible attack vectors. If virtualization or terminal servers are used, the traffic can be encapsulated over SSL.
The common delivery concept can be extended to network shares through Web-based repositories that can be accessed from anywhere. In addition to their accessibility, Web-based repositories offer additional auditing features over network shares and the ability to utilize metadata for searching, data mining and business intelligence.
Similarly, other Web-based applications like Salesforce or Outlook Web Access make key business tools available when and where they are needed, even on personal devices. User experience may vary depending on the browser used, especially for mobile users with smaller displays or tablet users lacking support for features such as Flash, but Web-based applications are accessible from a majority of devices out of the box.
3. Intelligent access controls
The common delivery method makes data that was previously hidden behind many layers of security more accessible to users and appetizing to attackers. The BYOD organization, therefore, needs more intelligent access controls.
Access control decisions are typically based on user role or in some cases by access time or machine designations. Roles define the functions a user performs which are mapped to groups with permission to resources. Thus, a branch accountant might have access to financial data for his or her branch but not to customer data. Time based controls might restrict access to financial data to business hours only and machine designations are lists of allowed or denied machines denoted by name or a unique identifier.
Additional access control factors including device type, NAC profile, and geolocation can be used to make more informed access control decisions in a BYOD environment. With device type restrictions, certain data can be accessed only on approved devices such as company issued laptops or restricted on mobile phones. NAC profile can also play a role in access decisions. Access might be denied to devices that do not have the latest virus definitions or patch levels. [Also see: "NAC access control: A multi-dimensional puzzle"]
Lastly, geolocation features that report a device's global position are built into many new devices and this allows access control systems to grant or deny access based on where the device is in the world. This is especially important in complying with regulations that might stipulate that data not leave the country or when data must be treated differently for certain countries or states, however it is not completely reliable since geolocation data can be modified by the user on their device. If BYOD is in your future, consider adopting applications that support some of these access controls.
4. Data containment
It is almost certain that data exists on personal devices in BYOD organizations. This is a concern for both companies and individuals, necessitating data containment. Companies run the risk that data could be lost if personal devices are shared, compromised or stolen and individuals are concerned that the presence of company data on their devices could result in seizure if the data is part of a legal hold. [Also see: "Corporate-owned vs. employee-owned devices"]
The best method, of course, is to ensure that company data does not reside on personal equipment. Proponents of virtualization and terminal servers argue that data containment is effectively handled when access is through a virtual machine or terminal server because the data a user accesses stays on a machine residing within the corporate network. However, even with virtual desktops, data is sometimes accessed through other channels such as mobile phones and Web applications.
The combination of device encryption and remote wiping technology provides a level of assurance that data will not be purloined before it can be wiped. Encrypted devices increase the amount of time and effort required to obtain data on the device, giving organizations time to erase all data remotely. Devices can also be configured to wipe all data if an incorrect password is used too many times.
DRM (digital rights management) has found new life in the BYOD environment by allowing data owners to specify acceptable actions that can be performed on the data. For example, data can expire after 24 hours after download or data can be read but not printed and functionality like copy and paste can be removed.
In the end, BYOD can create significant savings in equipment and support costs and it can improve employee satisfaction through the use of preferred devices, but it comes with security considerations that should not be taken lightly. If you are considering BYOD, the use of technologies such as virtual desktops and thin computing can effectively provide access and a consistent user experience to users on a variety of platforms.
Furthermore, common delivery methods such as Web-based applications and SSL technologies can make the organization's key applications accessible to business and personal equipment alike. These, coupled with more intelligent access controls, can help companies stay compliant and secure when data is increasingly available while data containment strategies reduce the risk of data loss. Now, when the BYOD policy crosses your desk you will know that the challenge is not insurmountable.
JurInnov is a provider of security, legal and forensic consulting services. The author holds over 25 certifications and is completing a doctorate in information assurance.