Regardless if you call it the consumerization of IT or the bring your own device (BYOD) movement, the trend of people using their own mobile devices to access corporate resources is unstoppable. Some users (guests) simply want to check their social networks, while others (employees) want to connect to their organizations' sales applications and other business apps while on the road. Many organizations have tried to fight the tide, but it's a losing battle.
Let's be honest -- users are controlling the IT security agenda, like it or not. They love their devices and the apps on them, and they want to use them at work. Clearly, vendors and enterprises alike have recognized this is more than a fad and are fueling the secondary driving force behind BYOD: the potential to make and/or save money by capitalizing on the movement.
TECH DEBATE: Dictate the mobile device or let the user decide?
Allowing employees to bring their own devices to work means cost-savings for corporations as it gives them the ability to avoid the expense of buying or leasing the devices themselves. These savings do come at a cost however; personal devices still need to be controlled and managed -- hence the enormous vendor revenue opportunity.
Make no mistake about it, it won't be long before there will be unfathomable numbers of these devices to control and manage throughout the corporate world. In a recent report, Gartner predicted that 90% of businesses will support corporate applications on mobile devices by 2014. And Cisco survey data suggests that we can expect to see 3.47 devices per person in 2015 and a whopping 6.58 devices per person in 2020. This begs the question: How many devices per person will the enterprise ultimately need to manage?
With this in mind, let's take a look at the basic options for addressing the BYOD phenomenon. With minor investments and relatively simple changes to infrastructure and processes, organizations can choose to:
- Block all devices that have not been provisioned by the corporation.
- Block none of the devices, regardless of their origins (note: I specifically chose this phrase over "enable all devices" as it better expresses the risk involved in letting anything access the network). [Also see: "Young employees say BYOD a 'right' not 'privilege'"]
- Or, control access for some of the devices, granting or blocking access to resources based on need and risk.
BACKGROUND: A sampling of BYOD user policies
Addressing BYOD by itself makes little to no sense as BYOD is not really a business objective, but rather a movement, not to mention a very narrow way of looking at connected systems. Therefore, it seems likely that the BYOD marketing phrase will lose its charm within a few years, if not sooner, leaving us with the real challenge: secure mobility. The real need is to enable secure access to only relevant resources from any and all securely managed devices and locations. In other words, while it's important for organizations to manage device access to their networks, it's even more important to manage what these devices can and can't do while they have access, an approach combining "mobile device management" (MDM) and "mobile application management" (MAM).
With this groundwork laid, it's important to note that secure mobility isn't limited to only those devices owned and brought into the office by employees, partners or guests; it also includes corporate-provisioned and personally owned home office desktops, laptops and any other network-connected devices available now or in the future (i.e., the Amazon Kindle, Apple TV, or maybe even the Sony PlayStation).
It's also important to understand that BYOD and MDM/MAM are two very different things and should be viewed as complementary. BYOD is about access for mobile devices, and MDM/MAM provides the option for establishing granular control over these mobile devices and their applications after they join the corporate network and/or while they are being disconnected from the network.
Protecting the organization's network and its data from attack and misuse requires more than just a BYOD mentality; establishing secure, mobile-enabled operations requires a mobility access control program that includes corporate-provisioned, approved employee- and partner-owned devices as well as unmanaged guest devices.
So, what are the end-to-end secure mobility requirements? Here's my take:
- Control access, using different levels for different devices, different OSs, different connections (wired/wireless), different users, etc.
- Manage authentication to the devices to ensure the device is being used by its intended owner.
- Ensure devices comply with defined policies (corporate/regulatory) -- validating items such as the device's unique International Mobile Equipment Identity (IMEI) number, expected OS version, rooted or jailbroken status, and specific applications installed or missing.
- Quarantine and remediate policy exceptions.
- Develop applications for the highest level of assessment and control, leveraging (near-)native OS application development methods as opposed to abstraction-based platforms.
- Manage devices once connected (using MDM tools) and the applications that run on them (using MAM).
- Utilize deep packet inspection, even when SSL-encrypted sessions are in place, in order to protect the network from malicious activity routed through devices that have been rooted, applications that have been compromised with malicious code, or devices and applications that are being misused.
- Protect confidential and sensitive data from loss and theft (SSL encrypted sessions and application control).
"It is imperative that organizations take a holistic approach to secure mobility, including device management and protection, network and data access control, and network protection," says Dmitriy Ayrapetov, director of product management for Dell SonicWALL.
Unfortunately however, due to the complexity involved, there are currently only a few vendors that can and do deliver an integrated stack to facilitate the end-to-end secure mobility scenario. There are even fewer vendors out there that can provide native support for each major mobile OS (Android, BlackBerry, iOS and Windows) as part of the integrated offering. It will be interesting to see how the market landscape evolves over the next six to 12 months.
"BYOD is not too different from the mobile laptop movement 10 years ago; it's a new platform problem -- a control problem -- a perimeter problem -- an infrastructure challenge in meeting the demand of increased numbers of mobile devices residing and acting on the network," said ChengWei Cheng, technology evangelist at Hitachi-ID. "Device-based authentication really needs to be identity-based access control as well because, as soon as someone takes the device, they could assume the device owner's identity."
In the meantime, organizations shouldn't wait to tackle the challenge. They should begin by building focused plans for delivering secure mobility using implementation roadmaps that match their business requirements and environments. Below is one such strategy:
* Define the business strategy and requirements: Are you running a hospital that enables doctors to use their own iPads? Or, are you running an airline that provides the gate agents with company-owned Android tablets?
* Assess the current operating environment: Do you already have a home employee and mobile laptop access control program in place? Can your infrastructure handle more than one device per user?
* Design, research, and pilot: Find a handful of solutions that meet your requirements and that work within and/or extend your infrastructure. Whittle the list down to the top two or three and conduct a pilot with a few user groups.
* Deploy the solution in stages: Identify clusters to hit based on business use, business risk, device type, user maturity, physical location and other user/device/business attributes, and then prioritize, deploy and validate.
"IT administrators face increasingly sophisticated consumer devices accessing their networks, forcing a shift from a traditionally conservative stance on corporate devices to one that is more progressive," says Ayrapetov, whose company recently announced a new release of its SRA EX9000 appliance and Mobile Connect client to provide secure access for users of Windows, Windows Mobile, Apple Mac OS and iOS, Google Android and Linux systems. "The time-window for device approval and validation in most networks will shorten drastically, making it imperative that the IT security industry step up to meet the demand of IT administrators to solve these challenges."
If organizations continue to embrace BYOD and recognize that a comprehensive secure mobility program will be required to proceed, we should see great IT security successes in the near future. Of course, success in driven in part by the manufacturers of these devices, and the security vendors helping to manage and protect them.
Martin is a CISSP and the founder of imsmartin consulting. Write him at firstname.lastname@example.org.