
BYOD is a user-driven movement, not a secure mobile device strategy

By Sean Martin, a CISSP and the founder of imsmartin consulting, Network World
July 06, 2012 02:50 PM ET

Whether you call it the consumerization of IT or the bring your own device (BYOD) movement, the trend of people using their own mobile devices to access corporate resources is unstoppable. Some users (guests) simply want to check their social networks, while others (employees) want to connect to their organizations' sales applications and other business apps while on the road. Many organizations have tried to fight the tide, but it's a losing battle.

Let's be honest -- users are controlling the IT security agenda, like it or not. They love their devices and the apps on them, and they want to use them at work. Clearly, vendors and enterprises alike have recognized this is more than a fad and are fueling the secondary driving force behind BYOD: the potential to make and/or save money by capitalizing on the movement.


Allowing employees to bring their own devices to work means cost savings for corporations, since it lets them avoid the expense of buying or leasing the devices themselves. These savings come at a cost, however: personal devices still need to be controlled and managed, hence the enormous vendor revenue opportunity.

Make no mistake about it, it won't be long before there will be unfathomable numbers of these devices to control and manage throughout the corporate world. In a recent report, Gartner predicted that 90% of businesses will support corporate applications on mobile devices by 2014. And Cisco survey data suggests that we can expect to see 3.47 devices per person in 2015 and a whopping 6.58 devices per person in 2020. This raises the question: How many devices per person will the enterprise ultimately need to manage?

With this in mind, let's take a look at the basic options for addressing the BYOD phenomenon. With minor investments and relatively simple changes to infrastructure and processes, organizations can choose to:

- Block all devices that have not been provisioned by the corporation.

- Block none of the devices, regardless of their origins (note: I specifically chose this phrase over "enable all devices" as it better expresses the risk involved in letting anything access the network).

- Or, control access for some of the devices, granting or blocking access to resources based on need and risk.


Addressing BYOD by itself makes little to no sense, as BYOD is not really a business objective but a movement, and a very narrow way of looking at connected systems at that. It therefore seems likely that the BYOD marketing phrase will lose its charm within a few years, if not sooner, leaving us with the real challenge: secure mobility. The real need is to enable secure access to only the relevant resources from any and all securely managed devices and locations. In other words, while it's important for organizations to manage device access to their networks, it's even more important to manage what these devices can and can't do while they have access, an approach combining "mobile device management" (MDM) and "mobile application management" (MAM).

With this groundwork laid, it's important to note that secure mobility isn't limited to only those devices owned and brought into the office by employees, partners or guests; it also includes corporate-provisioned and personally owned home office desktops, laptops and any other network-connected devices available now or in the future (e.g., the Amazon Kindle, Apple TV, or maybe even the Sony PlayStation).

It's also important to understand that BYOD and MDM/MAM are two very different things and should be viewed as complementary. BYOD is about access for mobile devices; MDM/MAM provides the option of establishing granular control over these mobile devices and their applications after they join the corporate network, and of keeping that control (for example, over stored data and installed apps) once they leave it.

Protecting the organization's network and its data from attack and misuse requires more than just a BYOD mentality; establishing secure, mobile-enabled operations requires a mobility access control program that covers corporate-provisioned devices, approved employee- and partner-owned devices, and unmanaged guest devices.

So, what are the end-to-end secure mobility requirements? Here's my take:

- Control access, using different levels for different devices, different OSs, different connections (wired/wireless), different users, etc.

- Manage authentication to the devices to ensure the device is being used by its intended owner.

- Ensure devices comply with defined policies (corporate/regulatory) -- validating items such as the device's unique International Mobile Equipment Identity (IMEI) number against the inventory, the expected OS version, rooted or jailbroken status, and specific applications that must be installed or must be absent.

- Quarantine and remediate policy exceptions.

- Develop applications for the highest level of assessment and control, leveraging (near-)native OS application development methods as opposed to abstraction-based platforms.

- Manage devices once connected (using MDM tools) and the applications that run on them (using MAM).

- Utilize deep packet inspection, even when SSL-encrypted sessions are in place, in order to protect the network from malicious activity routed through devices that have been rooted, applications that have been compromised with malicious code, or devices and applications that are being misused. Note that inspecting SSL traffic means the gateway must terminate and re-originate the session using a CA certificate the device trusts (typically pushed by MDM), and that apps which pin their server certificates will refuse to connect through such a gateway.

- Protect the devices from attack and misuse over 3G/4G connections and public networks/hotspots.

- Protect confidential and sensitive data from loss and theft (SSL encrypted sessions and application control).
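The access-control, compliance and quarantine requirements above amount to a posture check that every connecting device goes through before it is placed in an access tier. The following is an added example, not code from the article or from any vendor product, showing one way to encode such a policy: the IMEI is first checked for a valid Luhn check digit and then looked up in a device inventory, the OS version is compared against a per-platform minimum, root/jailbreak status and required/forbidden apps are evaluated, and the resulting tier is further capped by the connection type. All policy values, app identifiers and IMEIs are constructed for illustration.

```python
"""Device-posture evaluation for tiered mobile access (added example).

Encodes the checks in the requirements list: tiered access by user role,
device ownership and connection; compliance against OS version, rooted or
jailbroken status, IMEI and installed apps; quarantine with remediation
reasons. Every policy value and identifier below is constructed.
"""
import re
from dataclasses import dataclass

# --- Constructed policy (hypothetical values, not from a real deployment) ---
MIN_OS_VERSION = {"ios": (5, 1, 1), "android": (4, 0, 4)}
REQUIRED_APPS = {"com.example.mdm-agent"}        # hypothetical MDM/MAM agent
FORBIDDEN_APPS = {"com.example.tether-bypass"}   # hypothetical blocked app
CORPORATE_IMEIS = {"490154203237518"}            # constructed inventory

# Access tiers, most to least privileged.
FULL, BUSINESS_APPS, PARTNER_PORTAL, INTERNET_ONLY, QUARANTINE = (
    "full", "business_apps", "partner_portal", "internet_only", "quarantine")
TIER_ORDER = [FULL, BUSINESS_APPS, PARTNER_PORTAL, INTERNET_ONLY, QUARANTINE]

# The connection type caps the tier: a public hotspot never gets full access.
CONNECTION_CAP = {"wired": FULL, "corporate_wifi": FULL,
                  "vpn": BUSINESS_APPS, "public": INTERNET_ONLY}


@dataclass(frozen=True)
class Device:
    imei: str
    os: str               # "ios" | "android" | ...
    os_version: str       # dotted string as reported by the agent, e.g. "5.1.1"
    jailbroken: bool      # rooted/jailbroken as reported by the agent
    apps: frozenset       # installed package identifiers
    owner_role: str       # "employee" | "partner" | "guest"
    connection: str       # key of CONNECTION_CAP


def luhn_valid_imei(imei: str) -> bool:
    """An IMEI is 15 digits; the last digit is a Luhn check digit."""
    if not (imei.isdigit() and len(imei) == 15):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_version(v: str) -> tuple:
    """'5.1.1' -> (5, 1, 1); a non-numeric suffix such as '4.1.2-beta' is dropped."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def compliance_failures(dev: Device) -> list:
    """Return remediation reasons, in check order; an empty list means compliant."""
    reasons = []
    if not luhn_valid_imei(dev.imei):
        reasons.append("imei_invalid")
    if dev.jailbroken:
        reasons.append("rooted_or_jailbroken")
    minimum = MIN_OS_VERSION.get(dev.os)
    if minimum is None:
        reasons.append("unsupported_os:" + dev.os)
    elif parse_version(dev.os_version) < minimum:
        reasons.append("os_below_minimum:" + dev.os_version)
    for app in sorted(REQUIRED_APPS - dev.apps):
        reasons.append("missing_required_app:" + app)
    for app in sorted(FORBIDDEN_APPS & dev.apps):
        reasons.append("forbidden_app:" + app)
    return reasons


def lower_tier(a: str, b: str) -> str:
    """Return the less privileged of two tiers."""
    return a if TIER_ORDER.index(a) >= TIER_ORDER.index(b) else b


def evaluate(dev: Device) -> tuple:
    """Return (tier, reasons). Guests skip posture checks but only reach the internet."""
    if dev.owner_role == "guest":
        return INTERNET_ONLY, []
    reasons = compliance_failures(dev)
    if reasons:
        return QUARANTINE, reasons   # remediate, then re-evaluate
    if dev.owner_role == "partner":
        tier = PARTNER_PORTAL
    elif dev.imei in CORPORATE_IMEIS:
        tier = FULL                  # corporate-provisioned device
    else:
        tier = BUSINESS_APPS         # personal device: MAM-wrapped apps only
    cap = CONNECTION_CAP.get(dev.connection, INTERNET_ONLY)
    return lower_tier(tier, cap), []


if __name__ == "__main__":
    # Constructed sample: an employee's personal Android phone over VPN.
    phone = Device("356985234576892", "android", "4.0.4", False,
                   frozenset({"com.example.mdm-agent"}), "employee", "vpn")
    print(evaluate(phone))
```

Two things in this layout are worth copying into a real program. Compliance failures are returned as a list rather than a boolean, so the quarantine network can tell the user exactly what to fix (update the OS, install the agent, remove an app) before the device is re-evaluated. And the connection type is applied as a cap after the ownership decision, so a fully compliant corporate device on a public hotspot is still held to internet-only access, which is the kind of "different levels for different connections" the first requirement asks for.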

"It is imperative that organizations take a holistic approach to secure mobility, including device management and protection, network and data access control, and network protection," says Dmitriy Ayrapetov, director of product management for Dell SonicWALL.

Unfortunately, due to the complexity involved, there are currently only a few vendors that can and do deliver an integrated stack for the end-to-end secure mobility scenario. There are even fewer vendors that can provide native support for each major mobile OS (Android, BlackBerry, iOS and Windows) as part of the integrated offering. It will be interesting to see how the market landscape evolves over the next six to 12 months.
