How to cope with BYOD

Feature by Rob Buckley

The cloud, mobile device management and virtualisation are riding to the rescue of organisations faced with the inevitability of 'bring your own device'. By Rob Buckley.

Sponsor's comment

Your mobile solution
AirWatch covers the full spectrum of mobile assets.

The mobile explosion shows no evidence of waning, continuing to create new enterprise challenges and risks. While managing mobile devices – ranging from tablets to smartphones to ultrabooks – is important, perhaps even more so is the management and security of the complete spectrum of mobile assets, including mobile applications, content, and email. The AirWatch solution provides a comprehensive platform for managing all mobile assets. From a single console, administrators using AirWatch can manage both shared and employee-owned devices around the globe. With secure mobile access points, employees are empowered to work regardless of location while maintaining standards set forth in IT policies.

Mobile devices are ubiquitous in today's society – so much so, people rarely stop and consider the vulnerability these devices pose. With the growing belief that mobility is a right, not a privilege (witnessed in the explosion of BYOD in the work environments), organisations need a comprehensive security solution that not only tracks devices but safeguards them against unintended data usage or outright theft. AirWatch's mobile security solution ensures enterprise mobility deployments are secure and proprietary information is protected. AirWatch's advanced features provide end-to-end security that extends to the user, device, application, content, data and network levels. Using proprietary architecture, AirWatch is designed for scalability as an organisation's mobile demands increase. This means the same advanced security functionality is in place regardless of fleet size. Internal research confirms that AirWatch's scalable architecture is the only platform capable of supporting 25,000-plus device deployments in the industry.

For many organisations, bring your own device (BYOD) is not a decision they get to make for themselves: employees are already doing just that. Instead, CIOs and CSOs have to choose either to ban a practice already in motion or to embrace it. There are clear security issues to consider, but with the right technologies in place these can be eliminated, or at least reduced to an acceptable level.

Providing mobile access to corporate resources requires supervision and, above all, two technologies that are preferably integrated with one another: authentication and network access control (NAC). Authentication allows employees to prove they have permission to access the network and its resources, while NAC determines which devices can be used to do this.

A big advantage of mobile devices is that they can become an authentication mechanism in themselves, either through text messages containing one-time passwords or through applications that act as secure tokens. However, second-factor authentication systems, such as fingerprint and card readers, may not work, and not merely because there's no USB port for them to plug into.

“The first pillar of discussion has to be how you secure the network, who has access to what, etc. NAC technologies are key,” says Juniper Networks senior director of solutions marketing EMEA Paul Gainham. For compliance, he says, NAC systems can also maintain an audit trail that can be integrated with GRC or log management systems. Ian Foddering, CTO at Cisco UK and Ireland, adds that smarter solutions can also keep track of where people are accessing resources from. If someone accesses from a mobile device internally one minute, and then apparently tries to access data from another mobile device in another country a few minutes later, that access can be shut down.
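The location check Foddering describes, written out as an added example rather than any vendor's code: each access record carries a user, a device and a geolocation, and an access that would have required travelling faster than an assumed ceiling from the user's previous access is flagged. The log format, the coordinates and the 900 km/h limit are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed

@dataclass
class Access:
    when: datetime
    user: str
    device: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def parse_line(line):
    """Constructed format: '<ISO timestamp> <user> <device> <lat> <lon>'."""
    ts, user, device, lat, lon = line.split()
    return Access(datetime.fromisoformat(ts), user, device, float(lat), float(lon))

def impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, device, implied km/h) for every access that could not have
    been reached from the same user's previous access at a plausible speed."""
    last, alerts = {}, []
    for rec in sorted((parse_line(line) for line in lines), key=lambda r: r.when):
        prev = last.get(rec.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, rec.lat, rec.lon)
            hours = (rec.when - prev.when).total_seconds() / 3600
            # Two places at the same instant count as infinitely fast travel.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                alerts.append((rec.user, rec.device, kmh))
        last[rec.user] = rec
    return alerts

# Constructed sample: alice appears in London from one device, then in Sydney
# from another five minutes later; bob moves a few streets within London.
SAMPLE_LOG = [
    "2012-06-01T09:00:00 alice device-a 51.5074 -0.1278",
    "2012-06-01T09:00:30 bob device-c 51.5074 -0.1278",
    "2012-06-01T09:05:00 alice device-b -33.8688 151.2093",
    "2012-06-01T09:10:00 bob device-c 51.5155 -0.0922",
]
```

Calling `impossible_travel(SAMPLE_LOG)` flags only alice's second access; a real deployment would feed the alert to the NAC so the session can be shut down, as the article describes.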

NAC systems can also maintain a unified access policy whereby every device connects in the same way, requiring no additional training for the end-user.

The sticking point for most organisations, however, is corporate data. If a device containing sensitive information is lost, that's an obvious security issue that could cost the organisation considerably, either through direct financial loss or damage to reputation.

While most devices have encryption capabilities, older ones might not, and there is no guarantee that the employee will have chosen a strong passcode to lock their device, or that there is a short enough ‘time-out’ to make it worthwhile.

There are three solutions to this and other BYOD problems: the cloud, mobile device management (MDM) and virtualisation.

The cloud and MDM
Garry Sidaway, director of global security strategy at Integralis, says: “The cloud is compelling organisations to look at the way they devise solutions. Anything with a network cable is going to be a legacy device next year – everything is going to this mobile environment. Security now needs to be embedded in the application, and the cloud means you won't need VPN access or anything else.”

With data, access and applications all in the cloud, the risk of data loss is significantly reduced and possibly even eliminated, Sidaway adds.

With an MDM solution, which typically includes aspects of NAC, it is possible to install software onto a device that determines whether encryption is enabled and working correctly – and fix the issue if it's not – and remotely wipes the device if it falls into the wrong hands. The organisation can either track the device so it can be recovered, or remove all the data from it so that it's no longer a security problem. It can also determine devices' operating systems, patches, anti-malware software, level of access, whether they have been ‘jailbroken’ and more.
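The posture checks listed here and the passcode and time-out concerns raised earlier, combined into one policy evaluation of the kind an MDM or NAC agent performs before a device is let onto the network. This is an added example, not any product's logic: the device fields, the minimum OS version, the six-character passcode and the five-minute time-out are all assumed, and which failures are treated as fixable by the agent versus blocking is an assumption too.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    os_version: tuple            # e.g. (5, 1) for a constructed "5.1" release
    encryption_enabled: bool
    passcode_length: int
    autolock_seconds: int
    jailbroken: bool
    antimalware_running: bool

@dataclass
class Policy:
    min_os_version: tuple = (5, 0)    # assumed oldest acceptable (patched) release
    min_passcode_length: int = 6      # assumed
    max_autolock_seconds: int = 300   # assumed five-minute time-out
    require_antimalware: bool = True

@dataclass
class Verdict:
    decision: str                     # "allow", "remediate" or "block"
    failures: list = field(default_factory=list)

def evaluate(device, policy):
    """A jailbroken or unpatched device is blocked outright; encryption,
    lock-screen and anti-malware gaps can be fixed by the agent, so the
    device is held for remediation; a device that passes everything is allowed."""
    blocking, fixable = [], []
    if device.jailbroken:
        blocking.append("jailbroken")
    if device.os_version < policy.min_os_version:
        blocking.append("os below minimum version")
    if not device.encryption_enabled:
        fixable.append("encryption disabled")
    if device.passcode_length < policy.min_passcode_length:
        fixable.append("passcode too short")
    if device.autolock_seconds > policy.max_autolock_seconds:
        fixable.append("auto-lock time-out too long")
    if policy.require_antimalware and not device.antimalware_running:
        fixable.append("anti-malware not running")
    if blocking:
        return Verdict("block", blocking + fixable)
    if fixable:
        return Verdict("remediate", fixable)
    return Verdict("allow")

# Constructed inventory records, as an MDM agent might report them.
COMPLIANT = Device("dev-1", (5, 1), True, 8, 120, False, True)
UNENCRYPTED = Device("dev-2", (5, 1), False, 4, 900, False, True)
JAILBROKEN = Device("dev-3", (4, 3), True, 8, 120, True, True)
```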

More advanced MDMs can also integrate with Active Directory and other technologies, so access can automatically be provisioned if a new employee joins and, if one leaves, not only will data be removed from relevant devices, but so too will access to the network.

The issues here are the installation of the software and the fact that, if the device is owned by the employee, it will also hold personal data. Suitable NAC, access gateways or MDM software can force users to install the software themselves if they wish to access the network, pointing employees to corporate or public app stores. One benefit of this over a corporate roll-out is that IT won't have to support the installation itself, which is particularly useful for those with fewer resources: few devices support remote installation of patches or OS upgrades, for example, but employees using their own devices will be used to doing this themselves. In a corporate roll-out, the onus will be on IT to update devices.

However, one issue that a corporate device roll-out doesn't face is the merging of personal and corporate data on one device. Anyone leaving the organisation or losing their device will need to have their equipment wiped, while others may worry that the organisation is ‘snooping’ on their personal data. Some MDMs tackle this by segregating data, so corporate data resides within one area of the device or within specific apps, and only this is deleted in the event of a remote wipe.

“With AbsoluteSafe, you can go to a client meeting, use an iPad as your main tool and IT will push out files to you,” says Absolute Software vice president of global marketing Stephen Midgeley. “You can have that on a five- to 15-minute timer, after which the app turns off and the data is no longer on the device.” Similarly, at the end of the device's lifespan, all data can be removed en masse, Midgeley adds.

This segregation is usually only available on certain types of devices or through alternatives to standard applications that may be unfamiliar to the user. However, according to Dimension Data security business manager Chris Jenkins, certain MDMs are now offering a degree of granularity in wiping: “You can specify which apps' data gets wiped.”

Segregation can also be a problem when integrating with other applications: can a user open and work on a Word document they've been sent by email within their favourite app, or can they merely view the attachment? In the case of the former, what happens if that app is also capable of uploading the edited document to Dropbox rather than the preferred secure file exchange service? In the case of the latter, does that defeat the point of BYOD and corporate roll-outs if users can't work on their preferred devices or have access to the full range of apps?

Some organisations use MDM to lock down the device so it can't use certain apps. With a corporate roll-out, that may not be a problem, although it could reduce employees' efficiency if they are used to using certain programs. Zenprise chief marketing officer Ahmed Datoo says it's a mistake, at least with BYOD. “If you've spent £300 of your own money on a device, but the BYOD policy says you can't install Facebook and can only use corporate mail, you're not going to want to use it for work any more,” he says.

It's advisable to find out how users intend to use their devices and to see whether the most popular workflows can be achieved securely.

The virtualisation solution
To a large extent, virtualisation can remove the problems of data loss. By having all data and corporate applications hosted on servers and merely giving users a ‘window’ into these resources, IT can ensure no data ever leaves the organisation and can give mobile users the same level of access as exists on corporate devices.

Many virtualisation vendors, such as VMware and Citrix, are embracing mobile devices, so users can download free viewer apps and authenticate in the same way as other users without additional layers of security to go through. Indeed, the latest versions of some virtualisation tools include access and authentication gateways of their own so that no additional, mobile-specific technologies need to be added.

How well virtualisation works with mobile devices usually depends on the organisation and its employees. Some may not like using a Windows desktop on an iPad, for example – a reverse of the usual situation where a corporate application accessed on an iPad might not work well or at all, something that also needs considering by CIOs when rolling out a mobile device policy.

“The worst thing I ever saw was Windows 7 on an iPhone,” says O2 head of innovation Andy Roberts. “That's crazy. It's got to be a native experience. If you're using an iPad, it has to look like an iPad. I didn't want a clunky virtual desktop.”

According to Information Security Forum (ISF) global vice president Steve Durbin, many executives will also “swear blind” that they absolutely need to have data on their own devices, and not just on a virtual desktop. What's more, virtualisation will only work when there is unhindered internet access, which might not always be the case.

Morten Grauballe, European vice president of corporate development and strategy at Red Bend Software, points out that performance can be an issue for virtualisation software hosted on top of an OS. His company is going to pilot a virtualisation environment for Android phones that will run parallel to the OS through a hypervisor. “When CIOs hear about that, they're happy, because it's just what they're used to on the server,” he says. That option, however, won't be available until next year at the earliest, and won't be available for iPhones, BlackBerrys et al, making it a better bet for corporate roll-outs of devices that employees can also use as their own, rather than BYOD.

Another problem with virtualisation is potential shortcuts around the environment. If users are able to access corporate emails outside the virtual environment, that's at least one potential avenue of data loss that will need to be mitigated against separately, perhaps by deploying document-level security, suggests Terry Greer-King, UK managing director at Check Point.

So virtualisation is certainly not a panacea. Indeed, a hybrid approach between virtualisation and segregated devices could be necessary. “You need flexibility in the way you deploy that takes account of who it is, where they are and more,” says Fortinet director of strategic solutions Graeme Nash.

Thanks to its advantages, BYOD is likely here to stay, and with the right technical precautions, it's possible to implement it securely and effectively. But without those measures, it can prove a liability and potential area of difficulty for compliance and many other areas of corporate responsibility.

Nevertheless, says the ISF's Durbin: “You need to go into this with your eyes open. BYOD is never going to be 100 per cent secure. You're almost kidding yourself if you think MDM is going to make everything hunky-dory. By their very nature, mobile devices are designed for consumers, not for corporate use, so they bring with them inherent risk.”

Case study: Colt

According to Chris Hewertson, CIO of IT services provider Colt, the company never set out to implement BYOD – it “just stumbled upon it”. The company was in the middle of a major IT transformation programme, with a “perfect storm” of technology needing upgrading, including WAN, LAN, desktops, laptops and more. But rather than simply upgrading everything and looking at reducing costs, Colt chose to look at how best to help its employees.

Initially, the choice offered was simply one of when and where to work, but with the upgrade plan settling on virtual desktops running on VMware as the best way to upgrade everyone to Windows 7, employees were allowed to decide which devices they would like to use.

“By going down the virtual desktop route, we can provide that desktop on any device,” says Hewertson. IT then worked with Colt's HR and legal departments to develop a BYOD policy.

At the moment, 2,000 employees have the option of using their own device, and this will have expanded to 5,000 by the end of November. “We use two-factor authentication, with CryptoCard on the employee's phone and Microsoft User Access Gateway to provide secure access if they're not on the network.”

Without VMware, he says he wouldn't have been confident about BYOD. “I'm more confident that a laptop can be secured than I am that an Android mobile phone can, unless it has a nicely sandboxed secure application. [With VMware], I don't care what they put on that network.”

