Comment: A Tiered Approach to BYOD Fulfillment

Scott Gordon discusses the benefits of a tiered mobile security strategy

Enterprise mobility presents new IT challenges and security threats regarding end point management, safeguarding network resources and protecting sensitive data. You can’t ignore the iPad here, the Android smartphone over there, a consultant with a tethered laptop or the occasional personal WiFi access point blip – it’s the tip of the IT consumerization iceberg.

I define Bring Your Own Device (BYOD) as the extent to which an IT organization prohibits, tolerates, supports or embraces the use of personal mobile devices, as well as the technical and non-technical controls that enable and enforce the policy. There are a variety of non-technical controls – such as issuing an acceptable use policy (AUP) – that outline parameters for mobile device use by employees and third parties.

There is no one-size-fits-all answer for BYOD and technical controls. While mobile device management (MDM) tools are among the technologies that have captured the BYOD limelight, the best practice of employing a layered security model can and should be applied to BYOD.

The IT department should determine specific cases that are more susceptible to security issues, have high data leakage risks, or pose a greater threat of violating access control policies. Putting things into perspective, one should ask if syncing email to personal mobile devices is significantly riskier than syncing email with corporate-provisioned PCs. If so, then at what cost can an organization afford and administer such protection? More likely, the organization will conclude that it should apply the right level of security based on user, device, application, network, data, risk and cost – a tiered mobile security strategy.

For some organizations, this involves network access control (NAC) and wireless access points (WAPs) for guest management. Other organizations may employ NAC, WAP and virtual desktop infrastructure (VDI) as a means to control contractors’ use of their PCs while ensuring that apps and data stay within tighter corporate control. On the application front, organizations are employing mobile application management (MAM) and mobile application protection (MAP) tools to reduce application-level security threats.

While plenty of these three-letter technologies exist, let’s examine the relationship between NAC and MDM as applied to a tiered security strategy. NAC identifies and classifies network devices and applies access control policies to network resources based on a variety of security criteria. Moreover, NAC is able to identify unmanaged devices and apply policies, ranging from guest management to MDM enrolment. As a result, NAC serves as a foundation for BYOD to ensure that:

  • Unknown or prohibited mobile devices do not connect to your network;
  • Network-based controls remain intact to complement device controls; and
  • Security teams gain visibility and control across all types of devices and use cases.

Next-generation NAC can apply similar, or even greater, mobile security controls to smartphones and tablets as it applies to PCs. Mobile security compliance can include: password strength, configuration, activated encryption, email and other applications, acceptable wireless access points, as well as wipe and lock. This ‘mobile NAC’ functionality often addresses the majority of an organization’s BYOD requirements at a low administration impact and cost.

Many enterprises are exploring, or have already deployed, an MDM system to gain end-to-end mobile device lifecycle management and stronger device-level application and data protection. An MDM solution offers an integrated set of functions to manage corporate or personal mobile devices that includes: device provisioning/de-provisioning, over-the-air configuration, certificate management, email and app management, app portals, document management, security management and expense management. Nevertheless, a NAC/MDM combination has significant advantages, including:

  • Unmanaged mobile devices: MDM tools can only see what they are managing. NAC can provide visibility into personal mobile devices that are not managed.
  • Enrolment: NAC can automate the enrolment process for new devices, saving time and resources and also improving the security of the network by ensuring that only enrolled devices are admitted.
  • On-demand profiling: MDM systems routinely check if the configuration of a mobile device matches a defined policy. This profile scan is done at various intervals so that battery life is preserved. This opens up a security risk gap between when a device is on a network and when it was last scanned. NAC can trigger a fresh MDM policy scan the moment a mobile device tries connecting to a network.
  • Unified visibility and policy management: With NAC and MDM, a security operator who may be involved in both MDM purchases and policy creation, but does not have daily operational access, can now see and control everything in one console.

The following scenario is an example of how a tiered level of service for BYOD could work. A user has a personal iPad that they bring into the workplace. The employee attempts to access the corporate network using their existing authentication credentials. The NAC security system automatically identifies the user and system as they attempt to access a corporate Wi-Fi connection. The browser session is hijacked and the user is presented with a guest registration. At this point, the user’s device is automatically placed on a segregated network.

After agreeing to an AUP, the user is prompted to install a security applet. Once installed, the company’s mobile security policy is in effect, blocking the use of a rooted device, enforcing the use of stronger passwords, assuring proper activation of encryption, associating corporate email access with a corporate profile, and so on. The user would then be moved out of a guest VLAN, and be granted additional access to network resources.
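The admission flow in this scenario, combined with the on-demand profiling point made earlier, as an added sketch that is not from the article or from any vendor's product. Tier names, field names, the 300-second scan-age threshold and the choice to block rooted devices outright are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Tier names and the scan-age threshold are assumptions for this sketch,
# not values from any NAC or MDM product.
BLOCK, GUEST, CORPORATE = "block", "guest-vlan", "corporate-vlan"
MAX_SCAN_AGE_S = 300

@dataclass(frozen=True)
class Device:
    user_authenticated: bool
    prohibited_type: bool = False
    aup_accepted: bool = False
    agent_installed: bool = False
    rooted: bool = False
    encrypted: bool = False
    passcode_ok: bool = False
    scan_age_s: Optional[int] = None  # None means the device was never scanned

def admit(dev: Device, rescan: Callable[[Device], Device]):
    """Return (tier, reasons) for a device at connect time."""
    if not dev.user_authenticated or dev.prohibited_type:
        return BLOCK, ["unknown user or prohibited device"]
    # Registration steps still outstanding keep the device on the guest segment.
    pending = [step for step, done in (("accept AUP", dev.aup_accepted),
                                       ("install security agent", dev.agent_installed)) if not done]
    if pending:
        return GUEST, pending
    # Close the gap between the last periodic scan and this connection attempt.
    if dev.scan_age_s is None or dev.scan_age_s > MAX_SCAN_AGE_S:
        dev = rescan(dev)
    if dev.rooted:
        return BLOCK, ["rooted device"]
    failed = [fix for fix, ok in (("enable encryption", dev.encrypted),
                                  ("set stronger passcode", dev.passcode_ok)) if not ok]
    return (GUEST, failed) if failed else (CORPORATE, [])

# Constructed sample: the stale record looks compliant, the fresh scan finds a rooted device.
def fake_rescan(dev: Device) -> Device:
    return replace(dev, rooted=True, scan_age_s=0)

new_ipad = Device(user_authenticated=True)
enrolled = Device(True, aup_accepted=True, agent_installed=True,
                  encrypted=True, passcode_ok=True, scan_age_s=30)
stale = replace(enrolled, scan_age_s=86400)

if __name__ == "__main__":
    for label, d in (("new iPad", new_ipad), ("enrolled", enrolled), ("stale scan", stale)):
        print(label, admit(d, fake_rescan))
```

The third sample shows why the connect-time rescan matters: judged on its day-old record the device would land on the corporate segment, while the fresh posture blocks it.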

In the end, IT security and risk professionals are tasked with serving business interests. Employees and authorized third parties want to use the devices they love. Management wants to enjoy productivity gains. Information security must serve and protect in this BYOD era. By examining use cases, prioritizing threats, establishing policies and exploring a tiered service approach to secure enterprise mobility, organizations can realize the benefits of IT consumerization and manage the risks.

ForeScout Technologies, Inc. is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held April 23–25, 2013, at Earl’s Court, London. The event provides an unrivaled free education program, exhibitors showcasing new and emerging technologies and offers practical and professional expertise. Visit the Infosecurity Europe website for further information.

Scott Gordon, CISSP-ISSMP, is the VP of Worldwide Marketing for ForeScout Technologies.
