Comment: Under BYOD Pressure

Higgins' advice: "Know what is on your network, and act on it"

CIOs are under increasing pressure from the business to support BYOD initiatives. The reality for the vast majority of IT groups is that they need to play catch-up: devices that are neither known to nor controlled by enterprise management systems already make up 20% to 50% of what is on their networks.

BYOD is already here; we have simply chosen, collectively, to close our eyes. Make sure you have covered the basics in order to get the most out of your security investments.

What Not to Do

I’ve seen several enterprise reactions to BYOD, the most common being outright denial. The IT group points to the fact that there are written policies against using unapproved devices on the network, and that the helpdesk has only received a couple of requests to configure an iPhone. The reality is that it doesn’t take end users long to figure out that the credentials they use to log into their workstation also work on their iPhone.

Other organizations have leveraged access control solutions to lock down all ports using 802.1X and MAC address authentication. Without the right tools, this is a costly, time-consuming proposition and, although it meets the requirement of increasing security, it sacrifices the real benefits BYOD brings in terms of end-user satisfaction and potential cost savings.

Both of these options suffer from the same shortcoming – they turn otherwise trusted employees into ‘attackers’ who find creative ways of bypassing controls. Employees do so to get their jobs done more effectively, but IT is left with no way of knowing that the controls have been bypassed.

A More Effective Strategy

The key is to make BYOD work for you without sacrificing security, while also making it easy for your employees. Migrate to a continuous network monitoring and control architecture that lets you detect new employee-owned devices the moment they first connect to the network. This lets you guide their owners through the configuration process: network connectivity, mobile device management (MDM) enrollment, and acceptance of the corporate terms of use. It ensures that your controls cannot be bypassed (whether by manual configuration or by compromised MDM agents), and also that they don’t become a barrier to employee productivity.

Continuous network monitoring and control architecture can be achieved by integrating next-generation network access control solutions with MDM solutions, as well as existing IT infrastructure. This includes vulnerability assessment and asset management tools so as to ensure that devices don’t escape controls.

Whichever solution is selected, it should provide flexible deployment options, easy integration into the enterprise architecture, and complete, real-time visibility of all networked devices, as well as advanced correlation and policy capabilities.

The Foundation

The first step is to get all stakeholders involved and agree on BYOD’s scope within your organization, including acceptable risks, tradeoffs, support policies, and HR and privacy policies. Then you can move on to implementing a continuous network monitoring and control architecture. This will make network-level controls easier to manage (802.1X, MAC authentication, role-based access controls) and let you feed the real-time network monitoring information into your existing security and management infrastructure (vulnerability assessment, CMDB, NCCM).

The foundation for this is simple: Know what is on your network, and act on it!
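The continuous-monitoring architecture described above comes down to one loop: see a device appear on the network, correlate it with what the organization already knows about it (asset inventory, MDM enrollment), and decide what to do with it. The following is an added example, not code from the article or from Mancala Networks, showing that loop in Python. The DHCP log format, the CMDB and MDM extracts, the MAC addresses and hostnames, and the policy action labels (allow-corp, allow-byod, onboarding-vlan, quarantine-review) are all constructed for illustration.

```python
"""Added example: classify devices as they appear on the network by
correlating DHCP lease events with an asset inventory (CMDB) and
MDM enrollment records. All data, formats and action names are
hypothetical; this is not any vendor's product or API."""
import re
from dataclasses import dataclass

# Constructed sample: syslog-style DHCP lease acknowledgements (hypothetical format).
DHCP_LOG = """\
Apr 24 09:01:12 dhcpd: DHCPACK on 10.20.5.17 to 00:1a:2b:3c:4d:5e (ws-finance-07)
Apr 24 09:02:45 dhcpd: DHCPACK on 10.20.5.18 to f0:18:98:aa:bb:cc (Rorys-iPhone)
Apr 24 09:03:10 dhcpd: DHCPACK on 10.20.5.19 to 3c:22:fb:11:22:33 (android-9f8e)
Apr 24 09:04:02 dhcpd: DHCPACK on 10.20.5.20 to 00:50:56:de:ad:01 (printer-3f)
Apr 24 09:05:30 dhcpd: DHCPACK on 10.20.5.21 to 00:1a:2b:00:00:99 (android-1a2b)
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]*)\)"
)

# Constructed CMDB extract: corporate-managed assets keyed by MAC address.
CMDB = {
    "00:1a:2b:3c:4d:5e": {"type": "workstation", "host": "ws-finance-07"},
    "00:1a:2b:00:00:99": {"type": "workstation", "host": "ws-hr-02"},
    "00:50:56:de:ad:01": {"type": "printer", "host": "printer-3f"},
}
# Constructed MDM extract: employee-owned devices that completed enrollment.
MDM_ENROLLED = {"f0:18:98:aa:bb:cc"}


@dataclass
class Decision:
    mac: str
    ip: str
    host: str
    category: str  # managed | byod-enrolled | unknown | inventory-mismatch
    action: str    # hypothetical policy action handed to the access-control layer


def parse_leases(text):
    """Extract (ip, mac, host) from each DHCPACK line; other lines are ignored."""
    return [m.groupdict() for line in text.splitlines() if (m := LEASE_RE.search(line))]


def classify(mac, host, cmdb=CMDB, mdm=MDM_ENROLLED):
    """Map one observed device to a category and a policy action."""
    asset = cmdb.get(mac)
    if asset is not None:
        # A managed MAC whose observed hostname disagrees with inventory is a
        # signal worth reviewing (stale CMDB, reimaged host, or cloned MAC).
        if asset["host"].lower() != host.lower():
            return "inventory-mismatch", "quarantine-review"
        return "managed", "allow-corp"
    if mac in mdm:
        return "byod-enrolled", "allow-byod"
    # Never seen before: steer it to the onboarding flow (MDM enrollment,
    # terms of use) rather than silently allowing or blocking it.
    return "unknown", "onboarding-vlan"


def evaluate(text, cmdb=CMDB, mdm=MDM_ENROLLED):
    """Run the detect-correlate-decide loop over a batch of lease events."""
    decisions = []
    for ev in parse_leases(text):
        mac = ev["mac"].lower()
        category, action = classify(mac, ev["host"], cmdb, mdm)
        decisions.append(Decision(mac, ev["ip"], ev["host"], category, action))
    return decisions


def unknown_devices(decisions):
    """The devices the article says most organizations cannot currently see."""
    return [d for d in decisions if d.category == "unknown"]


if __name__ == "__main__":
    for d in evaluate(DHCP_LOG):
        print(f"{d.ip:<12} {d.mac}  {d.host:<16} {d.category:<19} -> {d.action}")
```

Keying the correlation on MAC address, as this example does, is only a first signal: a MAC is trivially changed by the device owner, which is why the article pairs visibility with 802.1X, MDM agents, and vulnerability assessment rather than relying on any one of them. The value of the loop is that every device, including the mismatch on the last line, gets an explicit decision that is recorded rather than left to chance.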

The Next Steps

After you have laid the foundation for your BYOD strategy, the next steps are selecting and implementing an MDM solution that provides advanced, multi-OS control capabilities, including remote wipe, encryption and corporate data sandboxing. It is then necessary to integrate your existing technologies (vulnerability assessment, CMDB, etc.) with your continuous network monitoring and control solution, so as to provide 100% compliance all of the time.

Implement periodic policy reviews, security audits and, perhaps most importantly, get feedback from end-users to make sure you are reaching the goals you’ve set out.

The Net-Net

The jury is still out as to whether BYOD will deliver all of the anticipated cost reductions by transferring the upfront purchase cost of endpoint devices to employees. It is difficult to model exactly what impact the trend will have on things like IT support. What is clear is that IT departments can no longer deliver improved employee productivity by providing standardized, corporate-owned devices, and they can’t just continue to ignore the BYOD problem. Their employees have already purchased (and connected) personal devices that are faster and better suited to the way they work.

At a minimum, BYOD will force us to re-think the assumptions we’ve made about the trust model at the core of our enterprise LAN architecture and move to an architecture that supports real-time monitoring and control.


Mancala Networks is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24–26 April 2012 at Earl’s Court, London. The event provides an unrivalled free education program, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. Visit the Infosecurity Europe website for further information.


Rory Higgins is co-founder and EVP marketing at Mancala Networks.

