CIOs are under increasing pressure from the business to support BYOD initiatives. The reality for the vast majority of IT groups is that they are playing catch-up: 20% to 50% more devices than the enterprise management systems know about or control are already present on the network. BYOD is already here; we have simply chosen, collectively, to close our eyes. Make sure you have covered the basics before you optimize your security investments.
What Not to Do
I’ve seen several enterprise reactions to BYOD, the most common being outright denial. The IT group points out that written policy forbids unapproved devices on the network and that the helpdesk has only received a couple of requests to configure an iPhone. The reality is that it doesn’t take end users long to discover that the same credentials they use to log in to their workstations also work on their iPhones, so they simply don’t ask.
Other organizations have used access control solutions to lock down every port with 802.1X and MAC address authentication. Without the right tools this is a costly, time-consuming proposition, and although it does increase security, it sacrifices the real benefits BYOD brings in end-user satisfaction and potential cost savings. MAC address authentication in particular is only as strong as the secrecy of an approved address, which any user can read off a printer or desk phone and copy onto a personal device.
Both approaches share the same shortcomings: they turn otherwise trusted employees into “attackers” who find creative ways around the controls in order to do their jobs, and they give IT no means of knowing that the controls have been bypassed.
Make BYOD Work for You Without Sacrificing Security While Making It Easy for Your Employees
- Get all stakeholders involved and agree to the scope of BYOD within your organization, including acceptable risks, tradeoffs, support policies, and HR and privacy policies.
- Implement a continuous network monitoring and control architecture. This makes network-level controls (802.1X, MAC authentication, role-based access control) easier to manage, and lets you feed real-time network monitoring data into the security and management infrastructure you already own: vulnerability assessment, the configuration management database (CMDB) and network configuration and change management (NCCM).
Know what is on your network, and act on it!
The Next Steps
- Select and implement an MDM solution that provides advanced, multi-OS controls, including remote wipe, encryption and sandboxing of corporate data.
- Integrate existing technologies (vulnerability assessment, CMDB, etc.) with your continuous network monitoring and control solution, so that compliance is verified continuously against what is actually connected rather than at audit time.
- Implement periodic policy reviews and security audits, and perhaps most importantly, get feedback from end-users to make sure you are reaching the goals you’ve set out.
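The two points about knowing what is on the network and integrating that knowledge with the CMDB (the monitoring architecture above, and the integration step in the list just finished) come down to one recurring job: reconcile the devices the network is actually serving against the devices the enterprise thinks it owns. The script below is an added example written for this page, not code from the article’s author or from Mancala Networks. It reads ISC dhcpd-style DHCPACK syslog lines (the log format is an assumption; the lines, MAC addresses and CMDB records are all constructed for the example) and sorts each observed device into known, hostname-mismatch (a registered MAC presenting itself as something else, which is what a re-imaged asset or a cloned MAC address looks like) and unknown (the BYOD devices nobody asked about).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a CMDB export (hypothetical data). Only managed,
# corporate-owned assets appear here. Locally-administered MAC prefixes are
# used so none of these collide with a real vendor OUI.
CMDB: Dict[str, Dict[str, str]] = {
    "02:00:00:aa:00:01": {"hostname": "ws-fin-042", "owner": "finance"},
    "02:00:00:aa:00:02": {"hostname": "ws-hr-007", "owner": "hr"},
    "02:00:00:aa:00:03": {"hostname": "prn-floor2", "owner": "facilities"},
}

# Constructed ISC dhcpd-style syslog excerpt (hypothetical). The fourth line
# shows a CMDB-registered printer MAC answering as "galaxy-tab": either the
# asset was replaced without updating the CMDB, or someone copied an approved
# MAC to get past MAC authentication. Either way IT needs to know.
DHCP_LOG = """\
Apr 24 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.42 to 02:00:00:aa:00:01 (ws-fin-042) via eth0
Apr 24 09:02:03 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to 06:00:00:bb:00:01 (rorys-iphone) via eth0
Apr 24 09:02:40 dhcp1 dhcpd: DHCPDISCOVER from 02:00:00:aa:00:02 via eth0
Apr 24 09:03:15 dhcp1 dhcpd: DHCPACK on 10.0.1.88 to 02:00:00:aa:00:03 (galaxy-tab) via eth0
Apr 24 09:04:00 dhcp1 dhcpd: DHCPACK on 10.0.1.91 to 06:00:00:bb:00:01 (rorys-iphone) via eth0
"""

# Only DHCPACK proves the server actually handed out an address; DISCOVER,
# REQUEST and NAK lines are deliberately ignored. The hostname is optional
# because clients are not obliged to send one.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]
    iface: str


def parse_lease(line: str) -> Optional[Lease]:
    """Return a Lease for a DHCPACK line, or None for any other message."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    return Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"])


def reconcile(log_text: str, cmdb: Dict[str, Dict[str, str]]) -> Dict[str, List[Lease]]:
    """Compare every device the DHCP server served against the CMDB.

    Buckets:
      known    - MAC is in the CMDB and the hostname matches the record
      mismatch - MAC is in the CMDB but the device identifies itself differently
      unknown  - MAC is not in the CMDB at all
    Only the most recent lease per MAC is kept, so a device that renewed
    several times is reported once, with its current address.
    """
    latest: Dict[str, Lease] = {}
    for line in log_text.splitlines():
        lease = parse_lease(line)
        if lease is not None:
            latest[lease.mac] = lease

    result: Dict[str, List[Lease]] = {"known": [], "mismatch": [], "unknown": []}
    for mac, lease in sorted(latest.items()):
        record = cmdb.get(mac)
        if record is None:
            result["unknown"].append(lease)
        elif lease.hostname != record["hostname"]:
            result["mismatch"].append(lease)
        else:
            result["known"].append(lease)
    return result


def report(buckets: Dict[str, List[Lease]]) -> None:
    """Print one line per device; feed the mismatch/unknown rows to whatever acts on them."""
    for bucket, leases in buckets.items():
        for lease in leases:
            print(f"{bucket:8} {lease.mac} {lease.ip:15} {lease.hostname or '-'}")


if __name__ == "__main__":
    report(reconcile(DHCP_LOG, CMDB))
```

In production the log would be tailed continuously and the CMDB queried over its API rather than embedded, but the logic is the same: the unknown bucket is the inventory of devices that policy says do not exist, and the mismatch bucket is the signal that a MAC-based control has been bypassed or that the CMDB has drifted from reality. The second finding is worth acting on either way.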
The jury is still out on whether BYOD will deliver all of the anticipated cost reductions by shifting the upfront purchase cost of endpoint devices to employees, because it is difficult to model its exact impact on things like IT support. What is clear is that IT departments can no longer deliver improved employee productivity by handing out standardized corporate-owned devices, and they cannot keep ignoring the problem. Their employees have already purchased (and connected) personal devices that are faster and better suited to the way they work. At a minimum, BYOD will force us to rethink the trust assumptions at the core of our enterprise LAN architecture and move to an architecture that supports real-time monitoring and control.
About the Author
Rory Higgins is co-founder and EVP Marketing at Mancala Networks.
Mancala Networks markets an innovative continuous network monitoring and control solution: the Mancala Network Controller. The Network Controller enables enterprises and managed service providers to cost-effectively manage the complexity and risks associated with BYOD, deperimeterization, evolving trust models and the explosion in both the types and numbers of connected endpoints.
Mancala Networks is exhibiting at Infosecurity Europe 2012 (stand C83), the number-one industry event in Europe, held on April 24–26, 2012, at the prestigious venue of Earl’s Court, London. The event provides an unrivaled free education program, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information, visit www.infosec.co.uk.