While research varies, most organisations are only aware of 70-80 percent of the devices on their networks. Enterprise mobility presents new IT challenges and security threats with regard to managing endpoints, safeguarding network resources and protecting sensitive data. You can’t ignore the iPad here, the Android smartphone over there, a consultant with a tethered laptop or the occasional personal WiFi access point blip – it’s the tip of the IT consumerisation iceberg.
Bring Your Own Device (BYOD) is defined as the extent to which an IT organisation prohibits, tolerates, supports or embraces the use of personal mobile devices as well as the technical and non-technical controls to enable and enforce that policy. There are a variety of non-technical controls such as issuing an acceptable use policy (AUP) that outlines mobile device use parameters for employees and guests.
When it comes to BYOD and technical controls, there is no one-size-fits-all answer. While mobile device management (MDM) tools are among technologies that have captured the BYOD limelight, the best practice of employing a layered security model can and should be applied to BYOD.
IT should determine specific cases that are more susceptible to security issues, have high data leakage risks, or greater threat of access violation. To put things into perspective, one should ask if syncing email to personal mobile devices is significantly riskier than syncing email with corporate provisioned PCs. If so, at what cost can the company afford and administer such protection? More likely, the organisation will conclude that it should apply the right level of security based on user, device, application, network, data, risk and cost – a tiered mobile security strategy.
For some organisations, this involves Network Access Control (NAC) and Wireless Access Point (WAP) for guest management. Other organisations may employ NAC, WAP and Virtual Desktop Infrastructure (VDI) as a means to control contractors’ use of their PCs while ensuring that apps and data stay within tighter corporate control. On the application front, organisations are employing Mobile Application Management (MAM) and Mobile Application Protection (MAP) tools to reduce application level security threats.
While plenty of three-letter acronym technologies exist, let’s examine the relationship of NAC and MDM as applied to a tiered security strategy. NAC identifies and classifies network devices and applies policy to allow, limit or block access to network resources based on a variety of security criteria. Moreover, NAC is able to identify unmanaged devices and apply policy ranging from guest management to MDM enrolment. As a result, NAC serves as a foundation for BYOD to ensure that:
- Unknown or prohibited mobile devices do not connect to your network
- Network-based controls remain intact to complement device controls
- Security teams gain visibility and control across all types of devices and use cases.
Next generation NAC can apply similar or even greater mobile security controls to smartphones and tablets as it applies to PCs. Mobile security compliance can include such items as: password strength, configuration, activated encryption, email and other applications, acceptable wireless access points, as well as wipe and lock. This “mobile NAC” functionality often addresses a majority of an organisation’s BYOD requirements with low administrative overhead and cost.
Many enterprises are exploring or have already deployed an MDM system to gain end-to-end mobile device lifecycle management and stronger device-level application and data protection. An MDM solution offers an integrated set of functions to manage corporate or personal mobile devices which includes: device provisioning/de-provisioning, over-the-air configuration, certificate management, email and app management, app portal, document management, security management and expense management. However, a NAC / MDM combination has significant merits, including:
- Unmanaged mobile devices: MDM tools can only see what they are managing. NAC can provide visibility to personal mobile devices that are not managed
- Enrolment: NAC can automate the enrolment process for new devices, saving IT time and resources and also improving the security of the network by ensuring that only enrolled devices are admitted to the network
- On-demand profiling: MDM systems routinely check to see if the configuration of a mobile device matches a defined policy. This profile scan is done at various intervals so that battery life is maintained. This leaves a window of risk between the last scan and the moment the device joins your network, during which the device’s configuration may have changed. NAC can trigger a fresh MDM policy scan the moment that the mobile device tries to connect to your network
- Unified visibility and policy management: With NAC and MDM, a security operator who may be involved in MDM purchase and policy but does not have daily operational access (often owned by Infrastructure & Operations) can now see and control everything in one console.
The following scenario is an example of how a tiered service for BYOD could work. A user has a personal iPad tablet that he brings into the workplace. He attempts to access the corporate network using his existing employee credentials. The NAC security system automatically identifies the user and the device as he attempts to access a corporate Wi-Fi. The browser session is intercepted and redirected to a guest registration page. At this point, the user’s device is automatically placed on a segregated network.
After agreeing to an AUP the user is prompted to install a security applet. Once installed, the company’s mobile security policy is in effect to block the use of a rooted device, enforce the use of a stronger password, assure proper activation of encryption, associate corporate email access in a corporate profile, etc. The user would then be moved out of a guest VLAN, and be granted additional access to network resources.
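The tiered flow above, together with the on-demand profiling point (NAC requesting a fresh MDM scan at connect time rather than trusting a stale periodic one), can be expressed as a small policy engine. The following is an added example written for this article, not code from any NAC or MDM vendor; the MDM API, the device identifiers, the VLAN names and the thresholds (minimum passcode length, how old a posture scan may be before it counts as stale) are all constructed assumptions.

```python
"""Toy NAC/MDM admission engine: decides which VLAN a connecting device lands on.

Constructed example; the MDM interface, thresholds and sample devices are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy thresholds are constructed for this example, not taken from any product.
MIN_PASSCODE_LENGTH = 6
MAX_POSTURE_AGE = timedelta(hours=4)  # periodic MDM scans older than this are stale


@dataclass(frozen=True)
class Posture:
    """Device state as reported by the MDM at its last check-in."""
    rooted: bool
    passcode_length: int
    encryption_on: bool
    scanned_at: datetime


@dataclass(frozen=True)
class Decision:
    vlan: str             # "guest", "remediation", "corporate" or "blocked"
    reason: str
    rescan_triggered: bool = False


class MdmStub:
    """Stands in for an MDM API: knows enrolled devices and their last posture."""

    def __init__(self, inventory: Dict[str, Posture]):
        self._inventory = dict(inventory)
        self.rescans: List[str] = []  # on-demand scans requested by NAC

    def is_enrolled(self, device_id: str) -> bool:
        return device_id in self._inventory

    def last_posture(self, device_id: str) -> Optional[Posture]:
        return self._inventory.get(device_id)

    def rescan(self, device_id: str, now: datetime) -> Posture:
        # A real MDM would push a fresh check-in to the device; the stub just
        # re-reads the stored posture and stamps it with the current time.
        self.rescans.append(device_id)
        old = self._inventory[device_id]
        fresh = Posture(old.rooted, old.passcode_length, old.encryption_on, now)
        self._inventory[device_id] = fresh
        return fresh


def check_compliance(p: Posture) -> Optional[str]:
    """Return the first failed control, or None if the device is compliant."""
    if p.rooted:
        return "rooted device"
    if p.passcode_length < MIN_PASSCODE_LENGTH:
        return "weak passcode"
    if not p.encryption_on:
        return "encryption not activated"
    return None


def admit(device_id: str, accepted_aup: bool, mdm: MdmStub, now: datetime) -> Decision:
    """NAC decision for one connection attempt."""
    # Tier 1: unknown devices stay on the guest VLAN behind the AUP/registration portal.
    if not mdm.is_enrolled(device_id):
        if not accepted_aup:
            return Decision("guest", "unknown device: present AUP and registration portal")
        return Decision("guest", "AUP accepted: prompt enrolment in MDM")

    # Tier 2: enrolled device. If the last periodic scan is stale, ask the MDM
    # for a fresh one now instead of trusting the old posture.
    posture = mdm.last_posture(device_id)
    rescanned = False
    if now - posture.scanned_at > MAX_POSTURE_AGE:
        posture = mdm.rescan(device_id, now)
        rescanned = True

    # Tier 3: apply the mobile security policy before granting corporate access.
    failure = check_compliance(posture)
    if failure == "rooted device":
        return Decision("blocked", failure, rescanned)
    if failure is not None:
        return Decision("remediation", failure, rescanned)
    return Decision("corporate", "compliant", rescanned)


def demo() -> dict:
    """Run the engine over a constructed inventory and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0)
    mdm = MdmStub({
        "ipad-alice": Posture(False, 8, True, now - timedelta(hours=6)),      # stale scan
        "phone-bob": Posture(True, 8, True, now - timedelta(minutes=10)),     # rooted
        "phone-carol": Posture(False, 4, True, now - timedelta(minutes=10)),  # weak passcode
    })
    results = {
        "unknown": admit("ipad-unknown", False, mdm, now),
        "registered": admit("ipad-unknown", True, mdm, now),
        "stale": admit("ipad-alice", True, mdm, now),
        "rooted": admit("phone-bob", True, mdm, now),
        "weak": admit("phone-carol", True, mdm, now),
    }
    results["rescans"] = list(mdm.rescans)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the structure is that visibility and policy live in one place: the NAC sees every connection attempt (including devices the MDM has never heard of), decides the tier, and uses the MDM only for device-level posture, refreshing that posture on demand so that a device which was rooted or had encryption disabled since its last periodic check-in is caught at the moment it connects rather than hours later.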
In the end, IT is tasked with serving business interests. Employees and guests want to use the devices they love. Management wants to enjoy productivity gains. Information security must serve and protect in this BYOD era. By examining use cases, prioritising threats, establishing policies and exploring a tiered service approach to secure enterprise mobility, organisations can realise the benefits of IT consumerisation and manage the risks.