BYOD, or Bring Your Own Device, refers to the trend in enterprise IT to rely on users to supply their own computing hardware in the form of smartphones, tablets, and, to a lesser extent, laptops. While there is an ostensible cost savings to be had in capital expenditure, and businesses can realize productivity in making it as convenient as possible for employees to always be connected, BYOD is mostly just a response to an external reality: as smartphones become more capable, consumers use them for almost all computing tasks side from “heavy” content creation (e.g. programming; video editing). Plus, while checking work email can be a primary task for a consumer smartphone, even on the weekend, the latest generation of users communicate via SMS, Facebook, and Twitter. All of those communication needs are met using public, free apps.
In that context, providing knowledge workers with a separate, corporate-managed, mobile computing device is moot. Nobody needs it.
But if you’re responsibilities include IT security management or compliance then you should already be squirming. There’s a balance to be struck, and it’s unlikely to be the same for any two businesses. On one hand, you have to support the latest communication, collaboration, and information exchange modalities if you want to attract and keep the best people and stay ahead of your competitors. On the other hand, there is a fiduciary obligation to deploy security control systems that, at minimum, help keep honest people honest when it comes to data storage and exchange.
Recent competition in the mobile sector has really paid off for consumers: the latest devices from Apple, Google, and Samsung are incredibly cutting-edge and yet incredibly usable. That impressive combination is in fact an inspiration for us security folks. One one hand, heterogeneity is hard for the IT security manager, since disparate mobile platforms expose different security controls. On the other hand, the raw power and extensibility present in these devices mean that the sky is the limit, both for the IT security manager in terms of developing and applying controls, as well as for the business manager in terms of dreaming up new scenarios for increasing business capability and velocity.
So how to secure all those mobile devices for corporate data access? Let’s use the Four Pillars of Endpoint Security model as a guide:
Endpoint Hardening – technologies such as platform attestation allow server-side resources to extract high-assurance security claims from mobile devices . This helps to keep sensitive data off of malware and rootkit infested devices and can also be used to enforce client attributes such as the use of hardware-based disk encryption. The latest generation of mobile devices supports a variety of high-integrity security features, including TPMs, SIMs, and other hardened cryptographic and data protection features.
Endpoint Reliability – the ability to make mobile devices self-healing is still a work in progress, but all of the major platforms have recognized the increased support cost, and negative user experience, that comes from supporting a wide-open application ecosystem in which discerning good software from bad is impossible for the layman. Curated app stores help endpoint reliability, although they don’t guarantee it. This is moving in the right direction, but enterprises with sophisticated security needs must still necessarily distinguish between managed (e.g. a AD domain-joined laptop) and unmanaged (typical smartphone) devices when it comes to granting information access. Enforcing patching and platform updates is key to maintaining endpoint reliability; technologies exist to do this across all platforms.
Network Prioritization – link encryption is a must-have. All web applications should enforce TLS; all clients support it. Don’t waste bandwidth on unencrypted or untrusted requests.
Network Reliability – many of the same proven security technologies and practices apply equally across traditional enterprise computing assets: routers, servers, laptops, and desktops. Don’t forget that (a) they need to be utilized and (b) they’re constantly increasing in sophistication. This applies whether the assets are mobile, private cloud, or public cloud.
In summary, BYOD security is a tenable problem. Contact JW Secure for a demonstration of our BYOD security solutions.