Cracking the BYOD Security Nut

While so-called BYOD isn’t necessarily new — IT departments, after all, have been supporting mobile road warriors since the 1980s — the rising tide of end users seeking the use and support of their own consumer devices is something quite different.

It’s so different that IT departments are grasping for any standard or proven approaches that make Bring Your Own Device access of enterprise resources both secure and reliable. The task is dauntingly complex, and new and unforeseen consequences of BYOD are cropping up regularly — from deluged help desks, to app performance snafus, to new forms of security breaches.

This podcast aims to bring clarity to solving the BYOD support, management and security dilemma through an exploration of some of the new and more-effective approaches for making BYOD both safe and controlled.

Offering their insights are Jonathan Sander, director of IAM product strategy at Dell Software, and Jane Wasson, senior product marketing manager for mobile security at Dell Software. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.

Listen to the podcast (45:52 minutes).

Here are some excerpts:

Jane Wasson: Industry analysts are now seeing that more than 50 percent of workers are using personal mobile devices in some capacity to access business networks. Increasingly, they’re asking to access not just email and calendar, but also enterprise apps and resources. IT did a great job of supporting mobile workers with laptops and early mobile devices for quite some time, but much of that was with IT-controlled systems.

What we’re seeing now that’s a little bit different is increasingly those mobile workers like the ease of use and the speed at which they can get to their email and their calendar apps with their own mobile devices. They now want IT to extend that so that they can get the same access to enterprise apps and resources on mobile devices that they’ve enjoyed on their IT-controlled laptops over the years.

That creates a new challenge for IT. All of a sudden, rather than having a controlled set of devices and a controlled environment that they can manage, they have a variety of devices that end users have purchased. IT had no control over that choice and what’s already loaded on those devices.

They’re trying to figure out, given that environment, how to securely enable access to enterprise apps and resources and give those end users that speed of access that they want and the ease of access that they want, but still maintain security.

They don’t want their back-end networks infected with malware. They don’t want to have rogue users finding laptops or mobile devices and being able to access enterprise systems. It’s a huge challenge for IT support groups.

Dana Gardner: It seems that there are unintended consequences here. What’s happening now that we have this pull in the BYOD direction?

Jonathan Sander: There are a lot of consequences, and understanding all of them is still in process. That’s part of the problem. Of all the problems that people are going to have as a result of BYOD, [many] are TBD. One of the ones that’s most apparent right away is security. The approaches that people have taken in the past to lock down anything that’s related to mobile have all centered on exactly what Jane pointed out. They were in charge of the device in some fashion. They had a foot in that door, and they could use some kind of lockdown.

I was sitting with someone at one of the big financial firms in New York City the other day. We asked them about their BYOD strategy and he took a humorous approach to it. He said, “Yes, we have a really well-defined BYOD strategy. As long as the device is the one we assign to you and uses the software that we approved and control all the policy on, you can bring it.” I think that that’s not too uncommon.

A lot of the firms that are very security sensitive have worked it out. On the other end of the scale, I’ve talked to people who say that BYOD is not something that they are doing but rather is being inflicted on them. That’s the language they put it in. It relates back to that security problem, because when they’re looking at trying to understand how their data is going to be present on these devices and what impact that will have on their risk standpoint, it’s almost impossible to quantify.

If you look at the history of breaches, even with the controlled laptops that they had, you had laptops being stolen with tons of data on them. You know what happens the first time you get one of those breaches stemming from someone leaving their cellphone in the backseat of a taxi cab? These are the things that are keeping people up at night.

Add to this that a lot of times the security approaches they have taken have all been leveraging the fact that there is a single vendor that is somehow responsible for a lot of what they do. Now, with the explosion of the variety of devices and the fact that they have no control over what their employee might purchase to bring in, that notion is simply gone. With it went any hope of a standard — at least, anytime soon — to help secure and lock down the data on all these different devices.

Gardner: Another aspect of this is the diversity of the variables. There is Web access, native apps, a variety of different carriers, different types of networks within those carriers, and all these different plans.

I suppose it’s difficult to have just a standard operating procedure. It seems like there have to be dozens of standard operating procedures. Is that what they’re finding in the field, and how does any organization come to grips with such diversity?

Sander: You’re absolutely right. Diversity, first and foremost, is the challenge. There are also a lot of other trends that are bringing more diversity into IT at the same time, and then BYOD just becomes one dimension of diversity.

You mentioned Web control. If you’re assuming that this is a Web application that they’re rolling out on their own, that’s one thing. If it’s a cloud app, what happens when you have somebody using a cloud app on a BYOD device? How do you insert any control into that scenario at all? It gets very complex, very quickly.

Gardner: Let’s look at some specific types of starting points, putting in the blocking and tackling necessary to start to get a handle on this. Jane, what should companies be doing, in terms of setting up some building blocks, the means to tackle the reliability, security and diversity?

Wasson: The good news is that being able to support remote workers is not new, because most companies already have policies in place to manage remote workers. What’s new is that rather than the devices that are accessing the enterprise apps and resources being IT-controlled, those devices are no longer IT-controlled.

Very often, the policies are there. What they need to do is rethink those policies … . You have to be able to know which devices are connecting to the network. Are those devices harboring malware that could infect your network? Are those devices locked down, so that authentication is necessary to get into your network?