CIOs are under increasing pressure from the business to support BYOD initiatives. The reality for the vast majority of IT groups is that they need to play catch-up: 20 to 50% additional devices that are neither known to nor controlled by the enterprise management systems are already present on the network. BYOD is already here; we have just chosen to collectively close our eyes. Make sure you have covered the basics in order to optimize your security investments.
What not to do
I’ve seen several reactions of enterprises to BYOD, the most common being outright denial. The IT group points to the fact that there are written policies against using unapproved devices on the network and that they’ve only received a couple of requests to configure an iPhone via the helpdesk. The reality is that it doesn’t take end users long to figure out that the same credentials they use to log in to their workstation, also work on their iPhone and they simply don’t ask.
Other organizations have leveraged access control solutions to lock down all ports using 802.1X and MAC address authentication. Without the right tools, this is a costly, time-consuming proposition and, while it meets the requirement of increasing security, it sacrifices the real benefits BYOD brings in terms of end user satisfaction and potential cost savings.
Both of these options suffer from the same shortcomings: they turn otherwise trusted employees into “attackers” who find creative ways of bypassing controls in order to do their jobs, and they give IT no means of knowing that the controls have been bypassed.
Make BYOD work for you without sacrificing security while making it easy for your employees
- Get all stakeholders involved and agree on the scope of BYOD within your organization, including acceptable risks, tradeoffs, support policies, HR policies and privacy policies.
- Implement a continuous network monitoring and control architecture. This will allow you to make managing network level controls easier (802.1X, MAC authentication, role based access controls) and to leverage the real-time network monitoring information to optimize existing security and management infrastructure (vulnerability assessment, CMDB, NCCM).
Know what is on your network, and act on it!
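As an added example (not part of the original article), here is the reconciliation step behind "know what is on your network": a Python script that parses constructed DHCP lease records, checks each MAC address against a constructed CMDB extract, and reports the devices the enterprise does not manage, with a vendor hint from the MAC prefix. The lease format, the CMDB shape and the OUI hint table are all assumed placeholders, not any real product's format or the IEEE registry.

```python
import re
from collections import namedtuple

# Constructed sample DHCP lease records (hypothetical format: date time DHCPACK mac ip hostname).
DHCP_LOG = """\
2012-04-20 08:01:12 DHCPACK 00:1a:2b:3c:4d:01 10.0.1.21 WS-FIN-014
2012-04-20 08:02:05 DHCPACK 00:1a:2b:3c:4d:02 10.0.1.22 WS-HR-003
2012-04-20 08:03:44 DHCPACK 5c:59:48:aa:bb:01 10.0.1.87 iPhone-jsmith
2012-04-20 08:04:10 DHCPACK f0:de:f1:cc:dd:02 10.0.1.91 android-9e2f
2012-04-20 08:05:33 DHCPACK 00:1a:2b:3c:4d:01 10.0.1.21 WS-FIN-014
"""

# Constructed CMDB extract: MAC -> (asset tag, owning department). A real export replaces this.
CMDB = {
    "00:1a:2b:3c:4d:01": ("AST-1001", "finance"),
    "00:1a:2b:3c:4d:02": ("AST-1002", "hr"),
}

# Constructed OUI-prefix hints (placeholders, not the real IEEE OUI registry).
OUI_HINTS = {"5c:59:48": "mobile-vendor-A", "f0:de:f1": "mobile-vendor-B"}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCPACK (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<host>\S+)$")

Device = namedtuple("Device", "mac ip hostname first_seen vendor_hint")

def find_unmanaged(log_text, cmdb, oui_hints):
    """Return devices seen in DHCP leases but absent from the CMDB, one entry per MAC."""
    unknown = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # not a lease acknowledgement; ignore
        mac = m["mac"].lower()
        if mac in cmdb or mac in unknown:
            continue  # managed asset, or already recorded from an earlier lease
        unknown[mac] = Device(mac, m["ip"], m["host"], m["ts"],
                              oui_hints.get(mac[:8], "unknown-vendor"))
    return list(unknown.values())

def unmanaged_ratio(log_text, cmdb, oui_hints):
    """Fraction of distinct MACs in the leases that the CMDB does not know about."""
    macs = {m["mac"].lower() for m in map(LEASE_RE.match, log_text.splitlines()) if m}
    return len(find_unmanaged(log_text, cmdb, oui_hints)) / len(macs) if macs else 0.0

if __name__ == "__main__":
    for d in find_unmanaged(DHCP_LOG, CMDB, OUI_HINTS):
        print(f"UNMANAGED {d.mac} {d.ip} {d.hostname} ({d.vendor_hint}) first seen {d.first_seen}")
```

Feeding the same function a continuous stream of lease or ARP records, rather than a static file, turns it into the ongoing inventory check the architecture above calls for.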
The next steps
- Select and implement an MDM solution that provides advanced, multi-OS control capabilities, including remote wipe, encryption and corporate data sandboxing.
- Integrate existing technologies (vulnerability assessment, CMDB, etc.) with your continuous network monitoring and control solution to provide 100% compliance 100% of the time.
- Implement periodic policy reviews, security audits and, perhaps most importantly, get feedback from end-users to make sure you are reaching the goals you’ve set out.
The jury is still out as to whether BYOD will deliver all of the anticipated cost reductions by transferring the upfront purchase cost of endpoint devices to employees, as it is difficult to model exactly the impact it will have on things like IT support. What is clear is that IT departments can no longer ensure improved employee productivity by providing standardized corporate owned devices and they can’t just continue to ignore the problem. Their employees have already purchased (and connected) their own personal device that is faster and more intuitive to the way they work. At a minimum, BYOD will force us to re-think the assumptions we’ve made about the trust model at the core of our enterprise LAN architecture and move to an architecture that supports real-time monitoring and control.
Mancala Networks is exhibiting at Infosecurity Europe 2012 (stand C83), the No. 1 industry event in Europe, held on 24th–26th April 2012 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk