Sunday, March 10, 2013

BYOD 101 and the Productivity and Security implications for an Enterprise

(Reproduced with permission from i7nw)

This blog talks about mainly BYOD, the new phenomenon to hit enterprises by surprise and the implications of it especially the productivity and the security aspect of it. Also discusses in brief what does other buzzwords in this space mean, which you might have heard, and wondering what it means.

BYOD stands for Bring Your Own Device to work. A movement called “Consumerization of IT” is taking place wherein more & more workforce is deciding what device and what Apps to get to work rather than the IT and hence creating a huge challenge for IT to manage such a workforce, especially the security of the corporate network and its data.

Today whether you allow personal smartphones and tablets into the enterprise or not, people have found a way to use them. According to many surveys, north of 70% of people are already using it and north of 80% of companies have already adopted the BYOD trend in some way or other. Analysts have clearly told that this is a movement, which cannot be stopped, and their message has been very strong, adapt it or lose out in the competition.

Productivity Gains

According to a survey conducted by one of the cloud infrastructure companies (VMware), which was conducted across 10 countries in the Asia-Pacific region, including India found that employees find them more productive at workplace getting their own smartphones & tablets  (72%) and in India it was 77%.

In India of all the people surveyed, 72% claimed to be more productive working the devices of their choice, 70% claimed to be happier in their role when they are allowed to work using their own device and 66% said that life and work was less stressful when they had a choice of what device they use.

Security Threat

Biggest challenge in adopting this BYOD trend has been the security. Today BYODs if not checked can create havoc in the corporate network. Compromised devices can infect malware into the system via back door, or data resident on the device when lost can be compromised, or data in transit can be meddled into. Again in all surveys, IT has agreed that this is the problem #1 to solve.
Another popular study, which focused on mobile security decision-makers in the United States, United Kingdom and Australia, found an overwhelming 82 percent of respondents believe that mobile devices create a high security risk within the corporate environment. Results show that mobile security is a high priority for half of the companies supporting BYOD, equating to increased help desk support and consumption of valuable IT resources. In addition, 45 percent reported lost or stolen devices in the past year and 24 percent experienced mobile malware infections, crippling productivity and potentially compromising company and customer data.

However, larger organizations, those with 500 or more employees, are at even higher risk. According to the study, 67 percent had dealt with lost or stolen mobile devices and 32 percent had experienced mobile malware infections, creating widespread concern about the business impact of employee-owned devices within the enterprise.

According to the survey more than 60% of the organization allows BYOD and they are not aware of pitfalls of allowing accessing critical corporate resources via smart devices without proper access control.

According to Bluecoat survey, a whopping 77 percent of IT managers see the risk of malware spreading to the corporate network from mobile devices as moderate to very high. A more recent study by Harris Interactive, primarily focused on users in the US, found that 55 per cent of companies had already experienced a security breach as a result of personal technologies being used in the workplace.

Now the Buzzwords!!

BYOD security is provided in various forms and segments and is an evolving market with huge potential. There are MDMs, which stands for Mobile Device Management and there are many vendors who look into mainly device management while providing few security features for enterprises. They install a client on your device and make that client connect to a server in the enterprise and control what your device can do and cannot do and more importantly if the device is lost or misplaced, this has the capability to wipe out the entire device.  They pretty much control every aspect of the device and to give an example, They can even switch off/on the camera in your smartphone when they want. MDMs are considered more of a device control than security per say but they do provide a lot of security features such as what apps can be installed and what cannot and what can be used etc. This solution is recommended in highly regulated industries such as insurance & finance. Of course they do have issues such as intrusion into privacy of employees, too intrusive and provisioning takes a long time as it is client-server architecture and of course they manage what are known devices and there are lot of unknown or unauthorized devices, which many of them are unsecured and hence can create a security hole. Seems the best solution if enterprise provides the device but for a personal device this can be too intrusive and steps on ones privacy.

While MDMs look into device aspect, MAM’s are what are called Mobile Apps Management does a similar stuff w.r.t apps management on your device and makes sure the data is encrypted in the transmission and allows only those apps that are listed and denies access on those that are not listed etc. They pretty much work the same way that MDM works and usually has a client installed on them too and suffers from the same disadvantages as MDMs and also generally cannot make out if the device has malware or if OS is vulnerable and has been compromised.

Next come the NAC devices (Network Access Control). This to a large extent keeps away from the client and controls the access of devices in the enterprise. Their way of doing is by registering the device via a self portal or via a client (a transient one), collect all the info and recognize these devices and put them on a separate virtual LAN based on the corporate criteria. This way you will actually put the devices on a separate LAN and hence forcefully in a way control the access for device. Some of the issues with NAC is that very tough to deploy, cannot create differential access on the same vlan as say your laptop and always puts it on a separate vlan as a way to control. Also they have no way to detect unauthorized devices nor they can recognize network traffic and identify malicious traffic and device. They also cannot wipe out a device if it is lost or stolen.

Then comes the Containerization where is the apps in question are wrapped or contained within another layer or a box which is totally encrypted. This provides an additional layer of security for the critical apps and the sensitive data. All communications from this app to the server in the enterprise will be encrypted and also if/when the device is lost, this server will wipe out the entire app and the data associated with it. Many companies provide the framework for this so that those enterprises that go for their own app store and their own apps can wrap them up with this secure layer. This solution is also called app wrapping. Advantages are that you have an extra layer of security but some of the disadvantages are that again it leaves a footprint on the device, very resource intensive (for how many apps and how many versions will you create this wrapped up version). Also tough to wrap the 3rd party apps (which are more popular and are being used more frequently and are enterprise ready) is very difficult and to enforce the usage of wrapped-version is going to be pretty tough.

Then comes the virtualization, which we are all used to for our desktop. By this process, one creates a complete wrap up for the phone itself and not just the apps in question. This way you need to work, you can always flip to the work space and then when you need to do your personal things, just flip to your personal profile and these two are disconnected and hence generally very safe for enterprises to use this. Of course this has its own share of issues. Many people don’t feel convenient to flip to work. It is not so easy to divide what is official and what is personal. Does Facetime, Facebook, Skype, Evernote, and lot more such apps, are official or personal? what is office and what is personal? Whan a call comes where does it go? What about texting (SMS)? There can be only one contacts database and where does it go? Impossible to decide? People will start using just one of them when such confusion exists and the solution will fail. Also mobile processors are not that powerful to support a full-blown virtualization and hence performance suffers.

Then comes the MEAP or what is called the mobile enterprise application platform (MEAP). It is a comprehensive suite of products and services that enable development of mobile applications. Cross-platform considerations are one big driver behind using MEAPs. For example, a company can use a MEAP to develop the mobile application once and deploy it to a variety of mobile devices (OS) such as iPhone, iPad or android devices,  with no changes to the underlying business logic. A MEAP solution is generally composed of two parts: a mobile middleware server and a mobile client application. A middleware server is the solution component that handles all system integration, security, communications, scalability, cross-platform support, etc. No data is stored in the middleware server – it just manages data from the back-end system to the mobile device and back. The actual apps can be thick or thin depending upon the complexity of work executed and they all connect to the server for security and management. MEAP is mainly good for development of corporate apps especially when you know that you will be deploying across multiple OS/Devices and provides a good security layer for those apps. Some of the issues again are that already popular enterprise ready apps that are available via 3rd party cannot be managed using this and also cannot provide complete security and also cannot control the malicious or compromised device coming into enterprise and more of a way to develop/deploy and control corporate apps and provide security around them.

Then there is dynamic discovery and health check of these devices that are connecting to the network and then provide policy enforcement based on the integration & health of the device. This detects all the devices that are trying to connect to the enterprise either via the regular authorized way or via unauthorized means such as spoofing, hot-spotting and various others way (it is estimated that 1/3rd of the devices that connect are unauthorized) and many among this unauthorized are unsecured ones, creating a huge security hole in the enterprise. These solutions actually detect and bring all these unauthorized and unsecured devices to corporate management fold and in a way providing the safety net to enterprises. They also check the health of the device whenever they connect to corporate network such as whether is it compromised, is it malicious and also whether they are jailbroken or rooted and then provide device based differential access say based on the device type, class, location, branch-office etc. (This is where our i7 PeregrineGuard plays). One good thing is that since all of it is done without installing a client or an agent on the device, this zero-footprint solution will be very powerful when you are dealing with multiple device kinds and OS and when you are worried of any security hole an unmanaged unauthorized and an unsecured device can create. Of course they also don’t provide you with a total solution and they need to integrate with a MDM solution or MS EAS to provide the wipe-out feature.

In summary, BYOD is here to stay and “Consumerization of IT” will be the next wave and along with that there will be huge security implications with enterprises trying to secure their network and data. Many vendors look at this issue in many different ways and they are generally classified as MDM, MAM, Containerizations, Virtualizations, NACs, Dynamic Discovery and Health Checks, & MEAPS.

I have explained very briefly how they all work. Hope I was able to do justice to the topic. If you liked it, or hated it or whatever, please do drop me an email with your suggestions, critiques and feedback and will be very thankful for that.

Manjunath M Gowda
CEO, i7 Networks,  “Agentless BYOD Discovery & Control”, @i7networks,
blogs on BYOD:

No comments:

Post a Comment