Managing BYOD endpoint security
This Security School is a free multimedia learning guide designed to help you understand and address the strategic and tactical implications of this topic.
This tip is part of SearchSecurity.com's Security School lesson, Managing BYOD endpoint security. For more information, visit the lesson page; for additional learning resources, visit the Security School Course Catalog page.
The appeal of the bring your own device (BYOD) strategy is undeniable. What enterprise wants to mandate that workers carry two handsets, one of which is perceived as clunky and hard-to-use? Why should organizations make huge capital investments in devices users view as unnecessary?
As it is more than possible to achieve cost-effective, secure operations with iOS and Android, why bother with anything else?
Similarly, why spend money on wireless service plans when end users already have an array of mobile devices and would be happy to accept partial reimbursement for an expense they have regardless? BYOD looks like a serious win-win if there ever was one.
But there are a number of clear downsides to BYOD as well. Aside from security -- assuring the security (and integrity) of sensitive enterprise information on devices not owned by the enterprise is an obvious and well-documented challenge -- chief among these are BYOD management and support. How can support (and lost productivity resulting from downtime during problem resolution) costs be minimized when users can bring their own handsets, tablets and even PCs to work?
Farpoint Group has long recommended that all IT mobility initiatives be gated by a deep commitment to overall organizational policies and objectives, including, of course, security. But the technological element here also demands attention, particularly with respect to the number and type of BYOD devices allowed in any given setting. Permitting any and all mobile devices creates a scenario in which IT support and information security teams could be overwhelmed by the sheer volume of mobile device alternatives and puts in place costly and, in fact, unreasonable requirements for technical knowledge, operational processes and tools, and training and support services.
Instead, we recommend allowing only a restricted set of device types, cleverly noting that BYOD does not mean "bring any device," which has the appropriate acronym BAD. It's important to understand that each device -- and, more properly, each device with a given revision of a particular operating system platform -- has its own set of costs in terms of capability and functional verification, user and device support, and any required mobility management tools. These tools include mobile device, application and data management systems, and the selection of the specific elements of any given product integrating these functions will depend upon the device-platform combinations supported. More combinations mean more opportunity for error, complexity and cost.
Most organizations have settled on iOS and Android devices as the default for BYOD initiatives because of their popularity with consumers, along with broad adoption within the mobility management vendor community. Those two factors -- an abundance of affordable mobile management tools and users who require minimal assistance -- make the choice to accept only iOS and Android devices a viable core BYOD strategy for many if not most organizations. It is also quite reasonable to insist that only the most recent revisions of these OSes be allowed on enterprise networks (noting once again that a specific device-OS-revision pair must be verified), so as to minimize the opportunity for problems due to old bugs and even malware. While significant exploits have been discovered in both of these platforms, newer revisions usually improve both reliability and security, not to mention performance.
Support for other BYOD platforms -- most notably BlackBerry 7 and the upcoming BlackBerry 10 -- and Windows Phone 7 and 8, however, is problematic. While both have at least some mobile device management (MDM) capabilities provided by their vendors, they have, at present, less adoption within the mobility management software community overall, and there is, again, a cost associated with every device-platform combination allowed within any given organization. The question dominating the discussion here at present is whether the Microsoft and RIM alternatives include any particular security or management features of demonstrable advantage to the enterprise, and this question must remain open until we have more experience with products that are only now appearing. Ditto for the other 10 or so mobile OS alternatives -- cost-benefit analysis is difficult and, since it is more than possible to achieve cost-effective, secure enterprise operations with iOS and Android, why bother with anything else?
Looking forward, though, a few other novel technologies now on the horizon have enticing potential. Virtualization on mobile devices may become a common and effective approach to sandboxing and protecting enterprise information. Two-factor authentication using a Bluetooth or other hardware token may further protect access to the mobile device. And with end-to-end security -- including automated enforcement of both data encryption and VPN utilization -- perhaps even disappearing into the woodwork, we may eventually realize the holy grail of mobility: convenience, productivity, transparency, ease of use and low support costs, all as a matter of course. In the meantime, almost all organizations will find that BYOD initiatives are best served with a restricted -- but still wildly popular -- selection of handsets and mobile operating systems.
About the author
Craig Mathias is principal with Farpoint Group, an Ashland, Mass.-based advisory firm specializing in wireless and mobile technologies, products, services and systems. Mathias is an internationally recognized expert on wireless communications and mobile computing, and has published numerous technical and overview articles on a wide variety of topics. He is a well-known and often-quoted industry analyst and frequent speaker at industry conferences and events, as well as in webcasts, webinars, podcasts and videos.