How To Handle A Bring Your Own Device (BYOD) In A Business




Lockdown!

It used to be that if you asked a network manager how many computers they had in their environment and how many different configurations, those two numbers would have been the same. Users would naturally try to make themselves as comfortable on their computer as they could. Beyond changing screen appearance and wallpaper, many would install their favorite utilities, applications, and game software. Whenever an IT specialist was called to resolve the ensuing malware or misconfiguration problems, they would have to start by exploring that particular user's environment, which could add hours to each support call.

Network managers began locking down their desktops using a variety of techniques and specialized utilities. Users could still choose their wallpaper and a few other personal items, but they could not install new software, nor access most of their configuration controls. In many cases they could access data, but not save it to removable media. Over time the users became accustomed to working within the confines of the company's network standard configuration, and network managers found support call durations and costs dropping.

Then everything changed

Consumer devices became more powerful, more sophisticated, and more versatile. Consumers soon found that the devices they used in their personal lives could also be used in their professional lives. They could access not only the internet, but their business network as well. They could work during their morning and evening commute. They could work at home. They could work anywhere. Of course the people they worked for welcomed all of this! Getting more work hours out of employees without even asking for them? Extended access to their people at most any hour of the day or night, any day of the week? This blending of work and home life was an absolute boon for businesses. Not so much for the network managers.

Back to where we started, and worse

Network managers found themselves suddenly back where they started, even worse. Now, not only did they not know what configuration issues they were going to encounter, they didn't even know what devices they were going to have to support. The advantage to the business was just too powerful to resist, but ultimately they knew it would cost the business dearly as malware was inadvertently introduced to the network, data was corrupted or stolen, and user support costs ballooned out of control.

What the Users Want vs. What the Business Needs

Especially when using handheld smartphones or other smaller devices, users want easy, ready access to everything. They don't want to have to keep re-entering their passwords. The less keyboard entry the better. They want complete visibility of all of their network resources so they can quickly do whatever they need to do. They are accustomed to personal apps that make everything as effortless as possible.

This, of course, flies in the face of the assurances network managers know they need to provide to their company. Access to the network must be controlled so only authorized users can enter and use resources. Data must be encrypted and protected both at rest in storage and in transit between servers and users, and between users and other users. In this new environment, where the same device is used for personal and professional activities, personal data such as music files, photos, emails, texts and more must be carefully segregated from corporate data. Otherwise, corporate data ends up exposed and available from potentially hundreds of various devices that may become lost or stolen.

A Change in Strategy Requires a Change in Tactics

When network managers first figured out long ago that they would have to control their environments more effectively, they focused on the end-user devices: desktops and laptops. They carefully locked them down so users could not change them. Network managers were still able to introduce new software, new upgrades, updates and patches, but users were not able to introduce anything. That strategy obviously cannot be applied in the age of BYOD, when the devices aren't even owned by the company.

The solution many IT providers have found focuses instead on the core of the network and controlling access there. The ultimate goal is to put the protection at the point where any device contacts the network, determine if that device is qualified to make access, determine if the user is authorized to make contact, and then carefully control what goes in or out of the network to the user. This white paper discusses the controls companies need to implement, both on the administrative side, with carefully enforced policies that users must follow, and on the technical side, by putting the right controls in place to assure agile user access without compromising security.

What You Need to Consider Before You Begin a BYOD (Bring Your Own Device) Initiative in Your Company

The earliest computing environments consisted of a centralized head-end, where all compute processing and storage actually took place, with a distributed group of terminals allowing users to access the central system, or mainframe. This was often called a time-sharing environment because mainframe access was measured by the time actually spent using it.

In the late 1970s and early 1980s this model shifted to distributed processing and storage with the introduction of the microcomputer, which brought the entire compute assembly to each desktop. It didn't take long, however, until the value of centralization reasserted itself. Since computer communications bandwidth was relatively slow, many products were introduced that would allow personal computers to access a centralized server that ran the actual applications and only communicated screen appearance and keystrokes between server and user. Today, we call this approach VDI, or virtual desktop interface.

Many network managers have turned to VDI over the years as their strategy for controlling users' desktops. Since each user's complete desktop experience is actually stored on the server, they can access it from basically any device they choose, and the entire profile cannot be altered from anywhere except the server itself. As it becomes impractical, if not impossible, to control the end-user devices that are accessing the network, centralization reasserts itself as the ideal model from which to establish all the controls necessary to allow users to access the network from whichever device they choose. This does not mean that nothing needs to be done at the user end, but it does enable a strategy that can allow users the ready access they want while properly protecting the company's network and high-value data assets.

BYOD Policy

Remember that besides controlling the technology in use, you also have to provide controls for the people involved, which is a much trickier proposition. Unlike devices, people are unpredictable and often inconsistent. Your BYOD policy must be explicit, detailed, comprehensive, and clear about consequences. Remember that the data assets that are at stake here are the most valuable assets your company owns, and build your policy accordingly.

Issues and concerns to be sure are addressed in your BYOD Policy include:

Permitted Data Access

Even though you may know that your people are aware of what data entities they are and aren't permitted to access, it is important to state them in your policy in case you are ever called upon to litigate against anyone who violated your rules. They may, for example, claim that their unauthorized access was unintentional. Given that you will be enforcing those rules electronically, any unauthorized access will require intent to compromise your security provisions.

Personal Responsibility for Data Protection

It is critical that your people understand and appreciate their own participation in, and responsibility for, the protection of your company's data. As an example, a user may easily defeat the lock on their own smartphone or tablet and then leave it where others can access or steal it. Similarly, users may leave their laptop logged in and unattended. It must be emphasized that users must take every precaution.

Expectation of Privacy

When most people send an email, they aren't thinking about the privacy of the information they're sending. They are therefore surprised when an executive from their company asks to speak with them about an intercepted email. If that discussion leads to embarrassment or termination, they may decide to sue for wrongful termination. If they have confirmed receipt of a policy which states that they cannot have a reasonable expectation of privacy because email is a corporate asset, they have no legal grounds to sue. In cases where there is no such policy in place, the damages paid have been in the millions.

Employee BYOD Exit Strategy

When developing your BYOD policy it is crucial to make decisions about what will happen when an employee leaves the company. If there are any corporate apps or data on their device you will want to remove them, and so you may request that they submit their device to you for that removal. But what if they refuse? You may be able to perform a remote wipe of the device if they leave it on and accessible to you long enough for you to do that, but then you are also destroying their data assets, including personal photographs and purchased apps. If you've backed those up and can return them, you shouldn't have much trouble; otherwise they may pursue you for damages. If you can't perform the remote wipe you may have to litigate to compel them to destroy your property located on their device. This can become very difficult and very complex.

Regulatory Compliance Issues

Regulatory compliance usually has implications far beyond the technology. Users must understand their roles and responsibilities in maintaining compliance with whatever regulations your business is subject to. A simple example is the deletion of an email. This may be completely against your company's retention policy. Unless your system prevents users from completely deleting any email from the server, you may be held responsible for being unable to produce required documentation in an ediscovery. Make sure your users understand what is required of them.

Does the company have the right to access personal data while supporting

Suppose one of your users submits their personal smartphone or tablet for repair or upgrading by your IT department. While performing the required service, your technicians inadvertently find evidence of illegal activity on the part of the user. What is your responsibility to report this? Are you even allowed to report this? Obviously only your attorney can properly answer these questions, but including this in your statement that the user cannot have a reasonable expectation of privacy can help protect you.

Integration of BYOD Policy with Acceptable Use Policy

If your employee chooses to consume inappropriate content, that's their business and their right. However, when the device they do that on connects to your network, it becomes your business. If, for example, an employee downloads prurient photographs and then emails them where your employees can see them, you may be held liable. Even if the intended recipient does not find the material objectionable, if another employee passing their cubicle sees it, you may still be held liable.

BYOD Issues on the Client Device Side

Approved Devices

While the goal is to provide any user access with any device, this may not be practical from a support or security standpoint. If you know there are devices that cannot be properly managed to safely access your network, forbid them in your policy as well as in your network access control technology. Similarly, you'll need to state what levels of support your users can expect from you vs. their own provider. You may, for example, limit your support to devices on major platforms like Android, iOS, and Windows Phone.

Approved Applications

One of the technical issues that must be wrestled with is whether or not you can achieve containerization of personal data and apps separate from corporate data and apps. Especially if this is NOT yet the case in your environment, you must be very clear about forbidden apps. Some are capable of downloading malware from the internet and uploading it from your user's device to your network. Constant diligence must be exercised in finding these apps and notifying your users.

Who Owns the Device and its Voice and Data Services

In a BYOD strategy, it is anticipated that the employee owns their own device and the bandwidth contract that enables it. Some companies may elect to reimburse the employee for part or all of the recurring monthly expense as a perk; others may not.

Who's Going to Support the Device, Personal Apps as well as Professional

While you clearly will be supporting your corporate apps, exercise care when announcing your BYOD support strategy. You'd like to be able to say that you will support all apps on all devices, but this is likely to be impractical. With the plethora of apps constantly coming out, and new devices introduced regularly, anyone would be hard pressed to support them all. You must consider your support budget, your support staff, and reasonable expectations of turnaround time. You must also consider that your employee's device may also be used by their family, in which case damage can be caused at any time. Again, some separation of personal from professional use is best when determining how each device will be supported.

Authentication & Authorization

Required Access Security Measures to Use the Device

When a user picks up their smartphone or their tablet, their expectation is that they will quickly and easily be able to start using it. A keycode or gesture-based lock should not pose a problem. Imposing two-factor authentication, such as a SecurID token, just to use the device may be seen as overkill. If all corporate apps and data reside on your servers, this may not be an issue. Simply require the second factor when logging into the network. Users may still balk, but you have to balance their ease of use against corporate security.

Remote Wipe or Bricking

When a device such as a smartphone or tablet is lost or stolen, the cost of the device is negligible compared to the cost of corporate data on the device. The usual solution is to remotely wipe out all content on the device, a process often referred to as bricking the device because it basically turns it into a completely unintelligent brick. In a BYOD environment it is important to remember that you will be wiping out all personal data on your employee's device too. While you may not be legally responsible for their content, it will contribute highly to employee morale when you can restore their personal content to their replacement device as well as corporate apps and data. Remember also that remote wipe can be easily defeated by disconnecting the device from the network, so employees should know to contact your IT department the moment they discover a device lost or stolen.
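The failure mode the paragraph ends on, a queued wipe that a disconnected device never receives, is easy to see in a small model. The Go program below is an added example written for this page; it is not the paper's code and not the API of any MDM product. The MDMServer and Device types are constructed, and the server-side access revocation in ReportLost is the editor's illustration of the paper's own point that protection belongs where the device contacts the network: a device kept offline still loses its access to corporate resources even though the wipe command cannot be delivered to it.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is a constructed model of a managed BYOD device as the server sees it.
type Device struct {
	ID            string
	Online        bool // can currently reach the management server
	Wiped         bool // the wipe command has actually executed on the device
	AccessRevoked bool // the server side no longer accepts this device
}

// MDMServer is a constructed stand-in for a management server (assumption of
// this example, not any real product's interface).
type MDMServer struct {
	devices     map[string]*Device
	pendingWipe map[string]bool // wipe commands waiting for the device to check in
	AuditLog    []string
}

func NewMDMServer(devs ...*Device) *MDMServer {
	s := &MDMServer{devices: map[string]*Device{}, pendingWipe: map[string]bool{}}
	for _, d := range devs {
		s.devices[d.ID] = d
	}
	return s
}

// ReportLost is the action IT takes the moment a user reports a lost or stolen
// device. The wipe can only be queued (it needs the device to come back
// online), but access is cut at the server at once, so even a device that
// never reconnects can no longer reach corporate resources.
func (s *MDMServer) ReportLost(id string) error {
	d, ok := s.devices[id]
	if !ok {
		return errors.New("unknown device: " + id)
	}
	d.AccessRevoked = true
	s.pendingWipe[id] = true
	s.AuditLog = append(s.AuditLog, "access revoked and wipe queued for "+id)
	return nil
}

// CheckIn models the device contacting the server. Only here can a pending
// wipe be delivered; a device kept off the network never reaches this point,
// which is why the wipe queue alone is not enough protection.
func (s *MDMServer) CheckIn(id string) error {
	d, ok := s.devices[id]
	if !ok {
		return errors.New("unknown device: " + id)
	}
	if !d.Online {
		return fmt.Errorf("%s is offline; pending wipe not delivered", id)
	}
	if s.pendingWipe[id] {
		d.Wiped = true
		delete(s.pendingWipe, id)
		s.AuditLog = append(s.AuditLog, "wipe executed on "+id)
	}
	return nil
}

// PendingWipes reports how many wipe commands are still undelivered.
func (s *MDMServer) PendingWipes() int { return len(s.pendingWipe) }

// CanAccessCorporateData answers the question that matters for exposure:
// can whoever now holds the device still reach corporate resources?
func (s *MDMServer) CanAccessCorporateData(id string) bool {
	d, ok := s.devices[id]
	return ok && !d.AccessRevoked && !d.Wiped
}

func main() {
	// Constructed sample: one device still on the network, one disconnected
	// from it (the case the paper warns about).
	online := &Device{ID: "phone-online", Online: true}
	offline := &Device{ID: "phone-offline", Online: false}
	s := NewMDMServer(online, offline)
	for _, id := range []string{"phone-online", "phone-offline"} {
		_ = s.ReportLost(id)
		if err := s.CheckIn(id); err != nil {
			fmt.Println(err)
		}
		fmt.Printf("%s: wiped=%v corporate access=%v\n", id, s.devices[id].Wiped, s.CanAccessCorporateData(id))
	}
	fmt.Println("undelivered wipes:", s.PendingWipes())
}
```

The offline device ends with wiped=false and one undelivered wipe in the queue, yet its corporate access is already gone; that is the gap between what the wipe achieves and what the prompt call to IT achieves.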

Data Containerization vs. Virtual Desktop

Usually a user runs an application on their device which accesses data from your network. That data is transferred to their device during use. A virtual desktop (VDI) interface on your user's device allows them to connect to your network, but the application is actually running on a network server. The user sees the screen and can send keystrokes and mouse movements, but no application other than the VDI client is running on their device and no data is transferred from the server to the device. This completely isolates the user device from the network resources, creating a very distinct separation between the two. Since no corporate data resides on the user device, there is far less exposure for the company. Many IT professionals have been working on methodologies to containerize private data and corporate data separately on the device to keep them from intermingling. This will also create that separation, but it still allows corporate assets to remain on the user's device, which creates greater exposure.

Encryption

Each user device must be able to support the company's data encryption strategy. If a device cannot encrypt and decrypt data sent to and received from your network, it cannot be accepted as a BYOD candidate.

BYOD Issues on the Centralized Server Side

Network Access Control

When a user attempts to connect to your network they must authenticate themselves to confirm that they are qualified to make access. The same must be true for the device they are using to make that connection. Network Access Control interrogates the device to determine if it can support the necessary protocols, has required anti-malware measures in place and functioning properly, and is configured properly to access the network. This is a critical system to have in place to prevent damage to your network.

Application Delivery

The goal is to provide a consistently excellent user experience. Users accessing the network from their own device want to work at the same speed and with the same facility as if they were in the office sitting at their desk. Wireless access, however, doesn't always provide enough bandwidth to accomplish this. Especially when working with smartphones and tablets, many have chosen VDI, virtual desktop interface, to minimize the amount of data actually travelling between the user and the network. VDI only transmits screen appearance, keystrokes, and mouse movements. No large amount of data crosses the network. Since there is less data transfer, the responsiveness of the device to the user is much faster. This also keeps corporate data at the server and not on the user's device, where it is more vulnerable.
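The interrogation the Network Access Control paragraph describes comes down to a posture evaluation at the entry point: is the user authenticated, is the device known, does it meet the platform, encryption and anti-malware requirements, and is it configured acceptably. The Go program below is an added example written for this page, not code from the white paper or from any NAC product. The DevicePosture fields, the AccessPolicy type and the 7-day signature-age limit are assumptions made for illustration; the approved-platform list reuses the platforms the paper names as an example of a limited support list.

```go
package main

import (
	"fmt"
	"strings"
)

// DevicePosture is a constructed model of what the access-control point learns
// from a device before admitting it. The field set is an assumption of this
// example, not the report format of any real NAC product.
type DevicePosture struct {
	DeviceID           string
	Platform           string // e.g. "Android", "iOS", "Windows Phone"
	UserAuthenticated  bool   // the user has proved who they are
	DeviceEnrolled     bool   // the device itself is known to the organization
	SupportsEncryption bool   // can encrypt and decrypt traffic to and from the network
	AntiMalwareRunning bool   // required protection is present and functioning
	SignatureAgeDays   int    // how stale the anti-malware definitions are
	ScreenLockEnabled  bool   // basic configuration requirement
}

// AccessPolicy encodes the checks the paper calls for at the entry point.
type AccessPolicy struct {
	ApprovedPlatforms []string
	MaxSignatureAge   int // assumption: definitions older than this count as "not functioning properly"
}

// Evaluate returns every reason the device must be refused; an empty result
// means admit. All reasons are collected rather than stopping at the first,
// so the help desk can tell the user everything that needs fixing.
func (p AccessPolicy) Evaluate(d DevicePosture) []string {
	var reasons []string
	if !d.UserAuthenticated {
		reasons = append(reasons, "user not authenticated")
	}
	if !d.DeviceEnrolled {
		reasons = append(reasons, "device not enrolled")
	}
	if !p.platformApproved(d.Platform) {
		reasons = append(reasons, fmt.Sprintf("platform %q not approved", d.Platform))
	}
	if !d.SupportsEncryption {
		reasons = append(reasons, "device cannot support the encryption strategy")
	}
	if !d.AntiMalwareRunning {
		reasons = append(reasons, "anti-malware not running")
	} else if d.SignatureAgeDays > p.MaxSignatureAge {
		reasons = append(reasons, fmt.Sprintf("anti-malware signatures %d days old (max %d)", d.SignatureAgeDays, p.MaxSignatureAge))
	}
	if !d.ScreenLockEnabled {
		reasons = append(reasons, "screen lock disabled")
	}
	return reasons
}

// platformApproved compares case-insensitively so "ios" and "iOS" both match.
func (p AccessPolicy) platformApproved(platform string) bool {
	for _, a := range p.ApprovedPlatforms {
		if strings.EqualFold(a, platform) {
			return true
		}
	}
	return false
}

// Admit is the yes/no decision the access point enforces; the reasons are what
// gets logged and shown to the user.
func Admit(p AccessPolicy, d DevicePosture) (bool, []string) {
	reasons := p.Evaluate(d)
	return len(reasons) == 0, reasons
}

// DefaultPolicy uses the platforms the paper names; the 7-day limit is assumed.
var DefaultPolicy = AccessPolicy{
	ApprovedPlatforms: []string{"Android", "iOS", "Windows Phone"},
	MaxSignatureAge:   7,
}

func main() {
	// Constructed sample posture reports: one compliant, two not.
	devices := []DevicePosture{
		{DeviceID: "tablet-01", Platform: "iOS", UserAuthenticated: true, DeviceEnrolled: true, SupportsEncryption: true, AntiMalwareRunning: true, SignatureAgeDays: 2, ScreenLockEnabled: true},
		{DeviceID: "phone-02", Platform: "Android", UserAuthenticated: true, DeviceEnrolled: true, SupportsEncryption: true, AntiMalwareRunning: false, ScreenLockEnabled: true},
		{DeviceID: "phone-03", Platform: "BlackBerry", UserAuthenticated: true, DeviceEnrolled: false, SupportsEncryption: true, AntiMalwareRunning: true, SignatureAgeDays: 40, ScreenLockEnabled: false},
	}
	for _, d := range devices {
		ok, reasons := Admit(DefaultPolicy, d)
		if ok {
			fmt.Printf("%s: admitted\n", d.DeviceID)
			continue
		}
		fmt.Printf("%s: refused: %s\n", d.DeviceID, strings.Join(reasons, "; "))
	}
}
```

The policy object is deliberately separate from the evaluation so the approved-platform list in the written BYOD policy and the list enforced at the network edge can be kept identical, which is what the Approved Devices section above asks for.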

Malware Protection

No computing device is exempt from being attacked by viruses, Trojans, worms and other malware. While it is always best practice to provide solid protection from a respected provider, it becomes even more critical when each user device becomes a potential conduit of disaster to your network. Providing protection both at the device level and at the points where the device connects into the corporate network is crucial.

Data Encryption at Rest and in Transit

Many think that encryption of data is something you do when transferring it from one place to another, and this is certainly an important security provision. Protecting data at rest in storage is also important. Malicious individuals can easily work to access or corrupt data in storage. Also, the government can subpoena data from storage providers without informing you. By using an encryption strategy where the keys are not available to the provider, the government must make you aware of the subpoena to obtain your encryption keys. From a user-device standpoint, every device accessing your network will have to be able to support your encryption strategy.

DLP: Data Loss Prevention

If your network doesn't include provisions for monitoring and enforcing rules around proper data use, your BYOD initiative should absolutely motivate the addition of it. Data Loss Prevention provides visibility into who is using what data entities for what purpose and enables you to quickly act to prevent potential compromises.
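One way to realise "keys are not available to the provider" is to encrypt before anything leaves the company and hand the storage provider only ciphertext, so that a request to the provider yields nothing readable without a second request to you for the key. The Go program below is an added example written for this page, not the paper's own code. The Provider type is a constructed stand-in for a storage service, and AES-256-GCM with the object name bound in as associated data is the editor's choice of construction; the paper does not specify one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider is a constructed model of a third-party storage service: it keeps
// whatever bytes it is handed and is never given a key.
type Provider struct {
	blobs map[string][]byte
}

func NewProvider() *Provider { return &Provider{blobs: map[string][]byte{}} }

func (p *Provider) Put(name string, blob []byte) { p.blobs[name] = append([]byte(nil), blob...) }

func (p *Provider) Get(name string) ([]byte, bool) { b, ok := p.blobs[name]; return b, ok }

// NewKey generates a 256-bit AES key that stays inside the company.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts with AES-256-GCM before anything leaves the company. The random
// nonce is prepended to the ciphertext; the object name is bound in as
// associated data so one stored blob cannot be passed off as another.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; it fails on the wrong key, a renamed blob, or any
// modification of the stored bytes.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// StoreEncrypted and FetchDecrypted are the company-side wrappers: only
// ciphertext ever crosses to the provider, and only the company holds keys.
func StoreEncrypted(p *Provider, key []byte, name string, plaintext []byte) error {
	blob, err := Seal(key, name, plaintext)
	if err != nil {
		return err
	}
	p.Put(name, blob)
	return nil
}

func FetchDecrypted(p *Provider, key []byte, name string) ([]byte, error) {
	blob, ok := p.Get(name)
	if !ok {
		return nil, errors.New("no such object: " + name)
	}
	return Open(key, name, blob)
}

// ProviderHoldsPlaintext is the check an auditor would make: does what the
// provider actually stores contain the readable data?
func ProviderHoldsPlaintext(p *Provider, name string, plaintext []byte) bool {
	blob, ok := p.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	p := NewProvider()
	doc := []byte("constructed sample: Q3 customer list, not a real record")
	_ = StoreEncrypted(p, key, "customers.csv", doc)
	fmt.Println("provider can read it:", ProviderHoldsPlaintext(p, "customers.csv", doc))
	back, err := FetchDecrypted(p, key, "customers.csv")
	fmt.Printf("company reads back %q (err=%v)\n", back, err)
	other, _ := NewKey()
	_, err = FetchDecrypted(p, other, "customers.csv")
	fmt.Println("wrong key fails:", err != nil)
}
```

Because GCM authenticates the ciphertext, the same construction also covers the "corrupt data in storage" concern above: a modified blob is refused rather than decrypted to garbage.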

WHAT TO CONSIDER BEFORE YOU TELL USERS THEY CAN BYOD