Is BYOD a legitimate strategy or a network security nightmare?
Why a "Bring Your Own Device" approach to mobile access security may not be such a bad idea.
When you ask Chief Security Officers for their nightmare scenario, they invariably mention either a network outage or an intrusion. For years, the enemies were known and relatively limited in number, but today we live in one open network, threats are more diverse, and the old “Maginot line” strategy is outdated. Times have changed, haven’t they? Well if you put yourself in the shoes of an enterprise network security professional, limiting access to internal resources might still be your holy grail. Unfortunately though, you now have more than just the one perimeter to deal with; you are now in charge of dozens, hundreds, maybe thousands of small and mobile networks: your users.
The rise of mobile devices in Europe
In Europe, over the last decade, we’ve seen an incredible adoption rate of high throughput networks and mobile devices. It started at home, with affordable DSL Internet access, where competition between ISPs has forced prices ever lower, while available bandwidth has increased by orders of magnitude. In France today, for example, €30 ($44) a month can buy you up to 100Mb/s.
This abundance has set an appetite for technology. European countries are right behind the US in terms of consumer mobile phone adoption and tablet usage, but as always, the enterprise market has moved at a slower pace. One reason for this is that for a while, the big European ISPs maintained high prices for enterprise connectivity, in a desperate attempt to finance the huge infrastructure costs required by the Internet’s mass adoption.
Combined with the late awareness of network security threats, Europe has directly switched from isolated networks to massive numbers of mobile users. Yet Europeans still lack the necessary, proven tactics to adopt these new tools without putting their business at risk.
Bringing your home to work?
So, while the difference between home and office equipment is still significant, employees will bring their home devices to work. They use their personal computer on the enterprise network, mainly because it is unlocked, and might even embed software dedicated to avoid the company’s web filtering policy.
This issue is not really new, but it is overwhelming. For years, preventing unauthorized access to individual devices has been enough of a challenge: blocking USBports, CD-ROMs, unwanted network file transfers, preventing the antivirus being switched-off, etc. The list is almost as endless as the imagination and ingenuity of a user intent on winning that all-important e-bay® auction bid.
What can we do? The most obvious and - let’s admit it - “comfortable” - solution is to come back to the Maginot line tactics. It is a common, and valid, security policy to admit only company devices and to block access from everything else. The only problem with this is that it doesn’t work! There are just too many device changes and too many requests for remote access. How can you say “no” to your VP of sales who demands you give him access to his “damned e-mails” while traveling overseas? You can’t. He is an Apple fan and doesn’t want your obsolete 3GS for which you’ve negotiated a good deal? It seems that your security policy is in trouble right away.
The reality is that IT professionals don’t have a choice; they can fight the wave and lose, or try to surf it. Application-level security policy should replace device-based access-lists - whatever the device is - personal or corporate. Despite what some security vendors may tell you, this does not mean you have to forget the devices completely. You just need to have the ability to recognize it and apply different security profiles accordingly. Technology can help. A unified security gateway should be able to manage local and remote access, automatically identify the applications and devices in use, and apply different security inspection strategies based on this information.
Tracking the different usages and automatically adapting your security policy gives you an all-important advantage over a simple blocking strategy: you know what’s happening. This enables you to act on the most important link in the overall security chain: your users.
Photo courtesy of Niels Heidenreich
Director of Product, NETASQ