Creating Security Best Practices to Support BYOD Strategies
Today’s infrastructure calls for more flexibility and better adaptation around the end-user. Better technologies have allowed organizations to move their environments offsite and into the cloud. From there, IT administrators are able to deliver entire workloads from a cloud-based environment down to the end-user. One of the biggest changes over the past few months has been the demand by the user to incorporate personal devices. This practice has been named the Bring Your Own Device (or Computer… or Anything) initiative. Already adopted on work phones with tools like email – users are asking for even more from their IT departments.
In the past, adopting a BYOD plan could be seen as expensive and very clunky. Now, however, advancements in bandwidth, hardware technologies and delivery methodologies have allowed IT environments to deliver more than just email to the end-user. Virtual applications and even desktops can now be pushed to almost any device, anywhere, at any time – given an Internet connection.
A recent article from INC.com pointed out that there are two important and related trends which are already having a significant impact on day-to-day operations at a rapidly growing number of businesses are BYOD (bring your own device) and BYOA (bring your own application). Market researcher Gartner Inc. predicts that almost four in 10 organizations will rely exclusively on BYOD– meaning they will no longer provide any devices to employees– by 2016, and 85 percent of businesses will have some kind of BYOD program in place by 2020.
Furthermore, as enterprise bring your own device (BYOD) programs continue to become more commonplace, 38 percent of companies expect to stop providing devices to workers by 2016, according to a global survey of CIOs by Gartner.
“BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades,” said David Willis, vice president and distinguished analyst at Gartner. “The benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction, and reducing or avoiding costs.”
With this type of demand in the BYOD space, one of the biggest questions on the minds of IT managers is security. Here, we take a look at some best practices revolving around security when an organization decides to move with a BYOD platform.
- Control User Experience. Controlling the user experience means understanding what is being delivered down to the end-user. Applications with sensitive information should not be delivered down to an unknown device. This can be done at an application monitoring level or by using a tool which locks down apps being delivered over the WAN.
- Create a Controlled Device List. Do not make BYOD a free-for-all. This is one of the most important aspects of making a solid BYOD policy. Have a set list of approved or supported devices and provide that list to the user. From there, IT administrators will only need to worry about delivering a client to the end-user and nothing more.
- User Firewall Rules and Policies. Many of today’s security devices are known as “next-gen” appliances. These security devices are able to conduct end-point scans, policy checks, and geographically identify a user. Based on the needs of the organization, BYOD rule-sets can be built around good security device policies. Firewalls and gateway appliances can be set up to detect what type of device is connecting in and then intelligently direct the traffic to the appropriate landing page.
- Create a Usage Policy. Much like a computer usage policy, it’s important for users to understand that the data they are accessing is still corporate owned. Users who wish to user their own devices must do so responsibly. The usage policy will make the end-user aware that although their devices will not be monitored, the data being delivered will be – which brings up the next point.
- Monitor Activity. Whenever an organization is delivering data across the WAN to an end-point device, that information must be monitored and controlled. Active monitoring protocols ensure a proactive rather than a reactive environment. Data monitoring tools can go above and beyond just monitoring activities of the user. Controlling the types of data being delivered is also important. For example, locking down credit card numbers or Social Security information via policy is a common practice. So, if a user tries to access or distribute information in an xxx-xx-xxx format – they are immediately flagged and the leak is stopped.
- Secure the Data. Although BYOD certainly focuses on the end-user, securing the data at the server level is very important. Using IPS and DLP systems will help prevent data leaks. Furthermore, ensure that all traffic is sent through HTTPS/443 and that end-users are connecting through a secure means. Internally, data must be secured on servers which are fully patched and have an appropriate AV running on top of it. When creating a BYOD program, gateway appliances are able to read the headers of the client which is coming in to request the data from the data center. By knowing the type of device, administrators are able to route the right type of data to the end-user. For example, a certain set of data may be available only to mobile phone users while more can be provided for users entering with an iPad or tablet device.
There are many ways to secure an environment. Now, the need is to expand that security to devices not owned by the organization. Remember, even though the device isn’t under the company’s control – the data is. Using intelligent tools to help secure internal environments can go a long way in delivering a sound and secure BYOD platform. Simple internal procedures such as securing desktops (even virtual ones) with intelligent antivirus programs and monitoring activity of the workload will help IT administrators have control over the environment.