Tackling BYOD: What Tools Do You Need?
Taylor Armerding at CSO Magazine just published a story on bring-your-own-device (BYOD) strategies: “BYOD keeps expanding, and IT just has to deal with it”. He contacted us as a source for his story. He had three questions for us:
Gartner recommends mobile data protection (MDP), network access control (NAC) and mobile device management (MDM) tools. Do you agree?
Is there anything else IT departments should be doing?
The debate is ongoing about the economic and security benefits vs. disadvantages of BYOD. Where do you come down on it? Should enterprises embrace it or discourage it, and for what reasons?
These are all important questions that CISOs must answer. You can see Taylor’s published story here, in which I was briefly quoted. As a service to our customers, however, I thought it might be fun to show you the full text of my email reply to him:
1. Gartner recommends mobile data protection (MDP), network access control (NAC) and mobile device management (MDM) tools. Do you agree?
I do agree, but with some caveats. Gartner’s recommendations cover a broad swath of IT devices, so it is important to understand which kinds of “bring your own” devices a company wants to protect: (1) laptops (which are “mobile devices” in the sense that they are portable PCs) or (2) Post-PC devices like smartphones and tablets?
For laptops, Gartner recommends using MDP tools, which basically means buying full disk encryption hardware and software, along with management tools. This is good advice; company sensitive information should always be encrypted at rest.
However, companies might want to take a look at what they already have before they buy a third-party product. For example, if the company has a modern PC fleet running the enterprise versions of Windows 7 or Windows 8, the built-in BitLocker full-disk encryption feature might be good enough. But most employees who bring their own PCs are not likely to bring in a Windows machine; it will probably be a Mac. In that case, Apple’s built-in FileVault 2 full-disk encryption feature, which is very good, might be enough if the Mac runs Lion or Mountain Lion. That said, companies who want a FIPS-validated solution or something that integrates with PC-based encryption management tools should look at vendors that provide Mac support such as Sophos or Symantec.
For smartphones and tablets, mobile device management (MDM) tools are essential. (Disclaimer: Perimeter offers a cloud-based MDM service). MDM can help ensure that the most essential mobile security policies are enforced, for example requiring a PIN and an “auto-destruct” policy. MDM can ensure that content- or full-device encryption is enabled on platforms that support it, such as iOS and BlackBerry. However, Android devices offer no guarantees about whether encryption will be present or not, so we generally recommend retrofitting Android devices with a lightweight encrypted container app such as Nitrodesk’s TouchDown product. TouchDown will provide encrypted storage for email, tasks, calendars and contacts when used in conjunction with MDM and ActiveSync. (It’s a type of “lightweight” MDP, I suppose, because it covers just part of the device.)
Gartner recommends NAC, but NAC is a “fussy” technology that doesn’t work well in dynamic environments. The idea is noble: block any devices not known to IT from accessing the network. Sounds nice, but in practice NAC is very brittle because it presupposes that IT can somehow know all of the devices that should be allowed to be on the network. With BYOD, they can’t — indeed, that is the point of BYOD. For most companies, NAC doesn’t bring much benefit, and adds a lot of hassle.
Instead of NAC, companies should use MDM in conjunction with their email systems to block devices not managed by MDM from accessing email. This is done via an ActiveSync proxy that integrates with MDM; every device that tries to get email is referred to MDM to see if it is enrolled. If not, the device is blocked. Nearly every MDM product has an ActiveSync enforcement proxy. This is a much simpler process than NAC, and it makes sense because everybody needs to get their email. So why not use it as a chokepoint?
2. Is there anything else IT departments should be doing?
Technology can only get IT so far. To manage BYOD effectively, managers need to address two other components: policy and law. The law increasingly dictates what companies can (and cannot) do with employee-owned devices, which in turn drives the policies. Companies should:
- Create an explicit Bring-Your-Own-Device oriented Acceptable Use Policy
- In the AUP, clearly spell out data protection obligations; support roles and expectations; reimbursement; data collected while the device is under management; employer rights to monitor, confiscate and wipe devices (and under what conditions); data ownership; and what happens when the employee leaves the company.
- Require employees to sign off on the AUP when bringing their devices to work
- Create simple, common-sense IT security policies. For example, always require encryption for sensitive company information in motion and at rest. Protect each device with a 5- or 6-digit numeric passcode; when combined with a 10-wrong-tries auto-destruct policy, this policy is stronger than a typical desktop password policy, and easier to use as well.
- Minimize the data you collect from employee-owned mobile devices; the less the better
- Use MDM to enforce your policies through technical means whenever possible
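As an added example (not Perimeter's product code and not part of the original post), here is a Python sketch of the ActiveSync enforcement gate described under question 1, combined with the passcode, auto-destruct and encryption rules from the policy list above: every sync request is parsed for its DeviceId, the device is looked up in the MDM enrollment table, and it is blocked if it is unknown, enrolled to a different user, or out of policy. The MdmRecord schema, the DeviceId values and the enrollment table are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs
# Policy values from the post: 5- or 6-digit numeric PIN, wipe after 10 wrong tries.
POLICY = {"min_pin_digits": 5, "max_failures": 10}
@dataclass
class MdmRecord:  # what the MDM holds for one enrolled device (constructed schema)
    user: str
    platform: str             # "iOS", "BlackBerry", "Android", ...
    pin_digits: int           # numeric passcode length enforced on the device
    wipe_after_failures: int  # 0 means no auto-destruct policy is set
    encryption_on: bool       # device/content encryption reported by the platform
    container_app: bool       # encrypted container app present (Android)
# Constructed sample enrollment table keyed by ActiveSync DeviceId.
ENROLLMENT = {
    "APPL1234": MdmRecord("alice", "iOS", 6, 10, True, False),
    "ANDR5678": MdmRecord("bob", "Android", 4, 0, False, False),
}
def parse_eas_request(url):
    """Extract the identifiers an ActiveSync client sends as query parameters."""
    q = parse_qs(urlparse(url).query)
    return {k: q.get(k, [None])[0] for k in ("User", "DeviceId", "DeviceType", "Cmd")}

def compliance_issues(rec):
    """Policy violations for an enrolled device; an empty list means compliant."""
    issues = []
    if rec.pin_digits < POLICY["min_pin_digits"]:
        issues.append("pin-too-short")
    if not 0 < rec.wipe_after_failures <= POLICY["max_failures"]:
        issues.append("no-auto-destruct")
    if rec.platform == "Android" and not rec.container_app:
        issues.append("no-encrypted-container")  # Android: no platform guarantee
    elif rec.platform != "Android" and not rec.encryption_on:
        issues.append("encryption-off")
    return issues

def gate(url, enrollment=ENROLLMENT):
    """Proxy decision for one request: ('allow' | 'block', reason)."""
    req = parse_eas_request(url)
    if not req["DeviceId"] or not req["User"]:
        return "block", "malformed-request"
    rec = enrollment.get(req["DeviceId"])
    if rec is None:
        return "block", "not-enrolled"
    if rec.user.lower() != req["User"].lower():
        return "block", "user-mismatch"
    issues = compliance_issues(rec)
    if issues:
        return "block", "noncompliant:" + ",".join(issues)
    return "allow", "enrolled-and-compliant"
```

In a real deployment the enrollment lookup would be a call to the MDM's API rather than an in-memory dict, and the reason string would go to the proxy log so that blocked devices can be reconciled against enrollment requests.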
[Note: I didn't mention it in the email reply to Taylor because it would have been crassly commercial, but you should know that Perimeter's Cloud MDM service was built for BYOD. We provide out-of-the-box policy templates that enforce best-practice security policies for passwords, encryption, email and data collection. We also provide a Model Acceptable Use Policy template, co-developed with a leading international law firm, that companies can use as the basis of their Acceptable Use Policy for employee-owned devices. The Model AUP is written in simply worded but legally correct English, and specifies the twelve key policies and practices that every BYOD program should have. We wanted companies to be able to enjoy the benefits of BYOD, and get them as close to zero effort as possible. That's why we don't just offer an MDM technology product, but a total solution spanning the disciplines of technology, policy and law.]
3. The debate is ongoing about the economic and security benefits vs. disadvantages of BYOD. Where do you come down on it? Should enterprises embrace it or discourage it, and for what reasons?
For PCs, I am not convinced that BYOD makes sense economically. It makes more sense to simply procure the devices employees want, within reason. For example, if your developers want Macs, you should buy some for them. If a company is small, you can manage the security aspects of the Mac centrally (through Active Directory policies), and let employees go to the Apple Store for break/fix. Larger companies will want to bring some of the Mac break/fix competencies in-house. But regardless, on the economic and security questions, there is much less ambiguity if IT keeps the devices company-owned.
For smartphones and tablets, the BYOD ship has already sailed. Most companies that allow ActiveSync access already have a BYOD problem; they just might not know it yet. BYOD is not a question of “if,” but of “when.” The advantages of BYOD are clear: more choice and a happier workforce. What companies need are answers and solutions to ensure that costs and risks are properly managed.
For smartphones, IT can make a very clear economic case for BYOD. If the employee pays for some or all of the data plan, those savings can be used to pay for MDM. Imagine that an employee wants to move from BlackBerry to iPhone. Suppose the combined savings from (a) not paying for BlackBerry data service and (b) letting the employee cover some or all of the data plan, is $35 per month. MDM costs range from $3 to $10 per month. Even if you add in some “soft costs” to set up and run the BYOD program, the savings far outweigh the costs. It’s a no-brainer. From the security perspective, the risks can all be managed using the strategy I’ve described above.