Protecting Your Network in a BYOD EnvironmentBy Bob Violino | Posted 2014-06-27 Email Print
Allowing employees to use their personal mobile devices to access the corporate network can increase productivity and morale, but it also increases risks.
For a growing number of organizations, bring your own device (BYOD) has become an undeniable fact of life. Few enterprises these days want to tell their employees that they can't use their personal smartphones or tablets for work purposes.
And, to be fair, BYOD does deliver benefits. For instance, employers don't need to invest in as many company-owned devices to distribute to mobile workers. And employees get to use their device of choice to access data, collaborate with colleagues and perform a variety of tasks—and that can lead to increased productivity.
On the negative side, BYOD clearly comes with information security risks. While the security of the devices themselves is important, organizations also need to make sure they effectively protect their networks against threats.
"Because BYOD means a large range of devices could be connecting to your network, you have to create policies that are very specific to individual roles or responsibilities," says Christian Kane, analyst for enterprise mobility, Infrastructure & Operations, at Forrester Research.
Companies need to consider strategies such as network segmentation, whereby different mobile users are permitted various levels of access depending on their roles. Some are restricted from network access altogether.
Other technologies such as certification, mobile VPN clients and mobile device management (MDM) software that includes secure browsers can provide additional protection when mobile workers have access to sensitive information or are working from locations that might not be as secure, Kane adds.
"We see MDM evolving to enterprise mobile management, and those solutions tend to be a cornerstone of any mobile security [strategy]," Kane says. "Often, they will be integrated with VPN clients or certificate management offerings."
Many organizations launching BYOD programs will initially grant a good number of users access to a guest network. "That's usually because most of the [BYOD] programs start pretty small and then slowly expand," Kane says. He adds that users will then ask for access to the corporate network, and most companies will agree to that provided the employee has a legitimate need for access.
What's the risk of not doing anything about network security in the BYOD age? Kane describes it like this: "If you have a device compromised in some way and you don't have monitoring capabilities, you've given that device access to other things, and it's very possible it could get access to sensitive information or compromise your network in some way."
Grappling With BYOD Security Issues
Like many educational institutions, the Fashion Institute of Technology (FIT) in New York is grappling with BYOD security issues.
"As a school, we have little control over devices owned by students and faculty," says Gregg Chottiner, vice president of IT and CIO at FIT. "On average days, we have several thousand devices on campus accessing the wireless infrastructure."
When selecting a new wireless LAN (WLAN), FIT looked for a solution that would deliver secure, reliable network access for students and staff, as well as easily managed guest access, he says. It was also essential for the WLAN to be robust enough to support the often high-bandwidth educational applications that FIT uses in its classrooms.
FIT has deployed an Aruba Networks WLAN with the vendor's ClearPass Access Management System at its New York City campus. The WLAN is designed to deliver secure, campuswide access, as well as guest access and management.
The ClearPass system scans devices that have the Apple iOS and Windows operating systems for active and updated antivirus clients. "All devices must be authenticated before accessing the FIT network," Chottiner says. "Wireless devices are blocked from directly accessing critical systems."
Establishing these policies has provided a layer of security that protects the network. "We have established multiple wireless segments for various populations," Chottiner says. "The dorms, guests and contractors have special wireless networks that utilize policies to manage access to various services. We are experimenting with application policies to enable and/or block access based on location or time of day." For example, the institute can block Facebook access during class times.