By Shamoun Siddiqui
Thu | Sep 5, 2013 | 1:49 PM PDT

We sure love our acronyms, don't we? These days you need a veritable glossary to keep up. Well, behind each of those innocuous, and often cool, three- or four-letter acronyms lies a massive headache—for most information technology and information security professionals.

I don't know about you, but in my years of being a security professional I cannot recall a bigger headache than that brought on by Bring Your Own Device (BYOD) considerations. It seems to me that within the past year or so, BYOD has suddenly exploded on the scene to an extent where every single vendor worth its salt is now claiming a solution in this space.

Every conference that I have been to recently has been overwhelmed by BYOD conversations. At RSA this year, one particular BYOD presentation required an encore. We are witnessing a veritable revolution brought about by the consumerization of IT.

Unfortunately, with all the hype surrounding BYOD and all the discussions and all the vendors claiming a silver bullet, there really isn't a solution that by itself offers a true BYOD environment for anything other than a very simple enterprise. Here is the problem: employee-owned devices can include smartphones and tablets running iOS, multiple versions of Android, Windows Mobile, Symbian, etc. They may include personal BlackBerrys. They certainly include Windows PCs and Apple Macs with multiple versions of the operating systems. Corporate resources that these devices may need access to include Exchange services (email and calendar) as well as SharePoint, file servers, internal websites and applications.

Finding a solution that encompasses all of these varieties of devices and the combination of resources is a challenge, to say the least. Certainly, BlackBerry is an outlier at this time and stands on its own. There are efforts underway to bring it under a single umbrella of BYOD or MDM, but for now the proprietary nature of the BlackBerry Enterprise Server limits its incorporation. So let's leave BlackBerrys aside for now and focus on a strategy for the generic Android, Windows Mobile, and iOS devices.

For most organizations, the headache centers around managing the proliferation of employee-owned smartphones and tablets that are being used, for the most part, to access the company's Exchange environment via ActiveSync. The connectivity, in general, is through a 3G or 4G cellular network even while on campus. This "invisible network" adds to the burden on the Exchange servers, for example, and therefore adds to the IT operations costs.

Increasingly, employees with personal devices are asking for connectivity to the corporate wireless network. After all, they have wireless Internet access at home, at Starbucks, in hotels and in other public places. Why is it that they cannot have wireless Internet access for their personal devices when they are at work? This seems like a valid request. The problem is that most corporate wireless networks may not have been designed with enough capacity to handle the additional load. Adding wireless capacity to provide an enhanced user experience may not be at the top of the CIO's list of priorities.

From a security perspective, the single biggest concern around employee-owned devices in a corporate environment is data leakage. The presence of company data on non-company devices may violate customer or client contractual requirements and even local laws. Furthermore, in the event of a breach and an ensuing forensic investigation, the chain of custody could extend to the employee-owned devices and to the employee's home, resulting in significant costs to the company.

It is, therefore, obvious that in order to mitigate some of these risks a technology solution is required. Luckily there are multiple options available for a Mobile Device Management (MDM) solution. An MDM solution could quickly rationalize the "invisible network" and bring order to the chaos of an open-door policy, allowing IT Operations to control and manage these devices easily and effectively.

Here is what to look for in a typical MDM solution:

  • User device self-enrollment / registration
  • Certificate based device authentication
  • Policy enforcement (PIN/password policy, device lock timeout, remote wipe, etc.)
  • Containerization
  • Encryption

The first three items are security-centric while the latter two are privacy- and compliance-centric. Containerization allows company data to be stored and accessed separately from personal information. Encryption of this container provides safe harbor from breach notifications and customer contractual requirements.

Currently, most MDM technologies do not allow the management of employee-owned laptops and Macs. For a true BYOD environment, laptops and Macs must be accounted for. This is where Network Access Control (NAC) comes in. NAC goes as far back as 2003 and is making the rounds these days in its second or third incarnation, having failed to deliver on its much-hyped earlier promises. The modern NAC appears to be elegant and far more functional than its predecessors. Properly implemented, a NAC solution would allow the intelligent determination of employee-owned vs. corporate assets, whether on the wire or on a Wi-Fi network, and then, based on the health or categorization of the connecting device, determine the level of access to be granted.

During the mid-2000s the primary focus of NAC was to provide a mechanism for guest access (vendors, consultants, contractors, etc.), wired or wireless. This requirement may still exist for most organizations. However, now the added consideration is about employees and their personal laptops and Macs. For the most part, the three large categorizations are:

  1. Employees with corporate assets

  2. Employees with personal assets

  3. Non-employees with non-corporate assets

NAC provides the ability to distinguish between these classes of users (and more) and then, based on defined policies, provides a certain level of access and services over the wire or over the corporate wireless network.

As may be obvious from the above discussions, MDM and NAC focus on the device side of the equation. Both technologies are designed to control devices on the network and to enforce policies. Both technologies are agnostic of the data being accessed or processed by the endpoints.

This is where Data Loss Prevention (DLP) comes in. For most organizations that process large amounts of consumer or client personal information or credit card information, there is a need to know where the data is flowing. Even with a good MDM and a NAC solution in place, it would be crucial to know if Personally Identifiable Information (PII), Payment Card Industry (PCI) data, Protected Health Information (PHI) or other sensitive information is moving to an endpoint that is not a corporate asset, and to be able to control or prevent the flow of such information. State and federal laws and, increasingly, client and customer mandates, are discouraging the storage of sensitive information on non-company assets. In situations where this is not controlled, the loss or theft of a device containing sensitive consumer or client information could necessitate breach notifications or credit monitoring services in accordance with local laws. This could be a very costly exercise for most companies.

Therefore, for companies with strong data privacy needs, it is crucial that a technology solution be implemented to monitor the flow and storage of sensitive information on non-corporate endpoints.

Data Loss Prevention technologies have become fairly mature over the past few years and there are several very strong commercial offerings that are highly effective in monitoring and controlling SMTP, HTTP/S and FTP traffic flowing inside and across the company's perimeter.
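As an added example (not code from this post or from any vendor's product), here is a small Python DLP check that ties the two halves of the argument together: the corporate vs. personal device classification that MDM enrollment and NAC provide, and content inspection of the SMTP/HTTP(S)/FTP channels described above. Payloads are scanned for card numbers (Luhn-validated, to cut false positives) and SSN-shaped strings, and sensitive data bound for a personal or unregistered endpoint is blocked while the same data on a corporate asset is only logged. The inventory, device ids and traffic records are constructed.

```python
import re

# Constructed inventory standing in for MDM enrollment / NAC records: which endpoints are corporate.
DEVICE_INVENTORY = {
    "dev-c001": {"owner": "alice", "corporate": True},
    "dev-p042": {"owner": "bob", "corporate": False},
}
MONITORED = {"SMTP", "HTTP", "HTTPS", "FTP"}      # channels the DLP monitor inspects
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # digit runs with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN shape

def luhn_ok(number: str) -> bool:
    """Luhn checksum: keeps arbitrary digit runs from counting as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_payload(text: str) -> set:
    # Label a payload with the data classes the post names (PCI, PII).
    found = set()
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("PCI")
    if SSN_RE.search(text):
        found.add("PII")
    return found

def dlp_decision(protocol: str, device_id: str, payload: str) -> tuple:
    """(action, classes): sensitive data is logged on corporate assets, blocked elsewhere."""
    if protocol not in MONITORED:
        return "allow", set()
    classes = classify_payload(payload)
    if not classes:
        return "allow", classes
    device = DEVICE_INVENTORY.get(device_id)
    if device is not None and device["corporate"]:
        return "log", classes
    return "block", classes                  # personal or unregistered endpoint

def scan_records(records) -> list:
    # Apply the policy to (record_id, protocol, device_id, payload) tuples.
    return [(rid, dlp_decision(proto, dev, body)[0]) for rid, proto, dev, body in records]

# Constructed sample traffic records (not real data).
SAMPLE = [
    ("r1", "SMTP", "dev-p042", "card 4111 1111 1111 1111 exp 12/25"),
    ("r2", "HTTPS", "dev-c001", "applicant SSN 123-45-6789"),
    ("r3", "FTP", "dev-x999", "ref 1234 5678 9012 3456 and SSN 987-65-4321"),
]
```

Record r3 shows why the Luhn check matters: its digit run is not a valid card number, so only the SSN triggers the block, and the block happens because the device was never enrolled.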

There is already some DLP integration available at the MDM and NAC levels, and at least one major vendor seems to be offering a marriage of DLP with MDM. Either way, it is only a matter of time before these technologies merge seamlessly.

Finally we come to Virtual Desktop Infrastructure (VDI). I like to think of VDI as the one possible silver bullet for a true BYOD strategy from a data loss perspective. Virtual desktops are the only mechanism by which the end point can be completely decoupled from the corporate network thereby eliminating any concerns around data storage and leakage from a non-corporate asset.

Obviously VDI is not without its own challenges, although some of the more recent incarnations of VDI appear to be highly functional as well as easily manageable and deployable. Virtually any device can now be used to connect to the virtual desktop infrastructure, and the state of a user's desktop environment can be maintained between sessions and even between devices.

For those unfortunate road warriors who spend an inordinate amount of time in airports and on planes with no network connectivity, the state can be "downloaded" onto their devices so that they can continue working offline. The state is a self-contained and encrypted container that does not allow information to cross over to the user's personal space on the device. When network connectivity is re-established, the "state" is synced with the corporate systems, all changes are uploaded and the local container is wiped.

As attractive as VDI can be for a true BYOD environment, for most organizations it may be a dream beyond reach. VDI can require some significant capital dollars initially and the ongoing operational expenses may not offset any savings that result from allowing employees to bring in their own devices. Furthermore, a virtual desktop infrastructure may require a different breed of administrators to support end users resulting in additional costs due to education and training. A CIO looking for a return on investment (ROI) may not be able to justify this expense.

In conclusion, a true Bring Your Own Device (BYOD) initiative would require that several complementary technologies be implemented concurrently to address each of the disparate requirements. If the intent is just to rationalize the unmanaged proliferation of employee-owned devices, then a suitable MDM solution would suffice. If there is a need to manage vendor and guest access and to allow wired/wireless access from non-corporate laptops, then a NAC solution may be required. If the company stores, processes or transmits PCI data, PII or PHI, etc., then a DLP solution may be a mandatory requirement. If ultimate nirvana is required, then a VDI with an appropriate MDM may be the answer.

The industry appears to be recognizing these challenges, and vendors appear to be complementing their core skills with some of these supplementary technologies. At least one major player in this space appears to be offering a limited marriage of their MDM solution with their DLP offering. Others are catching up as well. The space is maturing very rapidly. Whether you wait or implement one or more of these technologies now, you can be sure that in the coming months and years you will see single-vendor solutions that start to encompass all of these moving parts.

This is such an exciting time for us information technology and information security folks!
