BYOD: Barbarians at the Gate?
Call this the network security challenge of 2012. On the one side, there is a stark reality: "It is untenable to deny network access to personal devices today," said Chris Clymer, SecureState's manager of Advisory Services.
When employees show up at work with iPhones, iPads, Kindle Fires, and Droids demanding access to their files, more often than not IT today does as Clymer suggests: it opens the gates. Then the ante gets upped "when you see senior executives with those devices in hand," said Jeff Schmidt, executive global head of Business Continuity, Security & Governance at BT Global Services.
Which, in turn, leads to many sleepless nights. "How can we control devices we don't own? That is the question," added Schmidt.
The good news is that there are options for giving workers the access they want without triggering too much risk. The bad news is the situation will never be quite as secure as it was when the organization exerted total control over the devices that had network access.
Tried and true ... mostly
But there remains much IT can do. Probably the single most prevalent security play today remains requiring devices to access the network via VPN, said Doug Louie, senior director of product marketing at Smith Micro Software. "VPN has been the preferred way to go. It's pretty much standard," but, added Louie, "we have seen some slackening of VPN use."
The reasons are loud and persistent user complaints about difficulties in using VPN with at least some mobile phones. A technology perfected for use with laptops, VPN has proven slippery to use with mobile devices and, be the gripes warranted or not, the plain fact is more organizations are rethinking the use of this technology.
Key to VPN is that its use typically gives the employee full access to the corporate network, but is that needed? Or wise? "Typically, with BYOD programs the devices are not granted full access," said Clymer.
And, once that decision is made, the debate kicks into high gear, said Schmidt. "What's the risk appetite of your organization? And what data are critical and where are they? Those are the questions we ask in developing access policies for devices."
Those questions drill a core into the heart of the discussion. Some organizations like health care or accounting firms have a very low tolerance for risk. Such organizations, suggested Schmidt, need to set their access policies accordingly. Increasingly, what that may mean with many organizations is giving users what they really want: access to their own email, calendar, and contacts.
"We see more organizations using ActiveSync to open Exchange. That gives the employee what they need" ... without giving them anything more, said Clymer.
Reducing risk by reducing access
Limiting the data made available to BYOD reduces risk. Smart companies are taking one more step, said Clymer. "A mature organization will ask its employees, before opening Exchange to them, to sign a written policy that sets out their responsibilities."
Usually, that means agreeing to keep the device updated and patched and to promptly notifying the organization in the event the device is lost or stolen. But Clymer's bigger point is that companies are asking employees for a quid pro quo as they open up portions of the network. In that light, most employees see these demands are reasonable.
"User education really remains the key," added Schmidt. "The weakest part of the BYOD security environment is the end user."
That's because, increasingly, the most worrisome security issue may not be access as such but rather the profusion of critical files that have come into a device as email attachments and subsequently saved on an unapproved storage service such as DropBox. "Once the documents are downloaded to the device, that is when the potential problems start," said Lurie.
In many companies, lost devices just are a much more common problem than are hacker attempts to gain access to the network via an employee's device. But employees are often reticent to say anything less they get into trouble.
Louie's solution? "Organizations need to recognize that they need comprehensive mobility management policies that are continuously modified, as circumstances change. You really need to review your policies on an ongoing basis."
That just may be the only real safety net; recognizing that, good as policies may be today, tomorrow they may be a liability. Keep that flexibility and employees will be able to continue to access the data they want without jeopardizing the core of the enterprise.
As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1,500 articles for many of the nation's leading publications ranging from Upside to the Harvard Business Review and The New York Times. He has covered mobility since the birth of the cellular industry and PCs since the 1980s. He writes often about networking and security issues. Somewhere in there he also files a regular "Mobility Matters" on mobile banking for the Credit Union Times. While he does most of his writing on a Samsung Chromebook, he admits to Macbook Air envy and owns four tablet computers.