Without going into many details, a short look at the most visible aspects of using your own device at work.
At first, let’s agree on a definition: “A policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications” (Forrester). By itself, it would not be much trouble if this part were not present: “to access privileged company information”.
Below are a few thoughts on an approach to BYOD.
Summary for those who like management summaries
- “If you cannot stop it, lead it” (c)
- The easiest way to give BYOD access to corporate data is through internet-exposed web portals.
- The safest way to handle documents accessed from BYOD is to modify and store them centrally on a portal instead of keeping local copies.
- Choose a web SSL VPN over an IPsec VPN: it allows per-application control and is supported by all web browsers.
- Development and support departments will see their knowledge shift towards the web domain, because many services will be consumed through HTML.
- Security needs to be re-evaluated, starting from the definition of a “perimeter” and ending with new user authentication schemes.
BYOD as a trend
Facts mentioned by numerous observers are obvious and make us accept the general tendency of people consuming more and more services online, through their personally owned, internet-enabled gadgets and computers:
- BYOD is a universal trend, but adoption rate differs per industry;
- BYOD is a security concern and requires mindset change;
- BYOD demand will keep growing.
Access from a BYOD device to information
Either on the organization’s “guest wireless network”, or somewhere on the Internet, a client requires access to the corporate data.
- Option A. We cannot predict what kind of device a client will be using, so we stay device-agnostic and must use protocols and features supported everywhere. The most obvious choice: web portals powered by HTML5, secured by SSL.
- Option B. We rely on platform-specific applications to deliver the best user experience. Therefore, specialized apps are developed for all major platforms: iOS, Android, Linux, Windows, etc.
Option B is considerably more complex in development and therefore can be afforded only by big organizations… and as development needs to be continuous, the support cost will also be higher. I would go for Option A. I guess that startups in the field of HTTP portals may benefit a lot.
For obvious reasons, storing corporate documents on an unknown device is a security concern. A device can be lost; employees change jobs.
- Option A. We try to store all documents on the portal, as, for example, Google Docs, SkyDrive, or Evernote do. The ability to modify documents online almost eliminates the need for offline copies.
- Option B. We allow for local encrypted storage and provide sync functionality.
Option A seems to be simpler in development. Also, there are many people (or rather job functions) who do not need to store anything offline. A company may start with them before making BYOD a corporate-wide policy.
In the traditional security model, many privileges are granted to a user by a location-dependent security policy. Connected to the internal corporate network? Good lad, here is your access. Located outside? Sorry, we don’t know you. There were reasons for creating the Jericho security architecture, and the BYOD concept makes them very visible. Here is a simple slide:
The percentage of laptops vs. desktops constantly grows in all sectors. Mobility means users are more and more often outside the company’s physical perimeter. With BYOD coming into the picture, users are on the Internet or on an equally untrusted “guest wireless” network. This requires a serious adjustment to the way security measures are implemented.
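To make the difference between the two models concrete, here is a small added example (my own illustration, not code from the post or from the Jericho Forum) that evaluates the same access requests under a location-based policy and under a location-independent, per-application policy of the kind the web SSL VPN bullet above implies. The internal network range, user names, application names and entitlements are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the address range the traditional model treats as "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: per-application entitlements, the data a location-independent
# policy actually needs (which user may use which application).
ENTITLEMENTS = {
    "alice": {"mail", "crm"},
    "bob": {"mail"},
}


@dataclass
class Request:
    user: str            # identity claimed by the client ("" if none)
    source_ip: str       # where the packets come from
    app: str             # application the client wants to reach
    tls: bool            # transport protected by SSL/TLS
    authenticated: bool  # user authentication actually completed


def location_based_policy(req: Request) -> bool:
    """Traditional perimeter model: being on the internal network is the credential."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in INTERNAL_NETS)


def identity_based_policy(req: Request) -> bool:
    """De-perimeterised model: source location is ignored; the decision rests on
    an encrypted transport, a completed authentication and a per-application
    entitlement, so a BYOD client on guest wireless or the Internet is treated
    exactly like one on the office LAN."""
    if not (req.tls and req.authenticated):
        return False
    return req.app in ENTITLEMENTS.get(req.user, set())


def evaluate(requests: list[Request]) -> list[tuple[bool, bool]]:
    """Return (location_decision, identity_decision) for each request."""
    return [(location_based_policy(r), identity_based_policy(r)) for r in requests]


# Constructed sample traffic.
SAMPLE = [
    # Unknown, unauthenticated device plugged into the office LAN.
    Request(user="", source_ip="10.20.30.40", app="crm", tls=False, authenticated=False),
    # Alice on guest wireless, over TLS, authenticated, entitled to crm.
    Request(user="alice", source_ip="192.168.100.7", app="crm", tls=True, authenticated=True),
    # Bob from the Internet, authenticated, but not entitled to crm.
    Request(user="bob", source_ip="203.0.113.9", app="crm", tls=True, authenticated=True),
    # Alice again, authenticated but over plain HTTP: transport check fails.
    Request(user="alice", source_ip="203.0.113.10", app="mail", tls=False, authenticated=True),
]

if __name__ == "__main__":
    for req, (by_location, by_identity) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{req.user or '<anonymous>':<12} {req.source_ip:<16} {req.app:<5} "
              f"location={by_location!s:<5} identity={by_identity}")
```

The first sample request is the point of the slide: under the location model an unidentified box on the LAN gets in and a legitimate BYOD user on guest wireless does not, while the identity model reverses both outcomes and additionally refuses Bob the application he is not entitled to and refuses an unencrypted session regardless of who is behind it.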
Alex Mavrin, CCIE #7846
Visit http://www.apteriks.com and use FREE ONLINE tools for network professionals.
Slide source: http://www.slideshare.net/Rinky25/jericho-an-alternative-approach-to-security (slide 7)