Security Think Tank: MDM just one way to lower the risk of BYOD

With BYOD and the growth of the personal cloud being used at work, what security measures can IT take to ensure security of enterprise data and does MDM really have a role in security?

The threats to business are still, in essence, the same as they have been for many years – bad stuff entering the network and sensitive information (good stuff) leaving the network.

While bring your own device (BYOD) and growing personal cloud use in the workplace have not changed that, they have made the problem more prevalent and harder to police.

The key point for CISOs to remember is that giving user-owned devices access to a corporate network as part of a BYOD strategy is no different to allowing any other remote device or USB stick to be plugged in – it is an additional endpoint that needs to be monitored and secured, regardless of who owns the physical device. 

It is therefore important that access controls, policy enforcement and security countermeasures are put in place, ideally by being pushed to any new device connecting to the network, to maintain security standards and awareness of what data is being accessed by which endpoint.

Mobile device control

UK schools and colleges have struggled with the onslaught of BYOD for years, along with the need to limit student and outsider access to the darker areas of the web and to sensitive data held within the network. Many soon realised that data was far easier to safeguard through physical separation and by limiting access to the sensitive areas of the network.

Mobile device management (MDM) aims to secure, monitor and manage the use of mobile devices. The idea is that by controlling and protecting the data and configuration settings on every mobile device, business risk is reduced. However, MDM on its own does not cope with the BYOD trend.

To work effectively, MDM needs a client agent installed on each mobile device, including devices the organisation has never seen before, which may not be practical or cost-effective, depending on the licensing model.

Imagine the cost to a college whenever a new year intake starts, or the cost to a business that is hosting a conference in its offices. The demand for new client licences could reach the hundreds in just one day if concurrent or unlimited licensing is not available.

Access control

Rather than offering devices carte blanche access to the network, some organisations prefer to ring-fence the network so that anything that is not a recognised and approved device only has access to certain parts of the network.

On top of this, many such solutions offer profiling capabilities, so that different devices and personnel are allowed differing levels of access depending on the risk profile of the user and of the hardware they are connecting from.

Devices that meet the minimum software, security and reporting requirements get access; everything else is quarantined in a demilitarised zone (DMZ) with a separate internet connection and no direct access to core network services or repositories.
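The ring-fencing and profiling described above amount to a posture policy: a device reports its attributes, the policy checks them against minimum requirements, and the result, combined with the user's risk profile, picks a network segment. The following is an added example written for this page, not code from the article or from any product; the tier names, the minimum OS versions, the set of posture checks and the rule that an unenrolled but otherwise healthy device gets guest access are all illustrative assumptions.

```python
"""Added example (not from the original article): a small posture-based
access-control policy. Tier names, minimum OS versions and the checks
themselves are illustrative assumptions, not real policy values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access tiers, least to most privileged (names are assumptions).
QUARANTINE = "quarantine-dmz"   # separate internet breakout, no core services
GUEST = "guest"                  # ring-fenced: internet and guest services only
CORPORATE = "corporate"          # full access to internal repositories

# Minimum patch level per platform (illustrative thresholds).
MIN_OS = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}

# Failures that only demote to GUEST; everything else sends the device to quarantine.
SOFT_FAILURES = {"not-enrolled"}


@dataclass
class Device:
    platform: str
    os_version: str                 # e.g. "16.4.1", as reported by the device
    mdm_enrolled: bool = False
    disk_encrypted: bool = False
    screen_lock: bool = False
    jailbroken: bool = False


@dataclass
class User:
    role: str                       # "staff", "student" or "visitor"
    high_risk: bool = False         # e.g. recent incident or shared account


def parse_version(v: str) -> Tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1). Anything unparseable counts as version 0,
    so a device that lies badly about its version fails the minimum check."""
    parts: List[int] = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts) or (0,)


def posture_failures(d: Optional[Device]) -> List[str]:
    """Return the minimum-requirement checks the device fails, in check order.
    A device that reported nothing (None) fails outright: absence of evidence
    is treated as non-compliance, never as a pass."""
    if d is None:
        return ["no-posture-report"]
    failures: List[str] = []
    min_ver = MIN_OS.get(d.platform.lower())
    if min_ver is None:
        failures.append("unsupported-platform")
    elif parse_version(d.os_version) < min_ver:
        failures.append("os-below-minimum")
    if d.jailbroken:
        failures.append("jailbroken-or-rooted")
    if not d.disk_encrypted:
        failures.append("no-disk-encryption")
    if not d.screen_lock:
        failures.append("no-screen-lock")
    if not d.mdm_enrolled:
        failures.append("not-enrolled")
    return failures


def access_tier(user: User, device: Optional[Device]) -> str:
    """Combine device posture with the user's profile into a network tier."""
    failures = set(posture_failures(device))
    if failures - SOFT_FAILURES:
        # Any hard failure (unknown, rooted, old OS, unencrypted...) -> quarantine.
        return QUARANTINE
    if failures or user.high_risk or user.role != "staff":
        # Healthy but not approved, or a riskier user: ring-fenced access only.
        return GUEST
    return CORPORATE


if __name__ == "__main__":
    # Constructed sample inputs: a staff laptop, a student's phone, an unknown box.
    staff = User("staff")
    laptop = Device("windows", "10.0.19045", True, True, True)
    print(access_tier(staff, laptop))                             # corporate
    print(access_tier(User("student"), Device("ios", "16.4.1",
                      False, True, True)))                        # guest
    print(access_tier(staff, None))                               # quarantine-dmz
```

The design choice worth noting is the fail-closed handling of an unknown device: a device that sends no posture report, or one running a platform the policy does not know, is never given the benefit of the doubt. The `SOFT_FAILURES` set is the knob that decides how generous the ring-fenced tier is; shrinking it to the empty set gives the stricter "meet the minimum or be quarantined" rule the text describes.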

While no solution is foolproof, the above are a couple of examples of how businesses can lower the risk profile of BYOD access and protect themselves against the ever-present danger of bad stuff entering and good stuff leaving.

Phil Bousfield is general manager of IT operations at GFI Software.
