The threats to business are still, in essence, the same as they have been for many years – bad stuff entering the network and sensitive information (good stuff) leaving the network.
The key point for CISOs to remember is that giving user-owned devices access to a corporate network as part of a BYOD strategy is no different to allowing any other remote device or USB stick to be plugged in – it is an additional endpoint that needs to be monitored and secured, regardless of who owns the physical device.
It is therefore important that access controls, policy enforcement and security countermeasures are put in place, ideally by being pushed to any new device connecting to the network, to maintain security standards and awareness of what data is being accessed by which endpoint.
Mobile device control
UK schools and colleges have struggled with the onslaught of BYOD for years, along with the need to limit student and outsider access to the darker areas of the web and sensitive data held within the network. Many soon realised that safeguarding data was far easier to stop through physical separation and limiting access to sensitive areas of the network.
Mobile device management (MDM) aims to secure, monitor and manage the use of mobile devices. The thought being that by controlling and protecting the data and configuration settings for all mobile devices, the business risks are reduced. However, this does not immediately cope with the BYOD trend.
Read more on BYOD and MDM from the Security Think Tank
- Governance should determine strategy for BYOD
- Embrace BYOD, but be wary of the risks
- BYOD security: policy, control, containment, and management
- MDM is no BYOD silver bullet
- BYOD – key tenets and best practices
- BYOD means the map is no longer the territory
- BYOD – a challenge and an opportunity
- Management is key to secure BYOD
- Cloud, BYOD and security – lock your doors
To work effectively, a client agent needs to be placed on the unrecognised mobile device, which may not be practical or cost effective, depending on licensing models.
Imagine the cost to a college whenever a new year intake starts, or the cost to a business that is hosting a conference in its offices. The demand for new client licences could reach the hundreds in just one day if concurrent or unlimited licensing is not available.
Rather than offering devices carte blanche access to the network, some organisations prefer to ring-fence the network so that anything that is not a recognised and approved device only has access to certain parts of the network.
On top of this, many such solutions offer profiling capabilities so that different devices, and personnel, are allowed differing levels of access depending on their inherent risk profile of the user and the piece of hardware they are trying to interact from.
Devices that meet the minimum software, security and reporting requirements get access; everything else gets quarantined in a demilitarised zone (DMZ) with a separate internet connection and no direct access to core network services or repositories.
While no solution is foolproof, above are a couple of examples of how businesses can lower the risk profile of BYOD access and can insure themselves against the ever-present danger of bad stuff entering and good stuff leaving.
Phil Bousfield is general manager of IT operations at GFI Software.