Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: [email protected].
The introduction of laptops and proprietary mobile devices into the corporate IT ecosystem 10 years ago allowed organizations to extract more value from their employees by extending the office both physically and mentally in the minds of employees. Over the years, these have become learned and expected behaviors for nearly all employees of companies in North America and Europe that rely on speed and technology to deliver a product to market. In theory, the IT department had total control of how the system or device was configured, which applications were installed and what resources it could access on the corporate network, although it didn’t always happen that way.
Those days, however, are long gone. The rise of the smartphone in the last five years – perhaps due in part to the popularity of the iPhone and now tablets – have added yet another dimension to the way people interact with corporate resources. The balance of computing freedom and choice quite literally shifted overnight from corporate IT into the hands of the consumer employee.
The question is why did companies allow this to happen? And the answer boils down to two key benefits – huge cost savings on IT budgets and maximized employee productivity. Who, in this day and age, hasn’t answered corporate e-mail at 11 pm before going to bed?
However, everything in the garden of bring-your-own-devices is not rosy. The complexity of supporting a myriad of devices within the network infrastructure, in addition to granting network access to devices not owned by the organization, doesn’t work well for many organizations. But overall, the No. 1 issue organizations are now concerned about is the security risks relating to lost devices, theft of data or viruses. As consumer technology products continue to permeate into the corporate IT ecosystem, BYOD access to corporate assets and the internal network has become a critical concern for many organizations. While the productivity gains were immediately apparent, security was once again considered an afterthought in many early BYOD initiatives.
There are many different schools of thought on how to handle the BYOD challenge and three main technology contenders claiming to solve the problem. Unfortunately, in corporate networks one size never fits all and organizations are already finding out that a combination of two or all three methodologies is said to be the most effective defense. It all boils down to how much an organization value’s their data or understands what the impact would be to the business should that data be compromised.
Originally considered a cost saving, BYOD is quickly becoming a cost, IT resource and management framework headache. Whatever the answer is for your corporate network, the marriage of mobile device management or mobile application management combined with the underlying management of network access itself appear to be the clear leaders in solving the BYOD issue. With over 70-plus MDM/MAM vendors positioning themselves as a BYOD solution, expect to see a lot of consolidation as vendors buy up market share and technology with procurement costs slowly coming down.
Let’s look at some of the options. In general, MDM systems provide centralized visibility to the devices and users connecting to the corporate network. MDM allows IT staff to manage BYOD devices by applying policies to ensure compliance with internal policy. Un-managed, infected or jail broken mobile devices can be blocked from accessing e-mail or other corporate resources. In turn, corporate procured mobile devices removed from a predefined physical location can be wiped of sensitive data using geo-fencing if they are removed from the network as it violates a predefined policy control – for example, hospital staff using iPads to access medical records.
MAM can be considered an overlap or extension technology to MDM and handles BYOD devices and the concept of data security differently. When an employee brings a personal device into the enterprise, MAM enables the corporate IT staff to provision the device, download approved corporate applications and control access to back-end data sources. If the device is lost or stolen, or if the employee leaves the company, IT staff can remotely remove any confidential applications or data. Ultimately, implementing a MAM solution depends upon the organization and how many mobile-enabled applications they feel are needed to best serve the workforce.
The perpetrator of an IT breach or compromise from the wireless network isn’t necessarily the physical owner of the BYOD device, but it can invariably be the source. While MDM and MAM can be used in conjunction with each other to provide an effective BYOD solution, neither of the solutions address the primary source of security compromise, unfettered network access between the wireless and the wired corporate network. The use of BYOD mobile devices in insecure public networks such as municipal Wi-Fi networks and wireless hotspots can expose these devices to various kinds of worms, viruses and other malicious code. When these devices re-enter the enterprise network environment, the lack of any security access control can leave the corporate network and associated resources open to propagation of malicious code and attack.
Networks continue to increase in complexity and “who” has access to “what” is perhaps the biggest challenge of all and wireless access compounds that problem significantly. Almost 95% of all security breaches are a result of mis-configurations in the devices granting access to the network, such as firewalls, routers, load balancers and mobile device controllers. Managing the access between the wired and wireless networks to enforce exactly what access is allowed to BYOD devices has to be the first step in any wireless initiative – before any thought of managing the mobile device can be considered. Once access has been defined, an ongoing monitoring program needs to be in place to identify violations that would allow unauthorized mobile devices to access wired corporate resources on a regular basis.
From cross-platform malware that infect everything in the network to confidential corporate e-mails and attached files, organizations need to get a grip on their ballooning BYOD security challenges to reduce the overall attack surface and the incidence of network and corporate compromise. That “grip” is never going to be 100% on the BYOD device. That “grip” has to be on something the organization owns and has complete control of … network access.