BYOD is one of the hottest and most misunderstood topics, partly because BYOD is really 8 (yes, 8) different scenarios. The device may be managed as a corporate device or not, it may be allowed on the corporate LAN or not, and it may or may not have access to corporate data. Three yes/no questions give eight combinations, and each combination has a different set of controls that actually work.
(Figure: The eight types of BYOD)
Let’s take a look at each one.
The first one is easy: machines that are managed by corporate, connected to the LAN and accessing corporate data. Technically this is exactly what we have now; from a network and security perspective there is no change from what we have had for years. The only difference is how the machine is purchased, i.e., whether you let the employee pick it out and pay them a stipend for it. Network access control plus authentication pretty much solves this group. In this case BYOD almost stands for Buy Your Own Device.
The second one (corporate managed, on the LAN, but not corporate data) isn’t too bad until you start looking at data protection. Since not all the data is corporate data, it’s important to know what is going out. Since they are on your LAN, a good firewall like Palo Alto, network policy and a SIEM like Dragon solve any real security issues, or at least let you know they are going on so you can address them.
The next category is devices that are corporate owned and managed and access your corporate data, but not on your network. These are the mobile devices accessing your cloud resources or email, or Blackberry devices that can get through the firewall if you are using Blackberry Enterprise Server (BES). The best approach I’m aware of for these is a combination of mobile device management (MDM) and a cloud based identity management product, like Okta.
If they are not accessing corporate data, you are stuck with just MDM. Since they are corporate owned and managed devices, you can dictate by policy that they need to install your MDM product and give you some control over the device.
Now, though, we get into devices that aren’t managed by corporate, and things get stickier.
The first one is unmanaged devices on your LAN accessing your corporate data. Since you can’t manage the device, you need a network based access control that can scan the device remotely to ensure it meets compliance, or just not allow it to connect. Since it’s corporate data, an SSO solution (in our case Okta) solves that piece.
But what if it’s not corporate data? Can you really stop someone from using a Dropbox account? Well, you can if they are using your LAN. An IPS or application detection tool will detect it and alert you, or can disallow it at the firewall or switch port.
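The firewall or IPS does this inline with application identification. The same check can be run after the fact over proxy logs, which is useful when you only have logs or want to size the problem before blocking. Below is an added example (not code from the original post or from any of the products named above): it parses constructed proxy log lines, flags requests to an assumed list of consumer file-sync domains, and alerts on sources that uploaded more than a threshold. The log format, the domain list and the sample lines are all assumptions.

```python
"""Detect unsanctioned cloud-storage use from proxy logs.

Added example, not code from the original post. The log format, the
domain list and the sample lines are assumptions / constructed data.
"""
import re
from collections import defaultdict

# Assumed: domains that indicate consumer file-sync services.
UNSANCTIONED_STORAGE = {"dropbox.com", "dropboxapi.com",
                        "dropboxusercontent.com", "box.com"}

# Assumed proxy log line: <epoch> <src_ip> <method> <url> <status> <bytes_out>
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes_out>\d+)$"
)

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
1338000000 10.1.2.3 GET https://www.dropbox.com/home 200 512
1338000005 10.1.2.3 POST https://content.dropboxapi.com/2/files/upload 200 5242880
1338000010 10.1.2.4 GET https://company.okta.com/app/UserHome 200 300
1338000015 10.1.2.4 PUT https://dl-web.dropbox.com/upload 200 1048576
1338000020 10.1.2.5 GET https://www.example.com/ 200 120
this line is malformed and must be skipped, not crash the parser
"""


def host_of(url):
    """Extract the hostname from a URL (scheme optional, port/path stripped)."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def matches_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["host"] = host_of(rec["url"])
    return rec


def summarize(lines):
    """Per source IP, count requests and bytes uploaded to unsanctioned storage.

    Returns {src_ip: {host: {"requests": n, "uploaded": bytes}}}. Only
    POST/PUT count as uploads; a GET of the Dropbox home page is noted
    but moves no data out.
    """
    summary = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "uploaded": 0}))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_domain(rec["host"], UNSANCTIONED_STORAGE):
            continue
        entry = summary[rec["src"]][rec["host"]]
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["uploaded"] += rec["bytes_out"]
    return {src: dict(hosts) for src, hosts in summary.items()}


def alerts(summary, upload_threshold=1_000_000):
    """Sources that pushed at least upload_threshold bytes to unsanctioned storage.

    Returns a sorted list of (src_ip, bytes_uploaded, [hosts]).
    """
    out = []
    for src, hosts in summary.items():
        total = sum(h["uploaded"] for h in hosts.values())
        if total >= upload_threshold:
            out.append((src, total, sorted(hosts)))
    return sorted(out)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for src, total, hosts in alerts(s):
        print(f"ALERT {src}: {total} bytes uploaded to {', '.join(hosts)}")
```

Matching on the destination hostname is a deliberate simplification: an inline app-ID engine also looks at the TLS SNI and the traffic itself, so a host list will miss clients that use bare IPs or CDN hosts. The upload threshold is what keeps a user who merely opened the Dropbox login page from paging someone.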
If it’s not your device and not your network, your only control point is authentication to the application. Okta fills our need for this and automatically de-provisions accounts when an employee is terminated. It needs to be done automatically or it takes too long and you will miss some. Automation is your friend with accounts and access.
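Whatever product does the de-provisioning, the logic underneath is a reconciliation between the HR system of record and the accounts that exist in each application. The following is an added example of that logic (not code from the original post and not how Okta implements it): it takes a constructed HR feed and a constructed application account export, deactivates accounts whose owner is terminated as of today, and separately reports active accounts that have no HR record at all, which are the ones a manual process misses. The record formats are assumptions, and the `deprovision` callable stands in for whatever API the identity provider or application actually exposes.

```python
"""Reconcile an HR terminations feed against application accounts.

Added example, not code from the original post and not Okta's own
mechanism. Record formats are assumptions and the data is constructed;
the deprovision callable stands in for the real IdP/application API.
"""
from datetime import date

# Constructed HR feed: everyone HR knows about and their status.
HR_FEED = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "terminated",
     "termination_date": "2012-06-01"},
    {"email": "Carol@example.com", "status": "terminated",
     "termination_date": "2012-06-30"},   # future-dated: still employed today
]

# Constructed account export from one SaaS application.
APP_ACCOUNTS = [
    {"email": "alice@example.com", "active": True},
    {"email": "bob@example.com", "active": True},      # terminated, still active
    {"email": "carol@example.com", "active": True},    # not yet terminated
    {"email": "dave@example.com", "active": True},     # no HR record at all
    {"email": "erin@example.com", "active": False},    # already off
]


def plan_deprovisioning(hr_feed, app_accounts, today_iso):
    """Decide which active accounts must lose access as of today_iso (YYYY-MM-DD).

    Returns (terminated, orphans): accounts whose owner HR lists as
    terminated on or before today, and active accounts with no HR record.
    Email comparison is case-insensitive because HR and SaaS exports
    rarely agree on casing.
    """
    today = date.fromisoformat(today_iso)
    by_email = {r["email"].lower(): r for r in hr_feed}
    terminated, orphans = [], []
    for acct in app_accounts:
        if not acct["active"]:
            continue
        rec = by_email.get(acct["email"].lower())
        if rec is None:
            orphans.append(acct["email"])
        elif (rec["status"] == "terminated"
              and date.fromisoformat(rec["termination_date"]) <= today):
            terminated.append(acct["email"])
    return sorted(terminated), sorted(orphans)


def run_deprovisioning(hr_feed, app_accounts, today_iso, deprovision):
    """Apply the plan via the supplied deprovision(email) callable.

    Orphans are reported for review rather than deactivated automatically,
    because an account with no HR record may be a service account.
    """
    terminated, orphans = plan_deprovisioning(hr_feed, app_accounts, today_iso)
    for email in terminated:
        deprovision(email)
    return {"deactivated": terminated, "needs_review": orphans}


if __name__ == "__main__":
    actions = []   # stand-in for the real API: just record what would be called
    print(run_deprovisioning(HR_FEED, APP_ACCOUNTS, "2012-06-15", actions.append))
```

Run this on a schedule against every application, not just the ones fronted by SSO; the orphan list is also a cheap way to find applications that were never wired into the identity provider in the first place.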
The last problem is tricky: it’s not your data, not your device and not your network. The biggest risk with this is really someone saying something bad about you on social media. To some extent you have no control, well, no technical control. For this I’d recommend something like Radian6 or Cymfony to be able to react quickly. Some people may argue this isn’t really BYOD, but some companies will buy and pay for phones that are not really used for corporate use, or maybe the phone portion is but the smartphone portion is used for non-business pieces.
I’ve had some vendors try to sell me an appliance to protect against this, but since they aren’t on my network an appliance won’t work. For some reason my making that observation merely made the sales team try harder to sell it to me. Personally, if I were the sales team, I would have cut the meeting short and not spent 45 minutes trying to sell me something I clearly didn’t want, but maybe that’s why I’m in IT, not sales.
Consumerization of IT and the trend toward BYOD aren’t going away. BYOD programs can be solved technically as long as you understand which of the eight types you are trying to support. Hopefully this helps, and as usual we would love feedback!