May 18 2012

Steady Progress Toward BYOD

Governments take a measured approach toward widespread use of personal devices on public-sector networks.

Gastonia, N.C., is a small city with only 1,000 employees. But like many localities, it is steadily advancing its initiative to let its workers use their personal computing devices on city networks, a practice commonly referred to as “bring your own device,” or BYOD.

The city’s IT department, which also supports public-safety personnel for Gaston County (of which Gastonia is the county seat), began allowing employees and guests to use their own devices on the city’s network approximately seven years ago, when it installed an Aruba Networks wireless network.

Currently, users can access only the Internet via their own devices, connecting to the city’s wireless network using Aruba Networks’ ClearPass Policy Manager. ClearPass provides registration and profiling for iOS, Android, Mac OS or Windows-based devices, as well as endpoint health assessments and comprehensive reporting to automatically enforce user and endpoint access policies.

In addition, Network Engineer Robert Loveland uses Aruba’s AirWave network management platform, which shows in real time which devices and users are on the network, what they are accessing and how much bandwidth specific devices are consuming.

Although the city has sufficient technology for managing devices that connect to more than the Internet, it does not yet allow users to connect to the internal municipal network.

“It’s feasible, and it’s just a matter of time,” Loveland says. “I can see a time not too far from now, when we have the time and the personnel, where we would look at increasing access.”

BYOD provides valuable flexibility, but accepting users’ personal mobile devices in the workplace demands that IT shops shore up network security. Without that, IT departments can quickly lose control of who has access to data and applications and whether users’ devices are fully secure, leaving organizations vulnerable to unauthorized access to sensitive information.

For organizations that let users save or download data to their mobile devices, the first step is to implement some type of mobile device management (MDM) solution. MDM software enrolls devices, monitors them while they are connected to the network and can remotely lock or wipe a device that is lost or falls out of compliance.

Even if an organization doesn’t let users download or save data on their personal devices, security is still a priority, says Andrew Braunberg, research director for enterprise networks and security at Current Analysis in Herndon, Va. Many solutions can bolster network security for BYOD. The goal of mobile application management (MAM) products is to make apps more manageable and secure. Some solutions accomplish this with “wrappers” that control the use of the application. Others use containerization, which creates private “sandboxes” for sensitive apps.

Hypervisors, which run a separate, isolated work environment on top of the device’s own operating system, and data loss prevention (DLP) technology, which monitors and blocks the movement of sensitive data off the network, also help protect the network against the risks associated with personal devices.

Delaware has big plans for BYOD. The state is in the midst of a major upgrade to its network infrastructure, which will allow its employees to access apps and features securely.

[Figure: The percentage of organizations that allow users to access network resources via personal devices. SOURCE: SANS Mobility/BYOD Security Survey, March 2012]

Since 2010, the state has allowed its 15,500 employees to use their own smartphones to access e-mail, the Internet and state-owned websites via Microsoft’s Exchange ActiveSync protocol.

The next step is a game-changer. The state is implementing McAfee Enterprise Mobility Management (EMM), an MDM system that can identify, tag and assign policies to smartphones and tablets. It integrates with McAfee ePolicy Orchestrator for policy enforcement and compliance management while protecting devices and the network from malware.

With EMM in place, the state will unveil its own app store, complete with secure, pre-approved apps that employees can download on their personal devices.

“If our transportation department, for example, wants its employees to use certain applications, we can standardize those applications so they are easily downloadable and customized for the department,” explains Delaware CIO Jim Sills. “We have complete control over the security of the apps, who is downloading them, and the devices they are using to access the app store.”

The Fine Print

Organizations that grant employees the privilege of bringing their own mobile devices into the workplace must create policies that govern which devices are acceptable, how they can be used and what applications they can access, says Cesare Garlati, vice president of mobile security at Trend Micro. Garlati suggests other important elements of a BYOD policy:

  • Users must agree to install whatever security, monitoring or tracking software the organization requires.
  • All devices connecting to the network must be registered with the IT department.
  • Users must agree to password-protect the device.
  • Use of the mobile device must impose no tangible cost to the organization.
  • Use of the mobile device must not have an adverse impact on the user’s performance.
  • All devices must support IEEE 802.1X authentication.
  • Only approved apps may reside on the device. Blacklisted apps are generally considered security or productivity risks.
  • All devices must meet minimum specifications for hardware, operating systems and device management agents.
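The policy items above are the kind of checks a network access control system such as ClearPass evaluates before it assigns a device a network role. What follows is an added illustration, not code from the article, from Aruba, or from any of the organizations mentioned: it models a BYOD posture policy that maps each device to “deny”, “internet-only” (the access Gastonia currently grants) or “internal”. The field names, the minimum OS versions, the app blacklist and the tiering of which failures refuse a device versus merely cap it at Internet access are assumptions made for the example, and the sample fleet is constructed.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Posture attributes for one personal device (field names are assumed)."""
    owner: str
    platform: str                      # "ios", "android", "macos" or "windows"
    os_version: str                    # dotted version string as reported by the agent
    registered: bool                   # registered with the IT department
    passcode_set: bool                 # device lock enabled
    mdm_agent: bool                    # required management/monitoring agent present
    supports_8021x: bool               # capable of IEEE 802.1X (EAP) authentication
    installed_apps: frozenset = frozenset()


# Assumed minimum OS versions per platform (hypothetical numbers, not from the article).
MIN_OS = {"ios": (15, 0), "android": (12, 0), "macos": (12, 0), "windows": (10, 0)}
# Assumed blacklist of apps treated as a security or productivity risk.
BLACKLISTED_APPS = frozenset({"rooting-toolkit", "unapproved-vpn"})


def parse_version(text: str) -> tuple:
    """'15.4.1' -> (15, 4, 1). Non-numeric pieces become 0 so a comparison never crashes."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device: Device) -> tuple:
    """Return (role, findings). Roles: 'deny', 'internet-only', 'internal'.

    Assumed tiering: unregistered devices, missing passcodes and blacklisted apps
    refuse the device outright; an old OS, a missing agent or no 802.1X support
    leave it on the Internet-only (guest) role, never on the internal network.
    """
    hard = []   # failures that refuse the device entirely
    soft = []   # failures that cap the device at Internet-only access

    if not device.registered:
        hard.append("not registered with IT")
    bad_apps = sorted(device.installed_apps & BLACKLISTED_APPS)
    if bad_apps:
        hard.append("blacklisted apps: " + ", ".join(bad_apps))
    if not device.passcode_set:
        hard.append("no passcode")

    minimum = MIN_OS.get(device.platform)
    if minimum is None:
        soft.append(f"unsupported platform {device.platform!r}")
    elif parse_version(device.os_version) < minimum:
        soft.append(f"{device.platform} {device.os_version} below minimum")
    if not device.mdm_agent:
        soft.append("management agent missing")
    if not device.supports_8021x:
        soft.append("no 802.1X support")

    if hard:
        return "deny", hard + soft
    if soft:
        return "internet-only", soft
    return "internal", []


# Constructed sample fleet: one device that passes everything, one with soft
# failures, one unregistered device and one carrying a blacklisted app.
SAMPLE_FLEET = [
    Device("alice", "ios", "16.2", True, True, True, True, frozenset({"mail", "maps"})),
    Device("bob", "android", "11.0", True, True, False, True),
    Device("carol", "windows", "10.0.19045", False, True, True, True),
    Device("dave", "macos", "13.1", True, True, True, True, frozenset({"rooting-toolkit"})),
]


def evaluate_fleet(fleet) -> dict:
    """Map each owner to the (role, findings) decision for that device."""
    return {d.owner: evaluate(d) for d in fleet}


if __name__ == "__main__":
    for owner, (role, findings) in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{owner:6s} -> {role:13s} {'; '.join(findings)}")
```

The attributes fed into `evaluate` must come from the authenticator and the management agent (device profiling, the 802.1X identity, the agent’s posture report), not from anything the user types in; a policy that trusts self-reported fields is only as strong as the least honest device. Note also that “supports 802.1X” is a capability, not a guarantee: granting the internal role should additionally require that the session actually authenticated with EAP under a valid user credential.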
