Wrestling with the BYOD quandary

April 1, 2013
VPNs provide a way for organizations to strike a balance between security and mobility

It’s hardly a secret that BYOD (bring your own device) is the dominant trend among employees, in small and large businesses alike. Gartner predicts that by 2015, there will be nearly 300 million tablets and two billion smartphones used by workers. IT teams have discovered that it is impossible to buck this trend and they are learning to embrace and manage it. The employees’ main motivation to use their own devices is both the comfort level with their personal devices and anytime, anywhere access to information from their organization’s databases and servers. Among the remote access technologies that are contributing significantly to solve these issues is virtual private network (VPN) technology.

The benefits of BYOD are well documented. Employees enjoy increased mobility, ability work on a preferred device, and have anytime/anywhere access to information and applications. However, the downsides have also been well publicized . A recent survey conducted by Osterman Research found that during a typical month, 4.3 percent of network endpoints become infected with viruses or malware, which translates to 52.1 percent of endpoints over the course of a year. The average time to remediate a single endpoint is 72 minutes and 5.2 percent of IT staff time during a typical week is spent on email security management alone, the study found.

Why is it that employees’ own devices present such a big risk for the company IT? IT teams are unable to centrally manage them, as they don’t belong to the company. For this reason, IT is unable to implement pre-existing security policies; especially those that foresee an administrator personally managing the devices, loading it with security software, etc. New security policies, which take into account that the employee doesn’t particularly want to have his own device remotely controlled by an administrator, are available but have to be implemented. Innovative remote access solutions already resolve a large part of the problem on the technical level, so that the user need not be too strongly restricted.

For small and medium businesses, and enterprises alike, where employees must connect to a local network, VPN is the critical technology. Tunneling into local area networks (LANs) across a VPN enables users to access files and/or control the applications on in-office equipment that are required to complete daily projects regardless of device or location. Only an Internet connection is required.

Allowing BYOD introduces vulnerabilities at many layers within the network, and as a result, there are many ways IT teams must address these risks. The first step is to reduce the risk of a device becoming infected and transmitting the malware into the company network. Some organizations require that a user’s device have specific antivirus and management software installed before it is allowed to connect to a network. Enforcement is sometimes difficult when the device belongs to the employee. Modern remote access solutions protect the company network effectively, without having to intervene on the employee’s device. They can, for example, check files for viruses, and if necessary, remove them while these files are being downloaded.

Another part of this initial step is ensuring that personal devices can only connect to a network via a VPN versus a direct connection, even when the user is on site. IT teams can also prevent a user from opening a second, parallel Internet connection as long as the user is connected with the company network. This effectively prevents malware from using this way to enter the company network.

The secure tunnel of a VPN is a must since it prevents cyber thieves from gaining access to any information as it travels between locations. Employees working from personal devices may be tempted to email documents, but the security of this email can never be guaranteed. Emailing documents also requires employees to store content on their personal devices, exposing that material to theft. VPNs can allow the employee to access, work on and store their content on the local network without any data ever being stored on the used end device.

Different VPN types for Different Situations

Different VPN types exist that fit to different network architectures and user needs. Each has benefits and weaknesses IT teams should consider before selection and deployment.

Internet Protocol Security (IPsec) VPNs

IPsec VPN solutions are very widely used and for many years were the standard remote access solution. They are especially well suited for fixed connections, for example, from the enterprise network to branch offices or suppliers and customers. They allow complete network access and are considered to be secure and reliable.

When using IPsec VPN technology in combination with BYOD, this technology exhibits a major drawback: An IPsec VPN client has to be installed on every end device. To do this, installation and administrator rights are needed. Not every employee is prepared to grant the corporate IT these rights to his own device. If the employee is to set up the client himself, then he could be faced with complex configuration work, e.g., the target networks, which may be more than he can handle.

Secure Socket Layer (SSL) VPNs

SSL VPNs have gained in popularity because they are "clientless," meaning the remote device doesn’t need to have a client pre-installed to connect to the corporate network. In many situations, an SSL VPN tunnel is created when a remote user opens a web browser and connects to a pre-defined URL. The VPN then prompts the user for a user name and password. Once authenticated, the user is often taken to a company’s individual webpage, which includes several options for network access or company applications.

An SSL VPN allows full network connectivity, as does an IPsec VPN, but can be deployed more easily to remote users since neither installation nor administrator rights on the client are needed. This makes SSL-VPN solutions, especially as regards BYOD, attractive for enterprises.

Selecting the Optimal VPN Solution

For the most part, the solution IT teams select depends on the needs remote access must address. If it is a matter of a fixed connection to branch offices, then an IPsec VPN would be the first choice. The technology is tried and proven. There are appropriate gateways for all possible amounts of users and requirements. The only prerequisite: an experienced IT administrator must be on site to configure the connections and manage the devices. Access rights and installations on the employees’ devices can be agreed upon and company-specific solutions can be implemented.

If employees don’t give their approval for access to their devices or if IT teams want greater flexibility, then SSL-VPNs are the preferred choice. As only central administration is required and no installation or administrator rights on the end device are necessary, the time and expense for IT is greatly reduced. This is an effect that becomes clearly visible when each user works with different devices to access centrally stored data and applications. These devices don’t have to be managed anymore.

Access is available from any device, regardless of the client’s OS, (e.g., Windows, OS X, Linux, Unix, etc.) to any target in the enterprise, from WTS (Windows Terminal Server) to legacy systems. All the user needs is a Java-capable browser and an Internet connection.
Modern solutions perform many security-relevant actions centrally, which then don’t have to be implemented on the client. BYOD and the best possible protection for enterprise data are thus no longer mutually exclusive.

VPN technology is a core component of a comprehensive cyber defense infrastructure and has come to the forefront as BYOD has taken root in many businesses. Despite many advances in network security, robust VPNs remain critical to ensure remote employees and employees using their own devices can enjoy the convenience of anytime, anywhere connectivity and IT teams can ensure date integrity.

About the Author: Klaus Brandstaetter is chief executive officer of HOB, a software company that develops and markets remote access solutions worldwide. He studied electrical engineering at the Friedrich-Alexander University of Erlangen in Nuremberg, Germany. With this knowledge and expertise, Brandstaetter set up the IT department at the company Geobra during his studies. He worked at Nixdorf Computers and later IBM. Since 1981, Brandstaetter has been the managing director of HOB GmbH & Co. KG, mainly focusing on development.