Building a BYOD policy?

Aug. 5, 2015
An SSL VPN appliance should be the foundational technology used in any security strategy

Bring Your Own Device (BYOD), the practice of allowing employees to use their personal mobile devices to access company applications and data stores, got off to a relatively slow start from its beginnings early this decade. However, the phenomenon now appears to be in full swing.

In its yearly Global IT Priorities report, industry publication Computer Weekly notes that 46 percent of IT managers worldwide are planning to deploy a BYOD initiative in 2015, with another 30 percent planning to deploy mobile applications. For network administrators charged with developing and deploying a BYOD strategy, there are literally thousands of articles, guides, blogs and other resources on the topic.

Most of the articles and other materials regarding BYOD seem to focus on the “device” side of the equation, with an emphasis on mobile device management (MDM), mobile application management (MAM) and other device-side technologies and strategies. Given the myriad vulnerabilities posed by mobile devices (such as malware and loss or theft), this device-centric focus is certainly understandable.

However, the “network” side of the BYOD equation deserves at least equal consideration. Given the unmanaged, and often unmanageable, nature of employees’ personal mobile devices, it is prudent to set in place technologies and policies on the network side to guard against rogue mobile devices.

The bedrock for network edge security has long been SSL VPN, which has been used for secure remote access by PCs and laptops for many years. Recently, SSL VPNs have evolved to offer a wide range of support and security for smart mobile devices as well. SSL VPNs are also uniquely located in the network–at the network edge, which affords visibility into all endpoints (PC, laptop, or mobile device), and with the ability to enforce policy-based control over access to network resources.

Through these factors, an SSL VPN appliance is perfectly suited to serve as the first line of defense for a BYOD policy – the foundational technology, in other words.

Most SSL VPN solutions provide granular access controls based on user, role, and other factors. Host checking can verify device and user identity as well as a wide range of parameters on the device itself, such as whether anti-virus, anti-spyware or personal firewalls are enabled, or if the device’s operating system is one of the allowed versions, patches and service packs (typically the more current mobile OSs are more secure than earlier versions). If additional access control is desired, built-in or third-party authentication can add an additional layer of security, especially in the case of loss or theft of a mobile device.

Many of the enterprise-class SSL VPN appliances also offer a mobile client, which can provide secure access for native business apps (such as Exchange, Oracle, SAP and the like) and HTML5 apps via a secure browser. These apps can be authorized for specific users, and automatically installed on the users’ devices from an integrated enterprise app store. There is a great deal of control over the apps themselves, as well – mobile VPN connections can be enabled per application, and applications can be authorized per user.

Oftentimes, a mobile client will include a secure container in which all data associated with enterprise apps is stored—thus securing against data leakage. These secure containers can be remotely wiped if a mobile device is lost or stolen, further securing data against falling into the wrong hands. Controls can also be put in to place to prevent lost/stolen devices from accessing the network via SSL VPN, using device-based identification.

In addition, some SSL VPN appliances offer some form of remote desktop access, which allows mobile users to access and use their familiar desktop environment. This capability greatly reduces training and support requirements, because employees are accessing and using the same desktop interface they use every day on their company-provided PC or laptop. This option can be even more attractive in circumstances where regulatory (HIPAA, PCI-DSS, etc.) or other compliance requirements are in force. Because the data never leaves the network, it cannot be compromised.

SSL VPN appliances may also offer virtual portals, which can be customized to the device type that an employee is using to access the network. A virtual portal for mobile devices, for example, can be customized to better fit the smaller screen size of these devices, and streamlined to make interaction easier.

As mentioned previously, an SSL VPN appliance occupies a unique position at the network edge, and this vantage point allows the solution to provide protections specifically for network assets as well as the mobile devices. For example, an SSL VPN appliance may provide DDoS protection, reverse-proxy network separation, and passive/active Layer-7 content filtering. All of these (and other) capabilities combine to provide an additional layer of protection to essential network elements and data.

Other BYOD-supportive technologies bear mentioning as well:

  • Server-based computing – this technique revolves around running applications in the data center, and delivering them to client devices on demand. While this method has the benefit of bypassing the need for native apps, and of ”locking down” data so that it never leaves the network, it also bears a very high cost for software, servers, licenses and deployment. These latter factors have been a deterrent to deployment of this method.
  • Virtual Desktop Infrastructure (VDI) – similar to server-based computing, VDI seeks to reduce operational support and allow management from a central infrastructure. However, the costs for VDI quickly mount up, including servers, licenses, additional bandwidth requirements and storage.
  • Mobile endpoint protection – while antivirus, anti-spam and other protective solutions exist, typically they are not centrally manageable and carry additional processing overhead for the mobile devices themselves. In essence, without central control of endpoint protection software, the network administrator has no assurance that the end-users are using it, have configured it correctly, or are installing updates when needed. In addition, they often do not protect the data itself or the connection to the network.
  • Mobile device management – a number of the solutions offered are not designed to implement policies for data control. High cost is also often cited as a drawback to this technology, and IT administration costs can quickly add up. However, depending on your budget it may make sense to deploy as an adjunct to an SSL VPN appliance.

Summary

If you’re considering a BYOD policy for your organization, look carefully at all the options available to you. You may well find that an SSL VPN appliance will provide the network-level and device-level protections needed to serve as the foundation for a successful BYOD deployment.

About the Author: Paul Andersen is the Director of Marketing at Array Networks (www.arraynetworks.com). He has over 15 years’ experience in networking, and has served in various marketing capacities for Cisco Systems, Tasman Networks and Sun Microsystems. Mr. Andersen holds a Bachelor’s Degree in Marketing from San Jose State University.