Planning Considerations for BYOD and Consumerization of IT (Part 2)

by Deb Shinder [Published on 27 Aug. 2014 / Last Updated on 27 Aug. 2014]

In this article, we’ll begin our planning process by discussing a collection of solution requirements that cut across all secure BYOD deployments.

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the first part in this article series please go to Planning Considerations for BYOD and Consumerization of IT (Part 1).

Introduction

In the first part of this series on planning considerations for securing BYOD and the consumerization of IT, we looked at the BYOD problem domain and discussed key aspects of planning and design. We finished the article by looking at the structure of a planning framework that you can use to guide your planning decisions. This framework included our problem domain, which is BYOD, and several subdomains that need to be considered when building out a BYOD enablement solution. Within each subdomain is a collection of technical capabilities that need to be understood and addressed, so that requirements for each of them can be defined and then used to carry out the design exercise.

In this article, we’ll begin our planning process by discussing a collection of solution requirements that cut across all secure BYOD deployments. These are the technical capabilities that are required in every BYOD solution:

  • Access to corporate applications and data from almost any device and any location
  • The ability to manage these users and devices regardless of location
  • Protection of all corporate data stored on the managed BYOD devices
  • Simplified identity management for BYOD users
  • Support for modern authentication mechanisms
  • Compliance with government and industry security and privacy standards
  • Robust monitoring and reporting capabilities

Now we will drill down into each of these so that you have a better understanding of each requirement and the intent behind it, laying the groundwork for the subsequent discussions of each of the sub-domains.

Access to corporate data and applications from almost any location

One of the reasons that you might want to support BYOD devices is because it can help your users become more productive. How does BYOD contribute to higher productivity? In part, it’s about expectations and self-fulfilling prophecies. That is, users are more productive when they are using the devices that they believe make them more productive. Remember that BYOD devices tend to be mobile devices, so you want to make sure that your BYOD solution enables users to get their work done whenever and wherever they want to do it. BYOD, then, is all about user enablement, giving workers more flexibility so that they can become even more valuable assets to the company.

The requirement of access from almost any location might also make you think of cloud computing. In fact, if you’ve done your homework in that area, you know that “anywhere access” from virtually any device is one of the NIST Five Essential Characteristics of cloud computing. This isn’t the only commonality, either. You’re going to find that many of the principles and patterns that are used for a cloud computing solution will apply to anything that you build to support your BYOD users.

Before designing your BYOD solution, it’s important to look at how access will work in your organization. In general, users are going to need to be able to access corporate resources both when they are on premises and when they are off premises. Keep in mind that some users (and in some organizations, the majority of users) are rarely or never going to be on-premises, so a well-designed BYOD solution has to make the off-premises experience on par with the on-premises experience.

The ability to manage users and devices regardless of location

Users may or may not be on-premises at any given time and as mentioned previously, there are going to be a number of users who may never be on-premises. Because of that, you need to be able to manage the BYOD devices that connect to your network regardless of the user and device location. You can’t wait for users to locate themselves on-premises and then manage their devices. That’s an antiquated way of doing things and it could put your network at risk.

Device management was what drove the earlier paradigm, in which all computing devices used to access corporate resources were owned and managed by the company and the IT organization, and most of them sat on-premises where this was easy to do. This enabled IT to secure the devices and make sure that all of them had a common security configuration at all times. That worked great for IT, but often resulted in frustrated users. As the old paradigm crumbles and the BYOD paradigm takes its place, device ownership has changed – but what hasn’t changed is the need to secure these devices, and that means you’ll still need to manage them, regardless of user and device location (and ownership).

As you’ll see later as we move through the planning process for BYOD, device management for BYOD devices can and will take on a very different meaning compared to your current conception of device management. Remember that the user owns the device that you’ll manage, and therefore your perceptions of command and control over these devices are going to need to change. For example, heavy-handed approaches to incident response in the event of device loss will inevitably change: you can’t necessarily just wipe an entire device and all the data on it as a matter of routine, because much of that data will be personal information that the user does not want wiped, in the hope that the device may someday be returned.

Protecting all corporate data stored on the managed BYOD devices

In addition to the dilemma created by dual ownership of data – some of which is company data and some of which is personal data – we also have the complications that arise when these different types of data are stored not only on the device itself, but in various other physical locations. In a cloud computing driven world, the concept of security is evolving. In the past, most people would equate security with the network firewall that created a hard boundary or “edge” between the corporate network and “outside” – which typically meant the Internet. If you had strong perimeter controls in place, you were considered “safe”. Whether or not that was really true, that was how many IT pros, even security experts, felt.

In today’s cloud computing environment, we can’t afford to hang onto that naïve belief. The borders that separate the corporate network from the outer world are much more fluid. Users and data may be located in a variety of places. Managing the perimeter doesn’t really ensure much if the data is spread out across corporate file servers, public cloud email providers, web hosts, a variety of “boxes” (OneDrive, Google Drive, Dropbox, etc.) and on a multitude of end-user devices. Instead of just thinking about “network security” (driven by firewall security), you now have to think about a non-perimeterized world where the security focus is squarely on what needs to be protected: the data and the servers that generate and manage that data.

This also has an influence on the decisions that you make when it comes to managing and securing the BYOD devices. In the past, when the company owned and the IT department managed the computing devices that users used to get their work done, every aspect of a device could be managed. The operating system, the applications, the data, authentication and authorization schemes, network access and more were all controlled by corporate IT. In the BYOD world of cloud computing, applying the same model would involve so much overhead that it is unlikely to work, and even if it were feasible, it is unlikely to let the users of the devices accrue the benefits desired from a BYOD implementation.

This is why any BYOD solution must have a primary focus on securing the data accessed by the BYOD devices. You need to prevent that data from getting into unauthorized hands. Data leakage protection becomes a pivotal concern. Along the same lines, you need to make sure that there is no unauthorized access to the data, which also means that you have to make sure that there is no unauthorized access to the BYOD device itself.

This is of critical importance because BYOD devices tend to be, at least in a physical sense, more “loosely coupled” with their owners than in the days of desktops and big laptops. Desktops and beefy laptops were much less likely to be lost or stolen than the tiny devices that users use for their BYOD needs. Smart phones, tablets, slates, mobile screens, wearable devices and more are small and are easily and frequently misplaced or stolen. Even more problematic than the small-form-factor BYOD devices themselves are the storage media that are inserted into them. A micro-SD card is smaller than a dime and weighs even less – yet that tiny storage device can hold over a hundred gigabytes of corporate information. Preventing unauthorized access to this data thus becomes one of the most critical requirements of any BYOD solution.

Summary

In this article, we began the process of planning your BYOD solution by defining certain core requirements that should be met by any BYOD solution. Your planning process will include an assessment of many different technical capabilities that can be included in a BYOD solution, and your design decisions will vary in terms of which of those capabilities you want to enable and how you will enable them. For some, or even many, of them you’ll decide that you don’t want to enable them at all, and so they won’t become part of your requirements.

In contrast, the technical capabilities discussed in this article are required in all BYOD solutions. Unlike the capabilities that belong to the individual BYOD sub-domains, the solution requirements we have discussed here, and will continue to discuss in the article that follows, will be included in every BYOD solution deployment.

In Part 3, the next article in this series, we’ll finish our coverage of the BYOD solution requirements and the meaning and intent behind them, and then we’ll move on to examine each of those sub-domains that we listed in Part 1. Please join us as we navigate through this complex and sometimes confusing process of planning for and designing a secure BYOD deployment.
