Manage BYOD Painlessly and Effectively
Security woes can turn the dream of BYOD into a nightmare, but the right management tools can help IT leaders sleep more easily.
The public's infatuation with mobile devices is prompting more users to bring their smartphones, tablets and notebooks into an ever-wider number of places, including the workplace.

While users appreciate the convenience and flexibility of having their personal mobile devices with them at all times, many state and local government IT managers view the bring-your-own-device (BYOD) trend with trepidation, concerned that it poses a major new threat to their organizations' carefully crafted cybersecurity strategies.
When the BYOD trend emerged just a few years ago, many organizations responded with device governance measures, including bans on users employing their personal mobile devices at work or requiring them to use only organization-supplied mobile apps while on the job. These steps reflect serious concerns about the security of BYOD devices. Indeed, a 2014 report from Webroot states that 95 percent of employers are concerned about security risks from users' personal devices. Fortunately, a number of mobile device management (MDM) tools have emerged to help state and local government agencies deploy, secure, monitor, integrate and manage a wide range of personal mobile devices.
MDM solutions aim to strike a balance: allowing users to enjoy the convenience of work and personal apps on a single device while providing a comfortable security blanket for government organizations. "With BYOD, there is increased risk that the confidentiality, integrity and the availability of sensitive state and local government operational data or citizen data could be impacted," says Kevin McPeak, a Symantec security architect. "A robust, mature MDM software program could greatly reduce those risks."
The Challenge
Once an organization has decided to deploy MDM for BYOD devices, it must make several more important decisions regarding device management, including what types of devices and apps to allow, how to provide secure network access, how to protect government data from theft and attack, how to set boundaries between personal and work data and how to address privacy and liability issues. "There are lots of different ways of thinking about how you might want to do BYOD, but it all depends on your goals," says Joel Snyder, a senior partner at Opus One, a technology consulting firm in Tucson, Ariz.
IT managers must also carefully balance user preferences and expectations against their agencies' security and operational needs. "One of the core issues with BYOD is who owns the device, and the word 'owns' here is not in the sense of physical ownership, but who owns it from a point of view of control and management of the device," Snyder says. "Any time you're talking about BYOD, there is a tension between the rights and needs of the user and the rights and needs of the organization."
Further complicating the situation is the fact that state and local agencies often lack the budget and staff resources necessary to effectively implement and monitor BYOD policies. Benign neglect, however, can have serious consequences, since unsupervised BYOD activities can lead to potentially costly security and liability incidents.
Fortunately, with MDM solutions now widely available, managers have access to a powerful family of software tools specifically designed to help organizations gain control over BYOD and, ultimately, use the technology to their advantage. In fact, an MDM solution allows a manager to approach BYOD as an opportunity rather than a threat, providing a fast and pain-free way to gain a more connected, productive and flexible workforce at less cost than if the organization acquired and distributed its own mobile devices to users.
Tools for Managing Mobility
MDM solutions are essential for enforcing crucial mobile policies covering an entire range of device management issues. An MDM program allows an organization to continuously monitor, organize and secure mobile devices based on different operating systems and deployed across various mobile service providers. Forrester reports that approximately half of the organizations it surveyed have already adopted MDM technologies.
State and local governments have many MDM solutions to choose from. AirWatch by VMware, for example, supports BYOD programs by providing a flexible model for asset management, policy enforcement, and distributing profiles, apps and content. Once end users are enrolled and authenticated, profiles, applications and content are configured automatically based on the user and device ownership type.
MaaS360 by Fiberlink, an IBM company, aims to simplify and speed MDM deployment by providing comprehensive visibility and control that spans across virtually all types of mobile devices. MaaS360 offers a unified console for smartphones and tablets with centralized policy and control across multiple platforms.
With the Symantec Mobility Suite, agencies can choose between two models to engage mobile users. Under the first model, users are issued mobile devices that are managed via MDM. Mobility Suite can manage devices, including setting device security policies and wiping or resetting devices. Under the second model, users employ their own mobile devices, which are not centrally managed but instead have access to a Mobility Suite "store." Through that app store, users can download mobile apps and mobile content that have enterprise-grade security "wrapped" around them. If a user's mobile device is lost or stolen (or if the user resigns or is terminated), the "wrapped" apps and content can be remotely wiped.
Get the NAC
A network access control (NAC) solution works in close cooperation with, and is sometimes integrated into, MDM software to ensure a secure BYOD environment. While MDM solutions are device-oriented, giving managers the ability to apply various policies to mobile devices, NAC solutions allow policies to be applied to the network. In essence, NAC technology lets government agencies see what is connecting to their networks and control which parts of the network users can access with their mobile devices. "A NAC is built to look at the endpoints that are touching the network, figure out what they are, and really determine who's actually trying to come in and whether or not they are actually getting in," explains James Plouffe, a solution architect at mobile security firm MobileIron.
As with MDM technologies, various vendors offer many NAC solutions to choose from. With Aruba ClearPass Policy Manager, for instance, state and local governments can centrally manage network policies, automatically configure devices and distribute security certificates, admit guest users, assess device health and even share information with third-party solutions on any network and without changing their current infrastructure. "End users can self-configure smartphones, tablets and notebooks for use on secure enterprise networks," says Trent Fierro, director of security solutions marketing at Aruba Networks. "A built-in certificate authority allows for IT to forego login and passwords in favor of certificates, which are more secure; there's no longer any threat of man-in-the-middle password theft."
Network security is also a valid concern for organizations with BYOD users, such as public works and safety employees, who need to access data stored on organization systems while working in the field. Users who connect to a public hotspot or other type of commercially operated network can potentially compromise security. NAC solutions fully address this situation, too.
Cisco Identity Services Engine (ISE), for example, is a security policy management platform that unifies and automates access control to proactively enforce role-based access to enterprise networks and resources. The solution offers protection no matter how a user chooses to connect: by wired or wireless networks or virtual private network (VPN). "Agencies can enforce profiles that allow mobile devices to connect only to trusted or approved wireless networks," says Stephen Orr, a distinguished systems engineer at Cisco Systems' U.S. Public Sector unit. "They can enforce a remote access VPN if they are using cellular data or an open wireless network, since data-in-transit encryption should always be required."
Source: Tech Pro Research, "Wearables, BYOD and IoT: Current and Future Plans in the Enterprise," January 2015
Integration and Evaluation
Not only does an organization need to take into account which MDM solution to utilize, but also whether that technology will be able to successfully mesh with the existing IT infrastructure. This is an especially important consideration for organizations struggling with the challenges of operating and maintaining older IT systems.
"Not all MDM software can effectively integrate with an existing infrastructure, so it's important to first evaluate which infrastructure systems may need access to the data the MDM provides," says Aruba Networks' Fierro. "Open application programming interfaces are needed to ensure that workflows can effectively be customized per business demands: network access, traffic inspection and so on."
Fierro also advises investigating the level of cooperation between the MDM vendor and the infrastructure's operating system vendor. "Longstanding relationships are important, as software updates need to be tested prior to users downloading and updating devices," he says. "The key is understanding how changes will affect network performance and vulnerabilities."
Symantec's McPeak notes that to avoid adding complexity and administrative overhead to an existing IT infrastructure, an organization might want to consider using a cloud-based MDM solution, which does not rely as heavily on in-house hardware and software. Dan Quintas, a solution engineer at AirWatch, agrees. "MDM is a relatively lightweight architecture, so it's not uncommon for it to be deployed in the cloud," he says.
To ensure full interoperability with existing IT resources, as well as to zero in on the MDM technology that most closely matches specific needs and preferences, state and local agencies should also consider evaluating one or more solutions in a trial deployment. "We would recommend conducting a proof-of-concept on site with trial license software," McPeak says. "If several solutions are evaluated, then a 'bake off' evaluation should occur where the vendors are invited in to assist in the competition."
Five Guidelines for a Successful BYOD Policy

State and local governments considering a bring-your-own-device policy should follow several steps to improve their chances of success.
1. Specify permitted devices: BYOD policies must be written clearly, allowing users to fully understand what types of devices can and cannot be used while on the job. Some government agencies, for instance, permit users to bring virtually any type of mobile device to work, while others limit the choices to specific brands or models. New users must be made aware of any device restrictions during the onboarding process.

2. List permitted or banned apps: An agency's mobile policy should identify applications that are required for specific tasks as well as who should provide the application (the agency or the user). Many organizations also prohibit users from installing certain apps, or types of apps, that could potentially affect security.

3. Set liability guidelines: A mobile policy should include specific guidelines that limit an organization's potential liability for information that is lost or stolen via mobile devices. Particularly important are stipulations that affect how users obtain, employ and communicate information on their devices.

4. Establish firm data access rules: Users in a BYOD program must know which types of data they are allowed to access, over what kinds of networks and using what types of devices. In most cases, mobile device data access rights can safely mirror office desktop computer clearance levels.

5. Create a user exit plan: Enforcing the removal of access tokens, email accounts, work data and other proprietary applications and information from the mobile devices of departing users is essential. Some organizations now make a complete wipe of a BYOD mobile device an integral part of the employee exiting process.
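As an added example that is not from the article or any of the vendors it mentions, the following Python sketch turns the NAC behaviour described in the "Get the NAC" section (admit only enrolled, certificate-bearing devices; allow trusted networks; require a VPN on open wireless or cellular) and guidelines 1, 2, 4 and 5 above into a policy check run over constructed device records. The device types, app names, network names and clearance levels are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from any vendor)
PERMITTED_DEVICE_TYPES = {"smartphone", "tablet", "notebook"}   # guideline 1
BANNED_APPS = {"rooting-toolkit", "unapproved-file-sync"}       # guideline 2
TRUSTED_NETWORKS = {"agency-wifi", "agency-wired"}              # approved networks
CLEARANCE = {"public": 0, "internal": 1, "sensitive": 2}        # guideline 4


@dataclass
class Device:
    owner: str
    device_type: str
    enrolled: bool           # enrolled in MDM (or using wrapped apps)
    certificate_valid: bool  # device certificate issued by the NAC's CA
    apps: set                # installed app identifiers (constructed names)
    network: str             # e.g. "agency-wifi", "open-wifi", "cellular"
    vpn_active: bool = False


def evaluate_access(dev, user_clearance, data_class):
    """Return (decision, reason); decision is 'allow', 'require_vpn' or 'deny'."""
    if dev.device_type not in PERMITTED_DEVICE_TYPES:
        return "deny", "device type not permitted"
    if not (dev.enrolled and dev.certificate_valid):
        return "deny", "device not enrolled or certificate invalid"
    banned = dev.apps & BANNED_APPS
    if banned:
        return "deny", "banned apps installed: " + ", ".join(sorted(banned))
    if CLEARANCE[data_class] > user_clearance:
        return "deny", "data class exceeds user clearance"
    if dev.network in TRUSTED_NETWORKS:
        return "allow", "trusted network"
    # Open wireless or cellular: data in transit must be encrypted via VPN
    if dev.vpn_active:
        return "allow", "untrusted network, VPN active"
    return "require_vpn", "untrusted network without VPN"


def offboarding_actions(dev):
    """Exit plan (guideline 5): items to remove from a departing user's device."""
    actions = ["revoke_access_tokens", "remove_email_account", "remove_work_data"]
    if dev.certificate_valid:
        actions.append("revoke_device_certificate")   # also blocks NAC admission
    if dev.enrolled:
        actions.append("wipe_managed_apps_and_content")
    return actions
```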
To learn more about how to keep your agency's mobile devices safe and secure, visit CDW-G's Mobile Security webpage.