Enterprise BYOD: Bring-Your-Own-Disaster?

Share Post

For the past few years I have proposed the following: The inmates are taking over the asylum. Some say this phrase is attributed to a comment Charlie Chaplin made in the 1920s when actors began running movie studios. Now it seems that Charlie is right once again.

The consumerization of IT has a rather undesirable consequence; many of the concepts developed and technology deployed to protect our networks and sensitive data have become ineffective. The reason is quite simple – IT departments (wardens/curators) have lost visibility and control over who and what is in their asylum. Control has now shifted to employees (inmates) who are defining the infrastructure, supplying their own technology and doing so without asking IT for permission.

Spoiled by decades-old techniques, the typical approach to network security has been the bad guys (or girls) are outside the network and thus we must protect the perimeter from the angry hordes at the gates. Conversely anyone inside the company gates isn't heavily scrutinized, trust is assumed by default. Mobility forces us to change this approach and rethink trust and untrust.

In today's enterprise networks, just because someone is authenticated through Active Directory doesn't mean we should automatically trust them and their device.  Gone are the days where users (employees) logged into the network from a fixed location (their desk) on a fixed device (the company issued desktop). Employees and guests are hopping onto the network from all over the campus and all over the world, and they're doing so on devices IT no longer owns with apps IT never vetted.

The embrace of enterprise mobility, whether willingly or otherwise, presents some rather specific challenges from a security perspective:

  • Broken trust model – we can't trust anything anymore. Trust needs to be learned using context about users, locations and applications. Likewise we can't just authenticate anymore, we also need to authorize users and their devices and audit their sessions carefully. What's more, the modern AAA infrastructure must be tightly coupled with a robust policy engine that can leverage rich context for crafting the right policies to address the needs of mobile workers while giving control back to IT.
  • Limited device visibility - the lack of visibility today is staggering! What are the devices on the network – both authenticating and head-less? Which ones belong on the corporate network, which ones do we block, what belongs on the guest network? How do we differentiate between corporate versus personal devices and how do we enforce policies governing all this?Blog dog.jpg
  • Poor security enforcement – in modern mobile networks, enforcement needs to extend beyond the perimeter to the access layer. Policies should be enforced at the point the user and their device are touching the network, since we no longer know who or what they are. Having ACLs or non-stateful controls doesn't cut it anymore. A stateful enforcement tool (aka firewall) that uses context and role-based enforcement delivers better security than trying to extend VLANs or use multiple SSIDs to segment users, their devices and traffic.
  • It's not about blocking ports anymore – modern applications are too smart for that and can hide in other legitimate apps or dynamically hop through any open port. We need to think about how to enable the apps we want, anywhere and anytime for all devices, and utilize that knowledge to tune the network for optimal performance and availability while reducing risk.
  • Preventing threats – we can't just block the knowns, we need to block unknowns and targeted threats against all assets including mobile devices. Interestingly, though not surprisingly, new threats emerge daily targeting mobile OS's and apps in an attempt to either hijack data, devices or both. New threat vectors and unknown vulnerabilities leave the door wide open to a plethora of exploits.
  • Protecting data – when everything ran over a corporate owned device, it was easier to prevent unwanted activities (like downloading personal apps and comingling data). Usage was typically confined to a single employee (and perhaps a few of his/her children) and administrative privileges could effectively reduce the device to just a dumb terminal if need be. Not any more – personal devices are running work apps, downloading sensitive data, and being left in trains, planes and automobiles, and IT no longer has any control over where data goes.
  • Employee self-service – we are all IT gurus. We're setting up our home wireless networks and getting our streaming media devices and printers to all talk together. The ease of setting these things up at home emboldens employees into thinking that it will just work at the office the same way it does at home. The more roadblocks IT throws up to prevent this behavior, the more employees circumvent difficult procedures and further compromise security.

BYOD and mobility are no longer exceptions, they are expected – whole generations of mobile users are entering the work force armed with three or more devices. And, they are expecting a network infrastructure that will accommodate them, their devices and the way they want to work.

In the coming months, we'll explore some best-practice approaches to dealing with the issues outlined above, but have we covered all the major concerns? What other security issues are you dealing with as a result of enterprise mobility that weren't covered here? Join the discussion . . .