BYOD keeps expanding, and IT just has to deal with it

The debates about whether the BYOD (bring your own device) trend makes economic and security sense for enterprises raged on during 2012, and will continue through 2013 and beyond.

But the reality is that BYOD is expanding, not only because of the number of employees doing it, but also because the kinds of devices are expanding as well. Instead of just laptops and smartphones, there are now tablets and mini-tablets.

Mat Young, senior director of the products group for Fusion-io, was only stating the obvious when he observed earlier this week, “Many enterprise employees no doubt received new tablets this holiday season. And many are likely to bring them to work on Wednesday, Jan. 2, 2013 — perhaps the biggest day ever for the BYOD trend.”

So, for most enterprises the question is not whether to encourage BYOD or block it, but how best to cope with it.

[Joan Goodchild in Leading Edge: Should security be responsible for BYOD policy?]

Ian Tibble argues at Infosec Island that the security of the devices themselves is almost irrelevant. “The place where security is at these days, isn’t a place where we can effectively manage user device security … we lost that battle,” he wrote. “The stance has to be based on an assumption that one or more devices in corporate subnets has been compromised.”

And Luke Philips at TechSling noted that Google’s new security feature called “application verification service” with the release of Android 4.2 is not as secure as advertised.

Citing a study by Xuxian Jiang, a computer science professor at North Carolina State University, he wrote, “the Google AVS is only effective in stopping 15% of known malware threats. This is a scarily low number for IT departments … IT departments, if they haven’t already, need to make enterprise mobility policy their top priority for the new year,” he wrote.

One idea came during a recent panel discussion of mobile security by CISOs at an event hosted by CSO magazine: Since the device is untrusted anyway, let users do as they like, but isolate corporate apps, data and network access from whatever else is on the device — “containerize” it.

But, the CISO acknowledged that it was still just an idea, not a product.

In the realm of reality, Gartner recommended after a major survey last year: “Enterprises should focus on mobile data protection (MDP), network access control (NAC), and mobile device management (MDM) tools to support their BYOD and new enterprise mobile platform efforts.”

Andrew Jaquith, CTO of Perimeter E-Security, agrees in part. “MDM can help ensure that the most essential mobile security policies are enforced, for example requiring a PIN and an auto-destruct policy,” he said.

“MDM can ensure that content, or full-device encryption, is enabled on platforms that support it, such as iOS and BlackBerry,” he added. “However, Android devices offer no guarantees about whether encryption will be present or not, so we generally recommend retrofitting Android devices with a lightweight encrypted container app.”

But Jaquith is not so enthused about NAC, which he calls “a fussy technology that doesn’t work well in dynamic environments.”

“The idea is noble: block any devices not known to IT from accessing the network,” he said. “But in practice, NAC is very brittle because it presupposes that IT can somehow know all of the devices that should be allowed to be on the network. With BYOD, they can’t — indeed, that is the point of BYOD.”

Jeff Wilson, principal analyst of security at Infonetics Research, said another problem with NAC is cost. “It’s not a reasonable investment for all sizes of company — it’s mainly aimed at larger companies,” he said. But he added: “Companies of all sizes do need to establish what devices are connecting to their network, and what they’re doing when they’re connecting.”

John Prisco, CEO of Triumfant, calls all three Gartner recommendations “superficial security checks.”

“We should be approaching BYOD security on a deeper level. What we really need is something that looks at the integrity of the endpoint,” he said. “NAC alone, for example, just gives the device access to the network — what good does this do on its own, especially when it has been easily spoofed by hackers in the past for entry?”

Wilson agrees with  the notion that employee devices need to be assumed to be unsafe. He said many companies can add an SSL VPN client to employee mobile devices to allow for corporate connectivity. “I think that for smaller customers, or customers looking for some lighter-weight MDM and MDP solutions, the SSL VPN client will be the way,” he said.

Prisco called for anomaly-based detection on mobile endpoints, like those on computer endpoints. “To do this, security professionals need to put an agent on the endpoint that will be able to collect all of the data entering the network no matter what kind of mobile device, tablet or laptop the employee brings to the enterprise,” he said.

Jaquith said explicit BYOD “Acceptable Use Policies” should be added in addition to technological fixes. Among the security policies he suggests: Require encryption for sensitive company information.

“Protect each device with a five- or six-digit numeric passcode,” Jasquith said. “When combined with a 10-wrong-tries auto-destruct policy, this is stronger than a typical desktop password policy, and easier to use as well.”