New Ways to Secure Mobile Devices for BYOD
The discussion on BYOD centers on whether employees working more efficiently on their personal devices is worth whatever network security vulnerabilities are sown when enterprises allow numerous devices and operating systems to access their networks.
As a compromise between employees and employers that brings everyone onto the same page, a BYOD policy helps. But, it doesn't completely reconcile the interests of both employees and employers, as work efficiency and enhanced network security are far too often seen as mutually exclusive concepts.
That's why new technologies that could help employers to secure mobile devices are so appealing. So, what are these technologies, and do they really provide any greater benefit than existing BYOD policies and approaches?
A 'Kill Switch' Could Give New Life to BYOD
A new bill working its way through the California legislature would require mobile device manufacturers to equip their products with a "kill switch" that would allow users to remotely disable phones should they get lost or stolen. The thinking is that if potential thieves knew there was a chance a stolen phone could be rendered useless by a kill switch, they would have less incentive to steal one.
If that bill, SB 962, becomes law and begins a national trend, could it also make BYOD more appealing to enterprises? No, according to FierceCIO contributor Jeff Rubin. The problem with kill switches, as a supplement, or even a full-fledged alternative, to BYOD policies, is that they don't really place any power back in the hands of the enterprise. The device is still the employee's, as is the decision to disable it. Legally, the employer cannot compel the employee to pull the plug.
Separate Containers, Less Risk?
Alternatively, an enterprise could issue a mobile device that has two distinct operating containers. In that circumstance, one environment within the device would solely contain apps and information used for work purposes, while the other would be for the employee's personal use. In this scenario, IT departments would gain some degree of oversight and control over employee devices, and, as NetworkWorld points out, they'd be able to "enforce security such as authentication, encryption, data leakage, cut-and-paste restrictions and selective content wiping."
But, just like kill switches, containerization has been maligned as a catch-all BYOD solution by the tech media. Last summer, CITEworld's Ryan Faas wrote that the "dual persona" approach of containerization actually erases whatever advantage a user would gain from using their personal device at work. As Faas points out, containerization is simply a more extreme version of the pre-BYOD practice of giving employees “a locked-down and IT-controlled BlackBerry with just the apps on it that IT deemed necessary, and [letting] them carry their personal phone with them as well.” As an example, an employee with a dual-container device still couldn’t use, for work purposes, an app that hadn’t been approved by the IT department, even if he or she thinks doing so would make them more productive. Because the user is sacrificing control, they'll either be less productive (since they can't determine their own workflows or choose their own apps) or they'll just work around IT restrictions (creating network security vulnerabilities).
As NCP engineering’s Joerg Hirschmann said in a ZDNet article, “IOS and Android have started down a useful path by adding access controls… but these are far from a comprehensive in-depth security framework. The server operating systems, applications, databases, and networks must all be considered as well.”
This, Hirschmann believes, “leads to the requirement for careful planning, monitoring, and sophisticated firewalls and even to the use of virtual private networks. “
Defense In Depth: An End-to-End Alternative
A deeper critique of new mobile device security technologies like kill switches and containerization reveals that both approaches only partially address the security concerns associated with BYOD, and their benefits come with significant drawbacks.
A defense in depth strategy, on the other hand, helps to insulate organizations from attack through otherwise vulnerable endpoints, without robbing employees of the control and flexibility BYOD provides them. Through built-in redundancy, a defense in depth approach helps to prevent, and possibly even stop, attacks before they become destabilizing. Sophisticated firewalls and centrally managed VPN services, for example, create a secure, encrypted connection through which employees can access a corporate network. In conjunction with other mobile device security technologies and a BYOD policy that clearly lays out expectations to employees, defense in depth increases the resilience of network security.