Sunday, December 30, 2012

How do MDM, NAC-based discovery/access control tools, and containerization tools differ in managing enterprise security due to BYODs?

MDM (mobile device management) solutions mainly focus on the end device rather than the network, and this is usually done by installing client software on the device itself...

On the other hand, mobile discovery and access control via NAC (network access control) technology works mainly over the enterprise network. It can also detect all devices of every type and kind (cross-platform), irrespective of whether they are registered or not, providing a complete inventory of devices including OS, model, type etc., and all of this can be done without installing a client on the device...

The third way of protecting data under BYOD is the containerization of apps (app wrapping). Here the solution is built around the data and the apps and not around the device per se. If you think holistically, there are four different types of apps: native apps, which are supplied by the OS (say, an email client),...


Manjunath M Gowda
CEO, i7 Networks - “Agentless BYOD Control”

Monday, December 24, 2012

NAC: how does it work and how is it relevant to BYOD?

With the proliferation of BYOD (bring your own device), IT’s scope has been redefined and a new movement has taken hold, called the consumerization of IT, wherein third-party apps are used to access corporate resources and more and more consumers, rather than IT, are making the decisions on apps and devices. Today IT’s primary concern is shifting towards the security and integration of these apps and devices into the company ecosystem.

IT needs to take a complete, holistic approach to network security now that BYODs have arrived on the enterprise network. Organizations need to consider all parts of the BYOD ecosystem, which includes following the device as well as following the information. IT needs to be sure that devices used by employees meet company security policies and standards before they connect to the corporate network. IT should ensure the integrity and secure configuration of endpoint devices. IT should also secure the network by controlling access to resources based on pre-established corporate policies. Once the devices are taken care of, IT needs to look at apps: it needs to make sure that the apps being used over the corporate network are trusted, tested and internally vetted for security.

Integrity and secure configuration can be ensured via MDMs, wherein a client is installed on the device (a privacy-intrusive method); via manual or semi-automatic registration (laborious, error-prone, and needing to be repeated); or via a newer method that does not intrude on privacy, which we call the agentless method.

Manjunath M Gowda
“Got BYOD? Get control…agentless”

Sunday, December 23, 2012

7 Tips to ensure security for allowing BYODs onto Enterprise network

BYOD security is still in its infancy and will consolidate over time; until then, one needs a multitude of security offerings to make sure that the corporate IT infrastructure and the corporate data on the BYODs themselves are secure. While the security tools move towards maturation and standardization, one can still allow BYODs on the enterprise network to reap the rich benefits they bring along. Below are some tips that will ensure good security measures for allowing BYODs on the enterprise network.

Tip #1: Develop an acceptable use policy
Create an acceptable use policy addressing the baselining of devices to be allowed and rules on what can be accessed, along with clear corporate expectations about corporate data on personally owned devices (BYODs). Have tools that ensure that baselining is enforced and that also ensure tiered access to corporate data, servers and databases based on the device. Ensure that no jailbroken or rooted devices are allowed on the network, and have tools that enforce that. Also address the privacy concerns of employees by explaining how the solution being implemented will in no way track or log the employee's online behavior or location during non-office hours or when away from the office.

Tip #2: Educate users.


Manjunath M Gowda
“Got BYOD? Get control…agentless”

7 pain points to allow BYOD onto Enterprise network

Pain Point 1: As the name says, they are employee owned, and all the assumptions that IT made for company-owned laptops fall flat. This means IT will have less control over the devices and their acceptable configuration, use and security.

Pain Point 2: They are easily lost. They are small, light, very easy to use and your constant companion, and you take them everywhere with you, be it to the café, to the pub, to any personal function or meeting, or even to the mall. (A statistic says that 48% were lost during lunch or dinner at a mall.)

Manjunath M Gowda
“Got BYOD? Get control…agentless”

Thursday, December 13, 2012

Why industry will move away from MDM way of securing BYODs and why privacy intrusion will be of much bigger concern than information security?

Before I say anything, let’s see what people say about it. Here are the results from the recent (2012) Harris survey that looked at this very issue. The survey revealed that employees are alarmed about employers’ ability to access and collect personally identifiable information through business-owned or employee-owned mobile devices.

The survey concluded that many employees are overwhelmingly concerned and would not want employers to have this access into their personal lives. The following provides a summary of what employees said about the issue:
  • 82% consider the ability to be “tracked” an invasion of their privacy
  • 76% would not give their employer access to view what applications are installed on their personal device
  • 75% would not allow their employer to install an app on their personal phone which gives the company the ability to locate them during work and non-work hours
  • 82% are concerned to extremely concerned about their employers tracking websites they browse on personal devices during non-work time.
  • Only 15% are not at all concerned about employers tracking their location during non-work time
And this is what a US customer had to say:

“Privacy concerns are a major challenge for MDM and BYOD, as we found out at our hospital. We were looking to bring in a larger MDM system, but the doctors (who own the hospital) felt it was too intrusive since they all wanted to use their own devices, but didn’t want IT to have total control over them. Still, they wanted the ability to send HIPAA compliant patient info (mostly text messages) to admin and other doctors. We changed our strategy and started looking for individual apps to deal with the various security issues and the doctors didn’t feel it violated their ‘privacy’ which made it acceptable to them.”

If you look at today’s mobile device management solutions, they have just replicated how traditional IT used to work, and that worked well. But there is a difference: back then IT owned the device, and today it does not (BYOD). The rule is, “if you don’t own the device, you can’t dictate everything that is done on that device”. So enterprises have to take a fresh look at the whole issue of BYOD security.

Also, with BYOD there is another new issue that needs to be addressed: privacy. Installing a client on a BYOD for monitoring should be a strict no-no considering all the privacy concerns it brings. Whether the enterprise monitors the devices during off-office hours or not is a separate issue, but the very concept of an employer-provided monitoring client sitting on their device will definitely bother privacy-concerned employees, who are north of 80%.

It is not just privacy; you need to look into the legal aspect too. Many MDMs give IT the ability to track the location coordinates of the device. In some countries there are privacy laws that prohibit this: not just doing it, but even having the ability to do so.

BYOD is bringing in a new era of consumerization of IT. The devices belong to the employees, and so do the apps that connect to the enterprise applications, servers and databases. What IT should mainly look into today is the security aspect of it all. What IT should never do is compromise the privacy of employees, which in my opinion will be a much bigger issue (at least in legal bills) than information security. This is where a new, holistic way of thinking is the need of the hour as far as BYOD security is concerned. I believe that in this new thinking, one should follow the data and not the device. It is a hard problem, but technology can help here, and one should use it to make sure all features and controls are implemented in such a way that we don’t need a client sitting on the BYOD (that is the easy way to go) and there is no intrusion of any kind on the privacy of the employee; in particular, employees should in no way be tracked, be it their location or their cyber trail, during non-office hours.

That's why I think the industry will move away from MDM and toward an agentless way of doing security that keeps employees' privacy of utmost importance, which will help move the security focus from the device to the data and the applications, where it belongs in reality.

Manjunath M Gowda
“Got BYOD? Get control…agentless”

Sunday, November 25, 2012

BYOD, Gartner & re-birth of NAC

What is NAC, and why might it find a revival? NAC, policy-based network access control, is a decade-old technology that was proposed to manage mobile (as well as desktop) devices, which back then were mainly laptops, chiefly for endpoint security: to control and monitor what is on those laptops and what is and is not allowed into the corporate network. It would have made huge sense if enterprises had allowed employees' laptops onto the corporate network, *but* not many people wanted their personal laptops used for official work, given the many legal and liability issues. CIOs didn’t want to allow that either, and started giving out corporate-owned laptops with a tightly integrated software and hardware combo, with IT controlling completely what went on the laptop and what didn't. It was not at all uncommon for people to have two laptops: one the company’s and the other personal.

Fast forward to 2012: now almost everyone has their own device, which we call a smart device (the concept of BYOD), that allows people to mix personal and official work and makes people smarter (?) and very productive. It is the dawn of a new work-life culture where your device and your work follow you literally everywhere, be it the pub, a vacation, an outing, your golf etc.

So NAC is now making a comeback because of the popularity of BYOD in the workplace (88% of companies in the US and UK are allowing BYOD and, more scary, more than 30% of devices are not officially allowed but are plying the corporate network; for complete statistics please refer to my earlier blog here & here), and it seems the right technology for this kind of device. (Full disclosure: i7 Networks' products, BYOD-Secure (the BYOD access control tool) and Hawkeye (the BYOD visibility and discovery tool), both use NAC technology.)

If I feel this is the right technology to monitor, manage policy for, and control access for BYODs, among other security measures, I am not alone. Gartner, for one, is predicting that the bring your own device (BYOD) phenomenon, in which employees are allowed to use their own personal Apple iPads, iPhones, Google Android devices and other mobile-ware for business purposes, will lead to a revival of NAC.

NAC was meant to govern computer (desktop or laptop) access to corporate networks by doing many things, such as checking whether the right updates are present, whether anti-virus has been installed etc. This technology now looks ripe for providing controlled access for BYODs. Many MDMs are rushing to use NAC to provide complete control of BYODs. (Full disclosure: i7 is taking a different approach, providing an agentless, non-intrusive way of detecting and controlling access for BYODs, but it also uses NAC technology.)

We feel an agentless, non-intrusive way of detecting all the BYODs on the enterprise network becomes very critical considering, first, the fact that one third of devices are unofficially on the network and, second, this quote.

Speaking at a roundtable organized by BT at the Infosec 2012 conference, Simon Wise, deputy head of the Ministry of Defense (MoD)’s global operations security control center, said: “We have a bring your own device (BYOD) policy and it’s simple: Don’t!” “The key risk is unauthorized devices and the threat they pose to the rest of the network,” he said. The MoD currently has around 750,000 IP devices, he said. “We need to be able to detect if they have been brought into our systems so we only allow authorized devices.”

Detecting these unauthorized devices, allowing (access control) only authorized devices, and letting them access only authorized data and servers requires the next-generation technology of a “non-intrusive agentless way” of detecting these devices and enforcing access control (where NAC becomes very handy). NAC will ensure that all corporate requirements (OS level, anti-virus software, anti-malware, right patches etc.) are met before BYODs are allowed on the enterprise network.

"NAC has been around for almost 10 years," says Gartner analyst Lawrence Orans, who acknowledges the "first wave" of NAC crested with a fairly modest adoption, mainly by financial institutions and some high-security situations, plus a few universities.  But NAC is getting a second chance to go mainstream because of BYOD, and this time it will gain much more ground as a security approach, Orans predicts. "BYOD is an unstoppable trend," he predicts, with businesses in ever greater numbers allowing employees to carry enterprise data on personal tablets. 

NAC being forged into mobile security tools offers some advantages, says Orans, in terms of allowing IT managers to set policy-based controls on BYOD tablets and smartphones in the enterprise. In the mobile-device context, NAC might check to see if there's BYOD "containerization" in place, for instance, to make sure personal and business data is cordoned off in some way before granting network access.

It seems BYOD is surely here to stay and NAC will get a second breather – we @ i7 believe strongly so :-)

Let me end with a nice quote from the VP of IT @ Cisco (March 2012): “BYOD has delivered savings of around 20 per cent; We don’t pay for it [BYOD], and our users are happier.”

Manjunath M Gowda
“Got BYOD? Get control”

Sunday, November 18, 2012

BYOD : Visibility - Security - Data Protection – What does the market say?

My previous blog, “I know BYOD but what is this BYOA or COPE? Being in IT should I worry about all these?”, talked about BYOD, BYOA and COPE, how they are changing the role of the CIO, and how the CIO needs to adapt or else finally lose control and, to a large extent, make the position itself unnecessary.

In this blog, let me use statistics and survey results to show how real the BYOD problem is and why we need to address the issue sooner rather than later, and end with what happens to you and your organization if you ignore the issues.

 ➢ There are very few people accessing the network using their personal devices

According to Blue Coat, nearly twice as many employees (71%) report accessing the network with their personal device as IT administrators believe are doing so. The IT administrators' number is 37%.

 ➢ BYOD security & visualization is more of an Enterprise issue and not for an SME

A survey carried out by B2B on behalf of software experts Kaspersky, mainly targeting SMEs, claims that 33 per cent of firms are allowing their staff to access corporate resources from their smartphones. Furthermore, 23 per cent of firms admitted to having already lost company data through a misplaced or stolen personal phone.

David Emm, senior security researcher at Kaspersky Lab, said: "BYOD is a tricky subject for organizations. Whether they opt for BYOD or not, businesses should look to manage and secure the use of these devices."

The Faronics survey confirms it. It did a thorough survey of the cyber threat and data breach experiences of small and medium-sized businesses (SMBs). U.K. respondents' concerns were: 62% believe "proliferation of end-user devices" is a key issue, as well as "lack of security protection across all devices," (cited by 56%) and "unsecure third parties including cloud providers," (53 percent).

 ➢ BYOD is on the decline and it is going down

The survey of 1,678 mobile workers at 1,100 worldwide enterprises was conducted between Sept. 27 and Oct. 19 by commercial Wi-Fi network provider iPass which conducts such a survey every quarter. The study revealed that the percentage of respondents using their own smartphones for work tasks has increased from 42% in the fall of 2011 to 46% in the fall of 2012. The company said that the percentage of phones provisioned by employers dropped from 58% to 33% over the same period.

For tablets, 59% of mobile workers said they expect to rely on tablets more in the coming year, and that iPad would remain the top preference of 54%.

Findings also indicate that the smartphone is "the center of the mobile workers' universe" because it ranks just behind wallets and keys as most important items in workers' lives.

 ➢ Should I worry only about iPads then?

The same iPass survey found that Apple's iPhone remains the most popular smartphone among workers, used by 53% of the mobile workforce, up from 45% in 2011. But Android phone use also increased to 34% of workers, up from 21%. Use of the Research in Motion BlackBerry smartphone decreased over the past year, from 32% of workers to 26%. Windows Phone-based devices were used by just 5% of mobile workers in the latest survey.

 ➢ With BYOD, is security the only issue I need to worry about?

Yes, organizations can now cut a lot of the cost of procuring devices thanks to BYOD & BYOA, but please don’t be too happy about the savings, as most of it will go towards procuring new BYOD visibility and security tools, and that's not all. There is something called “bill shock” coming your way.

The iPass survey respondents ranked the cost of making a network connection as the least important factor when choosing a mobile network, which could create a "bill shock" for businesses without Bring Your Own Device (BYOD) cost-control policies. The rapid growth of BYOD is both increasing worker productivity and increasing corporate costs, noted Evan Kaplan, CEO of iPass. "This report shows [employees] are willing to connect with little regard for cost. This lack of cost sensitivity has the potential to dramatically impact corporate budgets."

This is where BYOD visualization becomes very critical: you need to know where the traffic is going.

 ➢ OK, I got that. But is the BYOD security threat as big as it is made out to be?

A study sponsored by Webroot, based on a survey of endpoint and mobile-security decision makers in companies with 10 or more employees in the U.S., U.K. and Australia, found that more than half reported mobile threats, reduced employee productivity and disrupted business activities; 61% of survey respondents said they required additional IT resources to manage mobile security, resulting in higher costs.

The study also found an overwhelming 82% said they believe that mobile devices create a high security risk within the corporate environment. Results indicated that mobile security is a high priority for half the companies supporting BYOD, equating to increased help desk support and consumption of valuable IT resources. 45% reported lost or stolen devices in the past year and 24% experienced mobile malware infections, crippling productivity and potentially compromising company and customer data.

Blue Coat reported that 88 percent of employees think their mobile device is "somewhat or very secure from malware." Only about 22 percent of IT professionals, however, think the risk of malware spreading from employee devices to the corporate network is minimal or no risk.

Faronics announced the results of its State of Cyber Security Readiness survey, which examines the cyber threat and data breach experiences of SMEs across the US & UK. The respondents included executives from many levels of these organizations, ranging from the owner/partner to outside consultants, but were heavily weighted toward the director, manager, supervisor and technician levels.

The top three threats to their organizations listed by U.S. respondents included "proliferation of unstructured data," (69 percent), "unsecure third parties including cloud providers," (65 percent) and "not knowing where all sensitive data is located," (62 percent). U.K. respondents had a slightly different set of concerns: 62% believe "proliferation of end-user devices" is a key issue, as well as "lack of security protection across all devices," (cited by 56%) and "unsecure third parties including cloud providers," (53 percent).

 ➢ Are people implementing BYOD security in their organizations? Why or why not?

From the same survey: while 46% of BYOD companies have implemented mobile security, only 40 percent of companies with fewer than 100 employees have mobile security. Despite having access to more IT resources, larger organizations--those with 500 or more employees--are at even higher risk.

According to the study, 67% had dealt with lost or stolen mobile devices and 32% had experienced mobile malware infections, creating widespread concern about the business impact of employee-owned devices within the enterprise. Overall, 67% agree that the management of mobile-device security is a great burden on IT resources.

 ➢ What issues are keeping organizations from making it completely BYOD secure?

"Although organizations have become more aware of potential threats, they do not seem to accurately perceive the repercussions associated with data breaches," said Dmitry Shesterin, vice president of product management at Faronics. "Findings indicate that organizations do not understand the full costs and damages they will suffer as a result of a data breach. These organizations need to become more proactive about their security programs in order to minimize the damage they will inevitably experience from one, if not more, data breach."

Faronics' survey found just 9% among U.S. respondents and 4% in the U.K. admit security is not taken seriously because their organization is not perceived as being vulnerable to attacks. 64% of U.S. respondents and 75% of U.K. respondents cited "insufficient people resources" as a primary barrier to achieving effective security. 62% of U.K. respondents consider "the complexity of compliance and regulatory requirements" as a key barrier. 55% listed "lack of in-house skilled or expert personnel". 50% of U.S. respondents noted "lack of central accountability" and 41% listed "lack of monitoring and enforcement of end users".

 ➢ So what should we do as far as access is concerned? Complete access or restricted access?

Most organizations haven't yet solved the "my phone, my rules" challenge, according to Blue Coat. IT may have higher, stricter expectations for security controls on personal devices, but employees are making them meet in the middle, which has resulted in the creation of flexible policies that implement security only when corporate assets are at risk.

Not surprisingly, far more IT staffers (37 percent) than employees (12 percent) want to allow restrictions on the type of sites or content that can be accessed, as part of a corporate policy.

 ➢ What is the impact of security breaches?

From the same Faronics survey, when queried about the impact of data breaches on their organizations, more than half of U.S. and U.K. respondents cited the loss of time and productivity most frequently. Both U.S. and U.K. respondents also listed damage to their organization's brand second most frequently. According to the findings among companies that experienced a data breach:

  • 42% of U.S. respondents and 38% of U.K. respondents stated they "lost customers and business partners"
  • 41% and 34% of U.S. and U.K. respondents, respectively, experienced an increase in the "cost of new customer acquisition"
  • 35% of U.S. respondents and 31% of U.K. respondents "suffered a loss of reputation"

Results seem to indicate that companies tend to seriously underestimate the potential damage to brand and reputation, revealing a great data breach perception gap. Misconceptions about the consequences associated with a data breach are preventing organizations from implementing the necessary financial tools, in-house expertise and technologies to achieve cyber readiness.

 ➢ What factors influenced IT buyers to buy BYOD visualization, security and related tools?

Survey findings uncover that IT managers made security and data protection investment decisions based on ease of deployment and ongoing operations as well as low purchase costs.

73% in the U.S. and 78% in the U.K. seek products and solutions that enable easy deployment. U.K. teams further indicated the importance of minimal maintenance effort, with 62% of respondents listing the "ease of ongoing operations" as a key factor influencing security investments, followed by 58% seeking "low purchase cost" and 52% seeking low total cost of ownership (TCO). U.S. teams indicated a greater concern with costs, as 65% of respondents listed "low purchase cost" as a primary influencer over the 60% who listed "ease of ongoing operations" and 30% listed "low TCO."

 ➢ What tools are they using today?

65% of U.S. and 75% of U.K. respondents employ firewalls and other perimeter security technologies. 36% of U.S. and 53% of U.K. respondents turn to blacklisting and/or whitelisting tools to identify content with vulnerabilities. A significant plurality of IT teams relies on enforcing strict data policies, cited by 33% of U.S. and 45% of U.K. respondents.

I hope these surveys reveal important things that are happening in the BYOD market today. How it is trending and what Gartner says, I will try to cover in the coming blogs!! If you have any questions or concerns, or want to discuss trends regarding BYOD visibility or security, drop me an email and I will be happy to answer.

Manjunath M Gowda
ceo, i7 Networks
“Got BYOD? Get control”

manju.m (@) i7networks (.) in

Friday, November 16, 2012

I know BYOD but what is this BYOA or COPE? Being in IT should I worry about all these?

Today, whether you like it or not, whether you allow it or not, every organization has employees accessing office information via BYODs (“Bring Your Own Device”). Allowing access obviously opens up security flood gates that many IT departments may not be aware of at all. Let me discuss a bit about what is happening in the world today and briefly touch upon visibility of BYODs, talk about the new trends called BYOA and COPE, and then talk a little about security for these BYODs.

A survey conducted by B2B International in July 2012 reveals that 33% of companies allow their staff unrestricted access to corporate resources from their smartphones or tablets. 38% of companies apply some kind of restriction on smartphone use: these include bans on access to certain network resources. A further 19% have a complete ban on the use of mobile devices for work activities. But only 11% of companies currently use some kind of BYOD management tools to ensure compliance with corporate security policies. 34% of those surveyed think that the use of personal devices presents a threat for business, and another 55% frequently think about how to reduce the risk. This increased focus on mobile devices from IT specialists is probably explained by the fact that 23% said they had faced the loss of business data due to the loss or theft of mobile devices.

Despite all the risks involved, only 9% of companies are planning to introduce a strict ban on their usage (and the other 91% will be looking at solutions to manage these BYODs and their risks and security issues better). Interestingly, 36% of the IT specialists surveyed are sure that, irrespective of any new measures, the number of user devices in the workplace will only increase.

If that is all about BYOD, there is a new thing coming up called BYOA, or “bring your own applications”. BYOA cuts costs and reduces training requirements, since users are already familiar with their apps, and it will be relatively easy to integrate the apps into the organization's IT infrastructure. Edwin Schouten, IBM's Cloud Services Leader for Global Technology Service, agrees and sees lots of positives. Whether IT likes it or not, there will be a plethora of applications running on the corporate network driven by employees or consumers rather than by IT. This is something IT needs to adopt, accept and move on from, working more on how to secure the network in spite of BYOD and how to integrate user apps into the IT infrastructure securely, rather than trying to put restrictions on the usage or choice of software or apps. Basically, the consumerization of IT will be an unstoppable change. This (BYOA) will feel very familiar from the original impetus of BYOD. In fact, the BYOA trend is also getting traction in Europe. The Telegraph takes a look at the issue. To quote the Telegraph on this: “Bring or choose, the trend is for employees to use such tools for storage note-taking and free apps such as Skype for voice communications. The numbers are already impressive. Yammer has more than five million corporate users, Google apps has 40 million active users and Dropbox has more than 50 million users.”

While we are still digesting BYOD and BYOA, another new concept is coming up, called COPE, or “Corporate Owned Personally Enabled”. In this scenario, the device itself is owned by the organization, but the apps come from the employee. COPE, on which ReadWrite Enterprise has a story, essentially works like this: the organization buys the device and still owns it, but the employee is allowed, within reason, to install the applications they want on the device, be it a smartphone or a traditional computer.

The general consensus in the CIO world is basically that IT should stop controlling BYOD, BYOA or COPE and start working on how to take advantage of them to reduce costs, and bring in new tools to make sure the organization is secure and the consumer apps are well integrated. Many IT organizations can probably say that employees are not allowed to deploy, or are not deploying, their personal devices (BYOD) on the company’s network, but according to the survey, 84% of smartphone users are also using their devices at work. While BYOD could mean increased productivity for your employees, it is also a potential threat to your overall network, be it the performance, the security or the delivery of the applications running on it. According to ESG, 88% of enterprise organizations today allow for BYOD and personal use of devices while at work. Also, mobile workforce enablement was ranked as a top ten IT priority by respondents to the ESG 2012 IT spending intentions research survey. Furthermore, additional ESG research shows that 88% of enterprise organizations with BYOD initiatives surveyed allow for mixed personal/work use on employee-owned devices.

So what are the effects of allowing BYOD without checking? Yes there is a huge gain in productivity, drastic cut is costs, employee friendly etc. but leaves open a huge security hole, huge risks, excessive bandwidth load and in all impacting performance and security of business critical applications. If you are not ready for this additional network bandwidth consumption, these devices will actually start impacting negatively on productivity and revenue. Imagine all of your employees watching Netflix, or YouTube or downloading video or books or music or watching anything live at business hours. Due to this, performance of the corporate network can drastically come down impacting the performance of the corporate applications and employee productivity. For example, just one employee watching an HD Video (streams at 1.5MB/sec) could consume an entire T1 link.

Equally problematic, these BYOD devices can transfer data out of the enterprise. Other computing devices can do this too, but the way apps are integrated into BYOD devices, and their ease of use, has made sharing that much simpler. Applications such as Dropbox or iCloud enable employees to share files and content outside of the enterprise. This represents a potentially serious security threat, depending on who is sharing information and what information is shared. Organizations need to get a handle on what is going on in their BYOD environment, be it related to risks, network and application performance, potential data breaches, or lost employee productivity.

Two things are NOT recommended: first, blindly upgrading or doubling your bandwidth, and second, buying security tools without knowing where the hole is. When applications run slowly, the network typically gets blamed. Without any visibility into the network, and hence without knowing what actions are performed and by whom, organizations tend to increase bandwidth and so run into higher operating costs. Worse, it does not take long to clog the new bandwidth! Without visibility and a network performance baseline, BYOD initiatives could prove detrimental to the network and the business.

The same goes for BYOD security. Without visibility, that is, without knowing what is happening, who is accessing what, how many devices of what types are connected to the corporate network, who has access to what, and what security holes those devices are creating, don’t deploy tools, or you will be band-aiding the wrong places. You need to know many things: where your sensitive files are, who is accessing them, who is accessing cloud services, who is using services such as Dropbox and what files are uploaded and shared, whether some person or device is accessing sensitive information, and so on. Visibility gives you the power to quickly identify all of these, along with the problem sources and data security holes, so that you can make informed decisions on how to protect the network and what tools to buy. Once the environment is being monitored, administrators will know exactly what is happening, and the organization can intelligently implement policies to ensure the right people have access to the right sites and files, and effectively enforce and monitor that access.
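As an added illustration (not from the original post or any vendor's product), the sketch below answers three of the visibility questions above from flow records: which devices are not in the inventory, which devices consume the most bandwidth, and which devices upload large volumes to file-sharing services. The flow records, the device inventory and the upload threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (device MAC, authenticated user or None, destination host, bytes sent, bytes received)
FLOWS = [
    ("aa:bb:cc:00:00:01", "alice", "mail.corp.example", 20_000, 400_000),
    ("aa:bb:cc:00:00:02", "bob", "video.example.net", 50_000, 900_000_000),
    ("aa:bb:cc:00:00:03", None, "dropbox.com", 75_000_000, 30_000),
    ("aa:bb:cc:00:00:01", "alice", "www.icloud.com", 12_000_000, 15_000),
    ("aa:bb:cc:00:00:02", "bob", "mail.corp.example", 10_000, 120_000),
]
REGISTERED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # assumed device inventory
FILE_SHARING = ("dropbox.com", "icloud.com")              # services named in the post
UPLOAD_ALERT_BYTES = 10_000_000                           # assumed alert threshold


def is_file_sharing(host):
    """True for a listed service or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING)


def summarize(flows, registered):
    """Build a per-device view: unknown devices, bandwidth use, outbound sharing."""
    total = defaultdict(int)      # MAC -> total bytes, for the bandwidth baseline
    shared_up = defaultdict(int)  # MAC -> bytes uploaded to file-sharing services
    users = {}                    # MAC -> first user seen, "unknown" if none
    for mac, user, host, up, down in flows:
        total[mac] += up + down
        users.setdefault(mac, user or "unknown")
        if is_file_sharing(host):
            shared_up[mac] += up
    return {
        "unregistered": sorted(m for m in total if m not in registered),
        "top_talkers": sorted(total.items(), key=lambda kv: kv[1], reverse=True),
        "upload_alerts": sorted(
            (m, users[m], b) for m, b in shared_up.items() if b >= UPLOAD_ALERT_BYTES
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(FLOWS, REGISTERED).items():
        print(key, value)
```
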

The summary :)

To handle various computing devices (BYOD) and numerous apps (BYOA), organizations first need visibility into the network, into these devices and into the apps running on them. This granular information enables organizations to understand which users, which apps and what access are being used or abused across the corporate network and corporate resources. Based on this visibility, organizations can implement policies on the recreational and business use of these devices and bring in the right security tools to ensure business-critical information is protected. Failing to gain this visibility could lead organizations to unnecessarily overprovision network capacity to support employees' recreational use, or to deploy tools that do not really fix the underlying security issue. As they say, “knowing is everything”.

There are many companies that offer BYOD visualization and security tools (both intrusive agent-based and non-intrusive agentless). By deploying such tools, organizations can say yes to BYOD and BYOA and still retain control, ensure higher employee productivity and lower costs, and make sure that neither productivity distractions nor security holes are left behind.

“Happy BYODing” :)

Manjunath M Gowda
 “Got BYOD? Get control of it”