Sunday, September 23, 2012

BYOD Usage in Federal Agencies in the US

Interesting numbers and I picked up from the press release of CDW-G report and have sort of summarized for easy reading. Below I have added the link for those who need to read the complete report. BTW the report is dated February 2012 – sort of 7 months old but I don’t think anything has changed since then rather than growing in the same direction.

CDW-G aka Government LLC, is a leading provider of technology solutions to government, education and healthcare customers, announced the results of its first Federal Mobility Report. The report was based on a survey done with 414 federal employees and IT staff across the country (across US). This report provides information on the current trends in mobility or the usage of BYOD across the federal employees and how agency IT professionals are managing mobile devices and the steps they are taking to secure Federal data.

Some of the numbers are really startling.  More than half of Federal employees use at least one mobile device at work, and many are using personal devices to accomplish work-related tasks. Nearly all Federal employees who use a mobile device for work believe the device makes them more productive, and the majority says increased mobility will improve citizen service. Mobility is no longer just a nice-to-have capability, CDW-G found: Nearly all 203 Federal IT professionals (99 percent) said they have deployed mobile devices to their agency workforce. More interesting fact is that 62 percent of those IT professionals said their agencies allow employees to use personal devices for work.

"Mobility is the 'new normal' for Federal employees," said Bob Kirby, VP of federal government for CDW-G. "Employees increasingly expect to be able to work anywhere and at any time. Agencies responded first by deploying mobile devices, and now they are enabling use of personal devices. And the Bring Your Own Device (BYOD) trend is likely to continue, following the Obama administration's November 2011 executive order that asked agencies to limit the number of IT devices they issue to employees, including mobile devices, in order to reduce costs."

When it comes to security of sensitive data, here are the numbers. 85% have undergone mobile data security policies. 82% of IT professionals said their agency deployed encryption for mobile devices, 54% said their agency protects mobile devices with multi-factor authentication, 45% said about remote lock and wipe and 39% said about data loss prevention software. 71 percent of Federal IT professionals say they include MDM in their security efforts, CDW-G found that most are not deploying a full suite of security tools to agency and personal devices via MDM, revealing an opportunity to improve agencies' security posture.

This is where I personally feel they should have a BYOD analytics tool first to see what is happening in the network, how many such devices are there in the network, complete logging of user usage of such devices including monitoring and also analytics to see what applications are using what services including monitoring how many devices have some form of MDM installed and how many are there with no such software installed (data encryption, remote lock & wipe, authentication software, some form of MDM etc).

The real worry especially in this industry or the segment (Federal agencies) is that they have access to wide variety of data from financial information to employee and taxpayer records to email/social networking accounts etc. With cyber threat getting worse and complex by the day and considering the fact that they target federal agencies and their employees fat more than any verticals it is imperative to find what is happening and what and how each one of the security hole needs to be fixed.

Author is the CEO of i7 networks which works on next gen analytics and intelligence related to bandwidth, security & BYOD

*Link for the complete report: Press Release for CDW-G report

CSA puts BYOD in focus with 17 key security areas

As mobile devices are becoming a mainstay in the enterprise, the Cloud Security Alliance (CSA) has identified 17 key elements as critical security measures for a full lifecycle security management especially for organizations.
These 17 are:
  1. Policy
  2. Risk Management
  3. Device Diversity/Degree of Freedom
  4. Configuration Management
  5. Software Distribution
  6. Enterprise AppStore
  7. Content Library
  8. Procurement
  9. Provisioning
  10. Device Policy Compliance and Enforcement
  11. Enterprise Activation/Deactivation
  12. Enterprise Asset Disposition
  13. Process Automation
  14. User Activity Logging/Workplace Monitoring
  15. Security Settings
  16. Selective Wipe/Remote Wipe/Lock
  17. Identity Management/Authentication/Encryption

One very key piece will be the “User activity logging and workplace monitoring” which is the critical aspect of the whole security and in fact rates the first to be implemented and based on the logging and the analytics, one can device what is the best security policy to apply and what tools are needed for your organization.
“Mobile devices are becoming an integral part of corporate networks, and as employees are increasingly using their personal device to access cloud-based applications and services, either via the allowed channel or some way or other and finding out who are on the network with what devices and what are the services they are accessing and logging of the same for a future audit and forensics is very critical and is step #1 for me”, said a CTO of a fortune 500 enterprise”

Also, with the growth in the number of applications, content and data being accessed through a variety of devices and because IT departments are now fully responsible for either company-owned devices or BYODs, organizations must look to adopt policies and practices to prevent any compromise in security. Most important, the report cites, is for organizations to include a system-centric functionality to secure and manage data and applications and more importantly to come up with smart solutions and tools driven by analytics.
While every company will have a different tolerance for risk and will adopt mobile technology in different ways, each one of them should be aware of what is going on in their network, what devices are running, what kind of applications are running and what are the threat levels of each of them.
There are several fundamental components that have to be considered and incorporated into policy and practice, the CSA noted. Each component falls into one of three major categories: software and hardware, inventory and security. The report provides implementation best practices as well as potential risks; along with a "Must Have" or "Optional" rating to help organizations better prioritize their security efforts.

Manjunath M Gowda, CEO i7 Networks “Listen to your bandwidth”
Author is the CEO of i7 networks which works on next gen analytics and intelligence related to bandwidth, security & BYOD

Saturday, September 22, 2012

BYOD on the Campus – Stats, Issues, & Concerns

Seems all enterprises keep worrying about the BYOD. Most articles and news on BYOD are all around how BYOD is becoming a major issue in enterprises. But everyone seems forgetting the impact of it on the Universities. From the data I was able to collect from many articles and surveys, seems there will be a bigger BYOD revolution soon in the campus – at least the numbers seem to justify it.
At the start of the semester, students now get more than books, clothes and furniture, a slew of bandwidth hungry devices to campus. Times have really changed. Almost every kind of device that exists in the world finds a way into the campus unlike in enterprises where you see pretty much standard devices.
A survey (conducted by Houston-based J Turner Research in partnership with Philadelphia-based Campus Apartments and Memphis, Tenn.-based Education Realty Trust (ERT) - which talked to more than 10,000 students across 130 campuses.) suggests that about 41% of students will have three or more devices connected to the Internet at one time. 76.4% of institutions surveyed are looking to reinforce their networks to support multiple devices. This is another interesting fact, a whopping 64 percent of students at U.S. colleges and universities say they would consider relocating to new housing if their campus apartment’s Internet speeds were slower than expected. The same survey shows that there is an increasing appetite for Wi-Fi connectivity and a willingness to pay rent premiums for higher bandwidth speeds
Says ERT VP of IT, Scott Casey, “They are leaving home with a laptop, a 60-inch flat panel TV, an iPad, an iPhone, an Xbox, and a PlayStation 3, They want to plug all of that in and be on the Internet blogging and Facebooking, and they expect the same bandwidth experience they have at home”.  “Everything is on the Internet,” Casey says. “And most importantly, they are communicating about their bandwidth experience at the same time via Facebook: 'Come live here because the Internet is great.' Or, 'Don’t live here because the Internet is awful.'”

Some interesting stats which I could pull out - 76% of Colleges Struggle to Meet Bandwidth Demands. 77% of the college reported that the increasing no of mobile devices & other BYODs has had a significant impact on their network. 1/3rd of schools provide more than 500 mbps and still they say that network chokes and clogs are the in thing. 90% of responding colleges said they expect tablets to consume the most bandwidth in the coming year. 50% of IT departments pay for bandwidth supplied for residential networks, but they do not recover the cost. The majority of colleges(75.9%) dedicate about 20%  of their annual  IT budget to residential computer networking.

As college-aged students rely on an expanded arsenal of web-connected gadgets, schools face an unprecedented growth of network bandwidth consumption. Campuses are struggling to provide enough bandwidth to satisfy all student bandwidth needs. Every year, students bring more and more mobile devices with them to campus. As these devices devour bandwidth, colleges and universities struggle to keep up.
If these are stats with the devices and bandwidth, the proliferation of every type of bandwidth hungry applications are creating similar issues. Some to name are Netflix (which is a huge user of bandwidth), YouTube (another huge bandwidth hog), online television and social networking.

This is a huge BYOD/Bandwidth issue problem for the universities. At one end no amount of bandwidth is enough to sate the appetite of these devices and the apps that run on them. Secondly BYODs create a huge security hole and the CIO is desperate to know what kind of devices and application that runs on the network. Another major issue is lack of data on what device and what apps are running on the network and which ones are security risks and to what level.

If bandwidth consumption and BYOD management are becoming a major issue to Campus, security is becoming another major issue. One of the survey says that the CIOs of universities want to have the intelligence first on what is happening on the bandwidth, who is using what, what apps and kinds of apps are consuming the most and what kind of devices are running on the network and where is the traffic going. Once the analytics are out, Universities like to make smart decisions to how to curb bandwidth usage or manage better and get a better ROI on their bandwidth investments. One of the CIO’s statements captures all – “there are slew of solutions but I don’t want to patch the wound without knowing where the wounds are. I need to know first and then apply the solutions accordingly”.

Manjunath M Gowda
Author is the CEO of i7 Networks which works on next generation analytics and intelligence related to bandwidth, security and BYOD.

Sunday, September 16, 2012

The BYOD conundrum – the fear, the inevitable embrace of it and the more critical inevitability of it, monitoring it

In all organizations large or small, there is a large wide spread usage of the devices such as iPads and other such devices (popularly known today in the industry as BYODs or Bring Your Own Device) irrespective of whether allowed or not in the corporate network. People have figured out on how to create shadow IT environment in their workplace to network in the BYODs. Their ease of use and sheer portability and usability of the device, coupled with the lure of free, fast and unmetered internet connectivity at the corporate make the presence of it and other employee-owned tablets and smartphones on the corporate LAN practically inevitability.

Gartner report (June 2012) says “the bring your own device (BYOD) trend is here to stay, so enterprises need to bolster security policies. The bring your own device trend has created new opportunities for businesses looking to increase productivity from mobile employees and remote offices, but security remains a top concern for IT departments in the enterprise”. Gartner also says that “we found 86 percent of enterprise respondents are planning to purchase media tablets like an Apple iPad this year”.

Unfortunately BYOD comes out with its security risks. Some of them worth mentioning are,
  • -         BYOD infecting the network and exposing the organization to the threat of cyber-attack from inside out
  • -         Employees downloading corporate sensitive data to their devices and hence exposing the same for cyber-leak when they take the devices out of corporate network
  • -         Using these devices to connect to film and video streaming at work clogging up the network in the process
  • -         Using applications that are not per say security threat tested and intruders finding easy way into the corporate network

Just to mention a few.

Also BYOD brings rampant use of insecure cloud services like Dropbox. Sixty-six percent of respondents said that they or their companies used some service like Dropbox to store their data. These commercial cloud storage and backup providers can present security risks to corporate data, since data is in the hands of a third party. Even when cloud repositories are encrypted, it's often that third party not their customers who hold the encryption keys.

According to the Gartner survey, the security top issues included the use of privately owned devices and deployment of new enterprise mobile platforms. Gartner recommended focusing on mobile data protection (MDP), network access control (NAC), and mobile device management (MDM) tools. Survey results also indicate enterprises are providing support for BYOD programs, offering technical support for 32 percent of smartphones, 37 percent of tablets and 44 percent of laptops.

But in another survey by MokaFive, there is a clear mandate across all organizations and across the globe that BYOD is here to stay, like it or not. Eighty-eight percent of respondents said their companies had some form of BYOD, whether sanctioned or not. They also said that specifically speaking of MDM that it is too intrusive and would not like to install the same on their device even if the corporate enforces it. 77 percent of respondents had strong negative words to describe their feelings about the use of the software (MDM), including “I don’t care for it,” “Violated!” and “Not acceptable.”
Trying to stop the usage of BYOD in some form of policy or installing some intrusive client on it is like trying to stop the inevitable or is like stopping the rain. One can certainly try but the end result will be surely inevitable. People who get their devices are real smart people (most of them “J) and they know how to make their devices connect to the corporate network. You can certainly try to prevent them from connecting but the end result seems relatively inevitable. People are and will continue to bring their devices to work for various purposes.

"Healthy growth in smartphone and media tablet shipments over the next five years will enable a much higher level of IT consumerization than is currently possible," Chae-Gi Lee, research director at Gartner, said in a prepared statement. "Enterprises should recognize this and look to 'mobile enable' their IT infrastructure for employees to meet the growing demand for mobile device use in the enterprise IT environment."

So it is better for forward-thinking organizations to let these devises connect to their network and figure out non-intrusively how many devices do run on the network at any point of time, who and all it belongs to, what all applications are active and how many of them belong to say higher threat level for the corporate and what all are the bandwidth usage of the devices. These analytics will throw a lot of light into the usage patterns of the devices, gives powerful analytics on what tools and methods to deploy to make sure bandwidth is not hogged per say and secondly and most importantly what tools and methods to employ to secure the network and the data. The deep packet level analytics with the ability to drill down deep into the packet level allows us to see exactly what is happening. The clear and complete allows organizations to take fast and accurate actions to correct the situation. All the analytics, usage patterns, type and kind of applications used – al such information is right there in front of them. Network security is critical, but security without visibility is like patching the wrong leaks, a disaster waiting to happen.

Visibility and Analytics will give IT clear and immediate answers to the most critical and paramount questions:
  • What devices are running in the network?
  • Who does these devices belong to?
  • What kind of applications are running actively?
  • Which of them are security threats?
  • Do we see any issues in the network?
  • Whose device is causing the issue?
  • What areas of the network are impacted?
  • When did this issue start or if it has happened, when did this happen?
  • Where does the problem exist?
  • Why did it occur?
If all the packet information of traffic are recorded and if one can give a real-time and retro analysis of every event including the ones which were security issues, one can do a complete forensic analysis on how the security issue happened and why it happened and what was the security hole that made this happen. Once such a forensic analysis done, one can come out with a powerful insight and intelligent solution that provides a fast and reliable resolution.

There's a strong perception that BYOD is a battle that organizations will ultimately lose and should be happy to accept and concede the same. The line between home and work is getting more and more blurred and tough policies on the usage of these BYOD in the corporate network will be counterproductive. Moreover organizations that enforce hard policies and intrusive clients (MDM Client) will find struggling to implement the same, and more over employees will easily find ways to bypass all these to connect anyway to the corporate network (one google search on how to yields 100s of such methods of doing it J). Moreover in today’s world, such hard core policies will find themselves struggling to attract talent. Of course you can also find the middle ground by meeting half way between the organization and the employees but just make sure all your actions are analytics based and just make sure you have got the visibility to do it.

Manjunath M Gowda, CEO “i7 Networks
Author is the CEO of i7 Networks which provides network traffic analytics engine called EagelEye which sits on the periphery and provides complete real-time and retro network traffic analytics.