Sunday, November 25, 2012

BYOD, Gartner & re-birth of NAC

What is NAC and why might it find a revival? NAC, policy-based network access control, is a decade-old technology that was proposed to manage the mobile devices of the time (mainly laptops, plus desktops), mostly for endpoint security: to control and monitor what is on those laptops and what is and is not allowed into the corporate network. It would have made a great deal of sense if enterprises had allowed employees' personal laptops onto the corporate network, *but* not many people wanted their personal laptops used for official work, with all the legal and liability issues that brings, and CIOs didn't want to allow it either. Instead they started handing out corporate-owned laptops with a tightly integrated hardware and software combination, where IT completely controlled what went onto the laptop and what didn't. It was not at all uncommon for people to carry two laptops, one the company's and one their own.

Fast forward to 2012: now almost everyone has their own smart device (the concept of BYOD), which lets people mix personal and official work, supposedly makes them smarter (?) and very productive, and is the dawn of a new work-life culture where your device and your work literally follow you everywhere, be it the pub, a vacation, an outing or the golf course.

So NAC is making a comeback because of the popularity of BYOD in the workplace (88% of companies in the US and UK allow BYOD and, more worrying, more than 30% of devices on the corporate network are not officially allowed there; for the full statistics see my earlier blogs here & here), and it looks like the right technology for this kind of device. (Full disclosure: i7 Networks' products, BYOD-Secure (the BYOD access control tool) and Hawkeye (the BYOD visibility and discovery tool), both use NAC technology.)

If I feel this is the right technology to monitor, policy-manage, access-control and otherwise secure BYODs, I am not alone. Gartner, for one, is predicting that the bring your own device (BYOD) phenomenon, in which employees are allowed to use their own personal Apple iPads, iPhones, Google Android devices and other mobile hardware for business purposes, will lead to a revival of NAC.

NAC was supposed to grant a computer (desktop or laptop) access to the corporate network only after checking a number of things, such as whether the right updates are present and whether anti-virus is installed. That technology now looks ripe for controlled access by BYODs. Many MDM vendors are rushing to use NAC to provide complete control of BYODs. (Full disclosure: i7 takes a different approach, detecting and controlling access of BYODs in an agentless, non-intrusive way, but also uses NAC technology.)

We feel an agentless, non-intrusive way of detecting all the BYODs on the enterprise network is critical, first because one third of devices are on the network unofficially, and second because of this quote.

Speaking at a roundtable organized by BT at the Infosec 2012 conference, Simon Wise, deputy head of the Ministry of Defence (MoD)'s global operations security control center, said: “We have a bring your own device (BYOD) policy and it's simple: Don't!” “The key risk is unauthorized devices and the threat they pose to the rest of the network,” he said. The MoD currently has around 750,000 IP devices, he said. “We need to be able to detect if they have been brought into our systems so we only allow authorized devices.”

Detecting these unauthorized devices, allowing only authorized devices onto the network (access control) and letting them reach only authorized data and servers requires a next-generation, non-intrusive, agentless way of detecting the devices and enforcing access control, which is where NAC becomes very handy. NAC then ensures that all corporate requirements (OS level, anti-virus, anti-malware, the right patches, etc.) are met before a BYOD is allowed onto the enterprise network.

"NAC has been around for almost 10 years," says Gartner analyst Lawrence Orans, who acknowledges the "first wave" of NAC crested with a fairly modest adoption, mainly by financial institutions and some high-security situations, plus a few universities.  But NAC is getting a second chance to go mainstream because of BYOD, and this time it will gain much more ground as a security approach, Orans predicts. "BYOD is an unstoppable trend," he predicts, with businesses in ever greater numbers allowing employees to carry enterprise data on personal tablets. 

NAC being forged into mobile security tools offers some advantages, says Orans, in terms of allowing IT managers to set policy-based controls on BYOD tablets and smartphones in the enterprise. In the mobile-device context, NAC might check to see if there's BYOD "containerization" in place, for instance, to make sure personal and business data is cordoned off in some way before granting network access.
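The posture checks described above (OS level, anti-malware, patch level, containerization) boil down to a policy decision per device: admit, park it in a remediation network, or refuse. The following is an added example written for this post, not code from i7 Networks, Gartner or any NAC product. It assumes a posture report has already been collected for the device and is presented as a small dictionary; the thresholds in POLICY are made up for illustration. One caveat a practitioner should keep in mind: a purely passive, agentless probe can tell you a device's type and OS, but patch level, anti-malware state and container presence have to come from an agent, an MDM integration or a scan, so the report below is an input to NAC, not something the network alone can observe.

```python
from datetime import date

# Constructed policy for this example; the thresholds are assumptions,
# not any vendor's defaults. Windows is keyed by NT kernel version
# (Windows 7 reports 6.1).
POLICY = {
    "min_os": {"iOS": (6, 0), "Android": (4, 0), "Windows": (6, 1)},
    "require_av": True,
    "max_patch_age_days": 30,
    "require_container": True,
}


def parse_version(text):
    """'6.0.1' -> (6, 0, 1). Stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_at_least(actual, minimum):
    """Compare version tuples after zero-padding, so (6,) >= (6, 0) holds."""
    width = max(len(actual), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(actual) >= pad(minimum)


def evaluate(device, policy=POLICY, today="2012-11-25"):
    """Return (decision, reasons) for a posture report (dates are ISO strings).

    'deny'       : OS not allowed or below minimum (not fixable from a captive portal)
    'quarantine' : remediable findings (missing AV, stale patches, no container)
    'allow'      : every check passed
    Missing attributes are treated as failing, so an incomplete report never
    gets through (default deny).
    """
    today = date.fromisoformat(today)
    hard, soft = [], []

    os_name = device.get("os")
    minimum = policy["min_os"].get(os_name)
    if minimum is None:
        hard.append("OS %r is not on the allowed list" % os_name)
    elif not version_at_least(parse_version(device.get("os_version", "")), minimum):
        hard.append("%s %s is below minimum %s" % (
            os_name, device.get("os_version"), ".".join(map(str, minimum))))

    if policy["require_av"] and not device.get("av_installed", False):
        soft.append("anti-malware agent not installed")

    last_patch = device.get("last_patch")
    if last_patch is None or (today - date.fromisoformat(last_patch)).days > policy["max_patch_age_days"]:
        soft.append("patch level older than %d days" % policy["max_patch_age_days"])

    if policy["require_container"] and not device.get("container", False):
        soft.append("no corporate data container")

    if hard:
        return "deny", hard + soft
    if soft:
        return "quarantine", soft
    return "allow", []


if __name__ == "__main__":
    # Constructed posture report for a personal iPhone.
    sample = {"os": "iOS", "os_version": "6.0.1", "av_installed": True,
              "last_patch": "2012-11-10", "container": True}
    print(evaluate(sample))
```

The split between hard and soft findings is the design point: an out-of-policy OS cannot be fixed by the user at a captive portal, so it is refused outright, while a missing container or stale patches drop the device into a quarantine VLAN where remediation is possible and nothing else is reachable.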

It seems BYOD is surely here to stay and NAC will get a second breather; we @ i7 believe strongly so :-)

Let me end with a nice quote from the VP of IT at Cisco (March 2012): “BYOD has delivered savings of around 20 per cent; we don't pay for it [BYOD], and our users are happier.”

Manjunath M Gowda
“Got BYOD? Get control”

Sunday, November 18, 2012

BYOD : Visibility - Security - Data Protection – What does the market say?

My previous blog, “I know BYOD but what is this BYOA or COPE? Being in IT should I worry about all these?”, talked about BYOD, BYOA and COPE, how they are changing the role of the CIO, and how he needs to adapt or else will eventually lose control and make the position itself largely unnecessary.

In this blog, let me use statistics and survey results to show how real the BYOD problem is and why we need to address it sooner rather than later, and end with what happens to you and your organization if you ignore it.

- There are very few people accessing the network using their personal devices

According to Blue Coat, nearly twice as many employees (71%) report accessing the network with their personal device as IT administrators believe are doing so. The IT administrators' number is 37%.

- BYOD security and visibility is more of an enterprise issue, not an SME issue

A survey carried out by B2B International on behalf of Kaspersky Lab, mainly targeting SMEs, found that 33 per cent of firms allow their staff to access corporate resources from their smartphones. Furthermore, 23 per cent of firms admitted to having already lost company data through a misplaced or stolen personal phone.

David Emm, senior security researcher at Kaspersky Lab, said: "BYOD is a tricky subject for organizations. Whether they opt for BYOD or not, businesses should look to manage and secure the use of these devices."

The Faronics survey confirms it. It was a thorough survey of the cyber threat and data breach experiences of small and medium-sized businesses (SMBs). U.K. respondents' concerns: 62% believe "proliferation of end-user devices" is a key issue, along with "lack of security protection across all devices" (cited by 56%) and "unsecure third parties including cloud providers" (53 per cent).

- BYOD is on the decline

The survey of 1,678 mobile workers at 1,100 enterprises worldwide was conducted between Sept. 27 and Oct. 19 by commercial Wi-Fi network provider iPass, which runs such a survey every quarter. It revealed that the percentage of respondents using their own smartphones for work tasks increased from 42% in the fall of 2011 to 46% in the fall of 2012, while the percentage of phones provisioned by employers dropped from 58% to 33% over the same period.

For tablets, 59% of mobile workers said they expect to rely on tablets more in the coming year, and the iPad would remain the top preference, for 54% of them.

Findings also indicate that the smartphone is "the center of the mobile workers' universe" because it ranks just behind wallets and keys as most important items in workers' lives.

- Should I worry only about iPads then?

Same iPass survey found that Apple's iPhone remains the most popular smartphone among workers, used by 53% of the mobile workforce, up from 45% in 2011. But Android phone use also increased to 34% of workers, up from 21%. Use of the Research in Motion BlackBerry smartphone decreased over the past year, from 32% of workers to 26%. Windows Phone-based devices were used by just 5% of mobile workers in the latest survey.

- With BYOD, is security the only issue I need to worry about?

Yes, organizations can now cut a lot of cost on procuring devices thanks to BYOD and BYOA, but please don't be too happy about the savings: most of it will go on procuring new BYOD visibility and security tools, and that's not all. There is something called "bill shock" coming your way.

The iPass survey respondents ranked the cost of making a network connection as the least important factor when choosing a mobile network, which could create a "bill shock" for businesses without Bring Your Own Device (BYOD) cost-control policies. The rapid growth of BYOD is both increasing worker productivity and increasing corporate costs, noted Evan Kaplan, CEO of iPass. "This report shows [employees] are willing to connect with little regard for cost. This lack of cost sensitivity has the potential to dramatically impact corporate budgets."

This is where BYOD visibility, knowing where the traffic is going, becomes very critical.

- OK, I got that. But is the BYOD security threat as big as it is made out to be?

A study sponsored by Webroot, based on a survey of endpoint and mobile-security decision makers at companies with 10 or more employees in the U.S., U.K. and Australia, found that more than half reported mobile threats, reduced employee productivity and disrupted business activities; 61% of respondents said they required additional IT resources to manage mobile security, resulting in higher costs.

The study also found an overwhelming 82% said they believe that mobile devices create a high security risk within the corporate environment. Results indicated that mobile security is a high priority for half the companies supporting BYOD, equating to increased help desk support and consumption of valuable IT resources. 45% reported lost or stolen devices in the past year and 24% experienced mobile malware infections, crippling productivity and potentially compromising company and customer data.

Blue Coat reported that 88 percent of employees think their mobile device is "somewhat or very secure from malware." Only about 22 percent of IT professionals, however, think the risk of malware spreading from employee devices to the corporate network is minimal or nonexistent.

Faronics announced the results of its State of Cyber Security Readiness survey, which examines the cyber threat and data breach experiences of SMEs across the US and UK. The respondents included executives from many levels of these organizations, ranging from owner/partner to outside consultant, but were heavily weighted toward the director, manager, supervisor and technician levels.

The top three threats to their organizations listed by U.S. respondents included "proliferation of unstructured data," (69 percent), "unsecure third parties including cloud providers, (65 percent) and "not knowing where all sensitive data is located, (62 percent). U.K. respondents had a slightly different set of concerns: 62% believe "proliferation of end-user devices" is a key issue, as well as "lack of security protection across all devices," (cited by 56%) and "unsecure third parties including cloud providers," (53 percent).

- Are people implementing BYOD security in their organizations? Why or why not?

From the Webroot study mentioned above: while 46% of BYOD companies have implemented mobile security, only 40 percent of companies with fewer than 100 employees have it. Despite having access to more IT resources, larger organizations (those with 500 or more employees) are at even higher risk.

According to the study, 67% had dealt with lost or stolen mobile devices and 32% had experienced mobile malware infections, creating widespread concern about the business impact of employee-owned devices within the enterprise. Overall, 67% agree that the management of mobile-device security is a great burden on IT resources.

- What issues are keeping organizations from making BYOD completely secure?

"Although organizations have become more aware of potential threats, they do not seem to accurately perceive the repercussions associated with data breaches," said Dmitry Shesterin, vice president of product management at Faronics. "Findings indicate that organizations do not understand the full costs and damages they will suffer as a result of a data breach. These organizations need to become more proactive about their security programs in order to minimize the damage they will inevitably experience from one, if not more, data breach."

Faronics' survey found that just 9% of U.S. respondents and 4% of U.K. respondents admit security is not taken seriously because their organization is not perceived as vulnerable to attack. 64% of U.S. respondents and 75% of U.K. respondents cited "insufficient people resources" as a primary barrier to achieving effective security. 62% of U.K. respondents consider "the complexity of compliance and regulatory requirements" a key barrier, and 55% listed "lack of in-house skilled or expert personnel". 50% of U.S. respondents noted "lack of central accountability" and 41% listed "lack of monitoring and enforcement of end users".

- So what should we do as far as access is concerned? Complete access or restricted access?

Most organizations haven't yet solved the "my phone, my rules" challenge, according to Blue Coat. IT may have higher, stricter expectations for security controls on personal devices, but employees are making them meet in the middle, which has resulted in the creation of flexible policies that implement security only when corporate assets are at risk.

Not surprisingly, far more IT staffers (37 percent) than employees (12 percent) want to allow restrictions on the type of sites or content that can be accessed, as part of a corporate policy.

- What is the impact of security breaches?

From the same Faronics survey, when queried about the impact of data breaches on their organizations, more than half of U.S. and U.K. respondents cited the loss of time and productivity most frequently. Both U.S. and U.K. respondents also listed damage to their organization's brand second most frequently. According to the findings among companies that experienced a data breach:

42% of U.S. respondents and 38% of U.K. respondents stated they "lost customers and business partners"
41% and 34% of U.S. and U.K. respondents, respectively, experienced an increase in the "cost of new customer acquisition"
35% of U.S. respondents and 31% of U.K. respondents "suffered a loss of reputation"

Results seem to indicate that companies tend to seriously underestimate the potential damage to brand and reputation, revealing a great data breach perception gap. Misconceptions about the consequences associated with a data breach are preventing organizations from implementing the necessary financial tools, in house-expertise and technologies to achieve cyber readiness.

- What factors influence IT buyers to buy BYOD visibility, security and related tools?

Survey findings uncover that IT managers made security and data protection investment decisions based on ease of deployment and ongoing operations as well as low purchase costs.
73% in the U.S. and 78% in the U.K. seek products and solutions that enable easy deployment. U.K. teams further indicated the importance of minimal maintenance effort, with 62% of respondents listing "ease of ongoing operations" as a key factor influencing security investments, followed by 58% seeking "low purchase cost" and 52% seeking low total cost of ownership (TCO). U.S. teams indicated a greater concern with costs, as 65% of respondents listed "low purchase cost" as a primary influencer, over the 60% who listed "ease of ongoing operations" and 30% who listed "low TCO".

- What tools are they using today?

65% and 75% of U.S. and U.K. respondents, respectively, employ firewalls and other perimeter security technologies. 36% of U.S. and 53% of U.K. respondents turn to blacklisting and/or whitelisting tools to identify content with vulnerabilities. A significant plurality of IT teams relies on enforcing strict data policies, cited by 33% of U.S. and 45% of U.K. respondents.

I hope these surveys reveal some important things happening in the BYOD market today. How it is trending and what Gartner says, I will try to cover in the coming blogs! Any questions, concerns or trends regarding BYOD visibility or security, drop me an email and I will be happy to answer.

Manjunath M Gowda
ceo, i7 Networks
“Got BYOD? Get control”

manju.m (@) i7networks (.) in

Friday, November 16, 2012

I know BYOD but what is this BYOA or COPE? Being in IT should I worry about all these?

Today, whether you like it or not, whether you allow it or not, every organization has employees accessing office information via BYODs (“Bring Your Own Device”). Allowing access obviously opens up security floodgates that many IT departments may not be aware of at all. Let me discuss a bit of what is happening in the world today, briefly touch upon visibility of BYODs, talk about the new trends called BYOA and COPE, and then talk a little about security for these BYODs.

A survey conducted by B2B International in July 2012 reveals that 33% of companies allow their staff unrestricted access to corporate resources from their smartphones or tablets. 38% of companies apply some kind of restriction on smartphone use, including bans on access to certain network resources. A further 19% have a complete ban on the use of mobile devices for work activities. But only 11% of companies currently use some kind of BYOD management tool to ensure compliance with corporate security policies. 34% of those surveyed think that the use of personal devices presents a threat to the business, and another 55% frequently think about how to reduce the risk. This increased focus on mobile devices from IT specialists is probably explained by the fact that 23% said they had lost business data due to the loss or theft of mobile devices.

Despite all the risks involved, only 9% of companies are planning to introduce a strict ban on their use (so the other 91% will be looking at solutions for managing these BYODs and their risks and security issues better). Interestingly, 36% of the IT specialists surveyed are sure that, irrespective of any new measures, the number of user devices in the workplace will only increase.

If that is all about BYOD, there is a new thing coming up called BYOA, or “bring your own applications”. BYOA cuts costs and reduces training requirements, since users are already familiar with their apps, and it is relatively easy to integrate those apps into the organization's IT infrastructure. Edwin Schouten, IBM's Cloud Services Leader for Global Technology Services, agrees and sees lots of positives. Whether IT likes it or not, there will be a plethora of applications running on the corporate network, driven by employees and consumers rather than by IT. This is something IT needs to accept and move on from, working instead on how to secure the network in spite of BYOD and how to integrate user apps into the IT infrastructure securely, rather than trying to restrict the usage or choice of the software or apps. Basically, consumerization of IT will be an unstoppable change. The impetus behind BYOA will look very familiar to anyone who watched BYOD take hold. In fact the BYOA trend is also getting traction in Europe; The Telegraph takes a look at the issue: “Bring or choose, the trend is for employees to use such tools for storage, note-taking and free apps such as Skype for voice communications. The numbers are already impressive. Yammer has more than five million corporate users, Google Apps has 40 million active users and Dropbox has more than 50 million users”.

While we are still digesting BYOD and BYOA, another new concept is coming up, called COPE, or “Corporate Owned, Personally Enabled”. In this scenario the device itself is owned by the organization, but the apps come from the employee. As ReadWrite Enterprise describes it, COPE essentially works like this: the organization buys the device and still owns it, but the employee is allowed, within reason, to install the applications they want on it, be it a smartphone or a traditional computer.

Basically the general consensus in the CIO world is that IT should stop trying to control BYOD, BYOA or COPE and start working out how to take advantage of them to reduce costs, and bring in new tools to make sure the organization is secure and the consumer apps are well integrated. Many IT organizations may say that employees are not allowed to use, or are not using, their personal devices (BYOD) on the company network, but according to the survey, 84% of smartphone users also use their devices at work. While BYOD could mean increased productivity for your employees, it is also a potential threat to your overall network, be it performance, security or the delivery of the applications running on it. According to ESG, 88% of enterprise organizations today allow BYOD and personal use of devices while at work. Mobile workforce enablement was also ranked as a top-ten IT priority by respondents to the ESG 2012 IT spending intentions survey. Furthermore, additional ESG research shows that 88% of enterprise organizations with BYOD initiatives allow mixed personal/work use on employee-owned devices.

So what are the effects of allowing BYOD without checking? Yes, there is a big gain in productivity, a drastic cut in costs, it is employee friendly, etc., but it leaves open a big security hole, big risks and an excessive bandwidth load, all of which affect the performance and security of business-critical applications. If you are not ready for the additional network bandwidth consumption, these devices will actually start to hurt productivity and revenue. Imagine all of your employees watching Netflix or YouTube, downloading video, books or music, or watching anything live during business hours. Performance of the corporate network can drop drastically, hurting the corporate applications and employee productivity with it. For example, just one employee watching an HD video stream (about 1.5 Mbit/s) could consume an entire T1 link (1.544 Mbit/s).

Equally problematic, these BYOD devices can transfer data out of the enterprise. Not that it cannot be done from other computing devices, but the way apps are integrated into BYODs and their ease of use have made sharing that much simpler. Applications such as Dropbox or iCloud let employees share files and content outside the enterprise. This is a potentially serious security threat, depending on who is sharing information and what is shared. Organizations need to get a handle on what is going on in their BYOD environment, be it risk, network and application performance, potential data breaches or lost employee productivity.

Two things are NOT recommended: first, blindly upgrading or doubling your bandwidth, and second, buying any security tool without knowing where the hole is. When applications run slowly, the network typically gets blamed. Without visibility into the network, and hence without knowing what actions are performed and by whom, organizations tend to increase bandwidth and run into higher operating costs. Worse, it does not take long to clog the new bandwidth! Without visibility and a baseline of network performance, BYOD initiatives could prove detrimental to the network and the business.

The same goes for BYOD security. Without visibility, that is, without knowing what is happening, who is accessing what, how many devices of what types are connected via the corporate network, who has access to what and what security holes they are creating, don't deploy tools, or you will be putting band-aids in the wrong places. You need to know where your sensitive files are, who is accessing them, who is accessing cloud services, who is using services such as Dropbox and what files are uploaded and shared, whether some person or device is accessing sensitive information, and so on. Visibility lets you quickly identify all of these, the problem sources and the data security holes, and make informed decisions on how to protect and what tools to buy. Once you are monitoring the environment, administrators know exactly what is happening, and the organization can intelligently implement policies to ensure the right people have access to the right sites and files, and effectively enforce and monitor that access.
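The visibility the last two paragraphs call for (how many devices, of what types, which are not on IT's books, and which are talking to Dropbox) can be had without touching the device at all, by correlating logs the network already produces; this is the agentless, non-intrusive detection the NAC post above argues for. The block below is an added example written for this post, not i7 Networks' Hawkeye or any other product's code. It assumes a DHCP server that logs each client's option 55 parameter request list and a web proxy that logs source IP, destination and User-Agent; both log formats, the sample lines, the OUI and DHCP-fingerprint tables and the list of authorized MACs are constructed for illustration (a real deployment would use the IEEE OUI registry and a maintained fingerprint database, and would join IP to MAC by lease time rather than by the last address seen).

```python
import re
from collections import Counter

# Constructed sample logs (illustrative formats, not any vendor's).
DHCP_LOG = """\
dhcp: mac=3c:07:54:aa:bb:01 ip=10.0.5.23 host=Johns-iPhone opt55=1,3,6,15,119,252
dhcp: mac=00:1a:a0:aa:bb:02 ip=10.0.5.40 host=FIN-LT-017 opt55=1,15,3,6,44,46,47,31,33,121,249,43
dhcp: mac=d8:50:e6:aa:bb:03 ip=10.0.5.77 host=android-9f3e opt55=1,33,3,6,15,28,51,58,59
dhcp: mac=3c:07:54:aa:bb:04 ip=10.0.5.81 host=iPad opt55=1,3,6,15,119,252
"""
PROXY_LOG = """\
proxy: src=10.0.5.23 dst=www.dropbox.com ua="Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)"
proxy: src=10.0.5.40 dst=intranet.example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64)"
proxy: src=10.0.5.77 dst=www.youtube.com ua="Mozilla/5.0 (Linux; U; Android 4.0.4; Nexus S)"
proxy: src=10.0.5.81 dst=www.dropbox.com ua="Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)"
"""

# Illustrative lookup tables (assumptions for this example only).
OUI = {"3c:07:54": "Apple", "00:1a:a0": "Dell", "d8:50:e6": "ASUSTek"}
DHCP_FP = {
    "1,3,6,15,119,252": "iOS",
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows",
    "1,33,3,6,15,28,51,58,59": "Android",
}
CLOUD_STORAGE = {"www.dropbox.com", "dropbox.com", "www.icloud.com"}
# MACs IT has on record as corporate-issued or approved (constructed).
AUTHORIZED = {"00:1a:a0:aa:bb:02"}

DHCP_RE = re.compile(r"mac=(\S+) ip=(\S+) host=(\S+) opt55=(\S+)")
PROXY_RE = re.compile(r'src=(\S+) dst=(\S+) ua="([^"]*)"')


def build_inventory(dhcp_log, proxy_log, authorized=AUTHORIZED):
    """Passively build a per-MAC device inventory from DHCP and proxy logs."""
    devices, ip_to_mac = {}, {}
    for mac, ip, host, opt55 in DHCP_RE.findall(dhcp_log):
        mac = mac.lower()
        devices[mac] = {
            "ip": ip,
            "host": host,
            "vendor": OUI.get(mac[:8], "unknown"),   # first three octets = OUI
            "os": DHCP_FP.get(opt55, "unknown"),     # option 55 fingerprint
            "authorized": mac in authorized,
            "cloud_storage": set(),
            "user_agents": set(),
        }
        ip_to_mac[ip] = mac  # last lease wins; a real tool keys on lease time
    for src, dst, ua in PROXY_RE.findall(proxy_log):
        mac = ip_to_mac.get(src)
        if mac is None:
            continue  # traffic from an address we never saw a lease for
        devices[mac]["user_agents"].add(ua)
        if dst in CLOUD_STORAGE:
            devices[mac]["cloud_storage"].add(dst)
    return devices


def summarize(devices):
    """The numbers an IT team actually asks for: how many, what, and who is rogue."""
    return {
        "total": len(devices),
        "unauthorized": sorted(m for m, d in devices.items() if not d["authorized"]),
        "by_os": dict(Counter(d["os"] for d in devices.values())),
        "cloud_storage_users": sorted(m for m, d in devices.items() if d["cloud_storage"]),
    }


if __name__ == "__main__":
    inv = build_inventory(DHCP_LOG, PROXY_LOG)
    for mac, d in inv.items():
        print(mac, d["vendor"], d["os"], "OK" if d["authorized"] else "UNAUTHORIZED",
              sorted(d["cloud_storage"]))
    print(summarize(inv))
```

On the constructed sample three of the four devices are off IT's books and two of those are uploading to Dropbox, which is the kind of gap between what IT believes and what is on the wire that the Blue Coat numbers (37% versus 71%) describe. The output of a pass like this is the input to the access-control step: the unauthorized MACs are exactly the ones a NAC policy would hold in a guest or quarantine VLAN.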

The summary :-)

To handle the various computing devices (BYOD) and numerous apps (BYOA), organizations first need visibility into the network, into these devices and into the apps running on them. This granular information lets organizations understand which users, which apps and what access are being used or abused across the corporate network and corporate resources. Based on this visibility, organizations can implement policies on the right balance of recreational and business use of these devices, and bring in the right security tools to ensure corporate-critical information is protected. Failing to gain this visibility could lead organizations to unnecessarily overprovision network capacity to support employee recreational use, or to put in tools that do not really fix the underlying security issue. As they say, “knowing is everything”.

There are many companies that offer BYOD visibility and security tools (both intrusive, agent-based and non-intrusive, agentless), and by deploying such tools organizations can say yes to BYOD and BYOA and still retain control, ensure higher employee productivity and lower cost, and make sure there are no productivity distractions and no security holes left.

“Happy BYODing” :-)

Manjunath M Gowda
 “Got BYOD? Get control of it”