Top technologies / solutions available for BYOD Security:
The task for companies that use BYOD is to develop a policy that defines exactly which sensitive company information needs to be protected and which employees should have access to it, and then to educate all employees on that policy.
Technologies for securing BYOD:
1. VDI- One popular software-based security method gaining ground in BYOD environments is the Virtual Hosted Desktop (VHD). VHD (sometimes known as Virtual Desktop Infrastructure, or VDI) creates a complete desktop image that includes an operating system, all applications and settings. The hosted desktop can be accessed from any compatible machine, and processing and storage take place on a central server. With enough network bandwidth and powerful hardware, this type of virtualized environment can combine acceptable performance with high levels of security.
- Containerization is a way to address VHD's issues by placing native applications inside a safe zone on the device. A virtual machine manager (VMM) abstracts the container from the client hardware, boosting performance and reducing server strain by allowing client-side execution, while still improving security by isolating the container from certain functions such as wireless network connections, USB ports or device cameras. Some virtual containers hold an entire operating system and productivity application suite, while others are purpose-built, single-function virtual devices that provide services such as compliance monitoring or highly secure applications.
- Chipset-level security technologies allow MDM to reach underneath a managed device's operating system, performing remote wipes and pre-boot virus scans regardless of the device's status. By providing access below the operating system, this technology lets administrators correct problems by loading software patches and virus definitions, and its integrated support for Public Key Infrastructure (PKI) allows IT to use the devices themselves to authenticate users, removing the need for third-party software tokens or hardware-based authentication devices. Intel Anti-Theft technology extends security features such as remote, OS-independent device locking and unlocking to processors.
2. NAC- Use Network Access Control (NAC) technology that allows employees to use their personal devices on the network while providing the security and access control the enterprise requires. The approach combines granular access policies, automated enforcement, and complete visibility into every device and user on the network. Leverage software and hardware solutions to lock down and manage devices while simultaneously securing the data itself. Wireless networks have to be built for secure BYOD access, and the way to do that is to incorporate NAC for mobile devices.
3. Data loss prevention- Deploying DLP engines enables administrators to keep track of data traffic and immediately block suspicious users or activity. For example, as the source noted, traffic with "xxx-xx-xxx" in its string might be blocked, as it could indicate that a social security number is being transmitted.
DLP tools can apply a use policy to information as it is created, whether it is a file, email or application. This means that data at rest, in use or in transit can be logged, reported, tagged and encrypted at any stage, preventing unauthorized activity. As more firms allow employees the freedom to access the corporate database from a personal device, DLP technologies will be imperative to maintaining secure data management.
4. Mobile Device Management (MDM)
MDM products are probably the ones that most immediately come to mind when people talk about mobility and BYOD. However, in my view, they are very limited in their ability to address the problems we face in these areas. MDM products typically use an agent on the device that communicates with a back-end management application. Policies are defined in the management application; the agent enforces those policies, monitors the device's compliance with them, and may trigger actions based on the level of compliance, ranging from notifying an administrator through to disabling the device. Typically these applications can also remotely lock or wipe devices and track their location. MDM apps can usually deploy applications to mobile devices, and they often include a form of app store for user-selected apps.
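An added example (not from the original article) of the kind of DLP rule described under item 3 above: it scans constructed outbound messages for the social security number pattern (written with the real 3-2-4 digit layout rather than the "xxx-xx-xxx" shorthand) and decides whether to block, log or allow each one. The structural validity check and the masking of logged values are assumptions about how a careful rule would be built, to limit the false positives that hurt the BYOD user experience.

```python
import re

# Regex for the article's "xxx-xx-xxx"-style DLP rule, written for the
# real SSN layout (3-2-4 digits) so the check matches what actually leaks.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes: area 000, 666 and 900-999 are
    never issued, and group 00 / serial 0000 are invalid. Rejecting these
    keeps ticket or order numbers from tripping the rule."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(serial: str) -> str:
    # Never write the full value into the DLP log; keep only the last four.
    return f"***-**-{serial}"


def decide(message: str) -> dict:
    """Apply the rule to one outbound message.
    block - a plausible SSN is present: stop the transfer.
    log   - the pattern matched but fails validity: record for review only.
    allow - nothing matched."""
    findings, suspicious = [], False
    for area, group, serial in SSN_RE.findall(message):
        if is_plausible_ssn(area, group, serial):
            findings.append(mask(serial))
        else:
            suspicious = True
    if findings:
        return {"action": "block", "matches": findings}
    if suspicious:
        return {"action": "log", "matches": []}
    return {"action": "allow", "matches": []}


def scan_traffic(messages) -> list:
    return [decide(m) for m in messages]


# Constructed sample messages (not real traffic or real identifiers).
SAMPLE_TRAFFIC = [
    "Payroll note: employee SSN 123-45-6789, start date Monday",
    "Order 000-12-3456 has shipped",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_TRAFFIC, scan_traffic(SAMPLE_TRAFFIC)):
        print(f"{verdict['action']:5} {verdict['matches']} <- {msg!r}")
```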
Pros and cons of the different types of available technologies / solutions:
- VDI and application streaming help address BYOD problems because they run applications and Windows desktops on back-end servers, rather than on endpoint devices.
- Devices communicate with servers that host the OS and applications, so the resources sent to the devices are compliant and secure. This way, devices receive the apps and data users need to work. All users need is a client on their devices to open the connection to the VDI server.
- Using VDI and BYOD together can free administrators from managing hardware.
- Mobile devices don't always meet the hardware requirements needed to run virtual desktops.
- Despite the fact that VDI makes device management easier for IT and increases productivity in theory, virtualization challenges can make it hard for users to get work done. Trying to use VDI on touch screens can be a nightmare.
- To use a remote desktop, tablet users need keyboards and mice the same way they would if they were sitting at their computers.
- Control the role of the user- today this is called Role-Based Access Control (RBAC). It simply means the network needs to recognize the identity of the user and allow access only to the resources that are necessary, by applying the appropriate user role. For example, a campus wireless network with NAC would have Student, Faculty and Guest roles, each with the specific set of privileges appropriate for it.
- Enforce policies- This is called "integrity checking" or "endpoint compliance". Does the machine connecting to the network have anti-virus? Does it have the latest updates? These are some of the policies controlled by traditional access control.
- These devices are highly vulnerable through Common Vulnerabilities and Exposures (CVE) "holes" and most likely are infected with eavesdropping software.
- In addition to Wi-Fi connectivity, they may be operating on cellular networks at the same time, thereby leaving a gaping hole of risk in the area of data theft and leakage.
- They may contain corporate resources in transit, such as customer records, contact lists, spreadsheets, documents, presentations, etc., which could be at risk of theft by eavesdropping malware, or if the equipment is lost or stolen.
- DLP prevents either an accidental disclosure or an employee overtly sending data out to someone outside the company.
- Real-time monitoring- visibility into the risk of accessing or sending sensitive data from mobile devices.
- Active enforcement- prevents the loss or misuse of sensitive data in real time.
- Poorly implemented rules can negatively impact the user experience of BYOD.
- Extensive policy enforcement.
- Additional controls are usually included.
- Provide one platform for managing all smartphones and tablet devices.
- No separation of personal from work data.
- Additional cost.
- Likely to be superseded by changes in the hardware/OS space.
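As an added example (not from the original article), the two NAC bullets above, user role and endpoint compliance, combined into one admission decision. The role table, the two posture attributes, the VLAN names and the remediation-only resource set are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role table for the campus example in the text (Student,
# Faculty, Guest); the resource names are assumptions, not real systems.
ROLE_ACL = {
    "student": {"internet", "lms"},
    "faculty": {"internet", "lms", "grades_db", "file_share"},
    "guest": {"internet"},
}
# A quarantined device only reaches what it needs to become compliant.
REMEDIATION_ONLY = {"patch_server", "av_update_server"}


@dataclass
class Posture:
    """Two of the integrity checks named in the text (assumed attribute
    names); a real NAC agent reports many more."""
    antivirus_running: bool
    patches_current: bool


def integrity_check(posture: Posture) -> list:
    """Endpoint compliance: return the policies the device fails."""
    failed = []
    if not posture.antivirus_running:
        failed.append("antivirus")
    if not posture.patches_current:
        failed.append("updates")
    return failed


def admit(user_role: str, posture: Posture) -> dict:
    """Combine RBAC with integrity checking into one admission decision.
    An unrecognised role falls back to guest (least privilege), and any
    failed check places the device in a quarantine VLAN."""
    role = user_role.lower() if user_role.lower() in ROLE_ACL else "guest"
    failed = integrity_check(posture)
    if failed:
        return {"role": role, "vlan": "quarantine",
                "allowed": set(REMEDIATION_ONLY), "failed": failed}
    return {"role": role, "vlan": f"{role}-vlan",
            "allowed": set(ROLE_ACL[role]), "failed": []}


if __name__ == "__main__":
    print(admit("Faculty", Posture(True, True)))
    print(admit("Student", Posture(antivirus_running=False, patches_current=True)))
    print(admit("Alumni", Posture(True, True)))  # unknown role -> guest
```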
-by Harikesh Mishra, CISO, JIL Information Technology limited