There is No Stopping the BYOD Wave. The Difficulty is the Complexity Involved...
How far off the grid would you have to be to have missed the changes in how computing power is purchased these days? We all carry more compute power in our pockets than our employers put on our desks just a few years ago. Even the airlines have to keep updating their instructions for landing; it’s not one or two people firing up high-bandwidth, high-power computing devices as soon as rubber meets tarmac, it’s now pretty much everyone on the plane.
Indeed, flying is one of those times where we get reminders of our still relatively new expectations: always on, always connected, always communicating. (Is WiFi on a flight a must-have, or something to avoid? Some people enjoy the enforced disconnect for a few hours.) Once, you only saw this on the “geek bus” flights, but now it’s everywhere.
This socio-economic tide of uber-friendly, attractive compute power hit IT and security departments like a tsunami, maybe not moving all that fast, but moving with utterly unstoppable force. The predictable initial reactions from both IT and security were focused on preventing these strange new beasts, consumer-grade computers, from connecting to the corporate world. Just saying “no” didn’t last long. Once the CEO wants the new toy, it becomes impossible to refuse.
As I work with security teams, I’ve seen an explosion of complexity in mobility access controls. Once upon a time, the major access rules lived on firewalls, with a smattering of inconvenient, hard-to-track exceptions sprinkled elsewhere. As an industry, we’re currently working through a transition to the “next generation firewall,” but that is largely an in-place exchange: take your existing monstrously complex firewall and swap it for a new one with intriguing new features. To start with, aim for a one-for-one exchange; think Indiana Jones swapping the bag of sand for the idol. Simultaneously, “Bring Your Own Device” arrived as a great wave. When we look at security controls end-to-end (which I believe is the ONLY effective way to do it), BYOD is a challenge not just because it’s new, complex, and fast-moving, but also because it moves policy enforcement away from familiar locations. You don’t control it at the classic border firewall, or at the internal control point (perhaps at the perimeter of a data center, or some other major boundary).
Mobility happens out at the ragged edge, near the users. This is a vast new frontier of enforcement “opportunities” (read: opportunities to get it wrong). Mobility control products have been taking off spectacularly over the last couple of years. I used to get into comparatively few conversations about them; now half of the companies I talk to have so many mobility control points that they’ve lost the ability to understand what it all does. I suspect the other half has the problem too, but just hasn’t realized it yet; security is like that. I’m not suggesting the mobility control vendors are doing anything wrong; they are offering the features IT security departments need in order to prevent the enzyme of mobility from dissolving all internal network controls. The problem is the explosion in complexity and yet another rule set to manage, when typical organizations weren’t doing all that well at managing the old ones.
Let me offer an example. Many organizations decide to allow guest access: bring your own device, connect to our WiFi while you’re a guest in our building, and we’ll politely escort your packets off the premises and out to the Internet. All very fair, but how close are these mobile users to the Internet access you’re offering? Technically speaking, not close at all. The base station your phone connects to is part of one highly complex world (the set of APs, with all their details of channel allocation and coverage). The mobility controllers add another layer beyond the APs; without them you would have a Wild West free-for-all, but adding them brings another complex control point (and this is where most of the action is right now in access controls for mobile workers). That layer is still separate from the corporate LAN or campus environment, which in turn is distinct from the edge environment where you connect to the Internet, enforcing yet more controls. Looked at “edge on” like this, the infrastructure is a confusing maze of at least four layers, ALL of which must work in concert to get the “simple” effect the business wanted: guest users should get Internet, and nothing else. How do you orchestrate this? It’s a simple objective, but a real challenge. The number of ways to fumble by accidentally adding an “off ramp” that lets untrusted guests reach real corporate services is dizzying, and a rule that is correct on its own layer can still be undone by a broader allow placed ahead of it, or by a neighbouring layer that assumes the filtering happened somewhere else. And this is just one simple example of an access policy.
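To make the orchestration problem concrete, here is an added example that is not part of the original post. It models the four layers a guest packet crosses (access point, mobility controller, campus core, Internet edge) as ordered, first-match rule lists with an implicit deny, composes them along the guest path, and checks the business objective end to end: Internet reachable, corporate address space not. The layer names, the private ranges treated as “corporate”, the probe destinations and the two controller rule sets are constructed for illustration; the “shadowed” rule set shows the classic off ramp where a catch-all allow placed first hides the denies beneath it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: the three RFC 1918 ranges stand in for "corporate" space.
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # None matches any destination port


@dataclass
class Layer:
    name: str
    rules: List[Rule]

    def decide(self, dst_ip: str, dport: int) -> str:
        """First-match evaluation with an implicit deny, as on most ACLs."""
        ip = ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if ip in ipaddress.ip_network(r.dst) and r.dport in (None, dport):
                return r.action
        return "deny"


def end_to_end(layers: List[Layer], dst_ip: str, dport: int) -> Optional[str]:
    """None if every layer allows the flow, else the name of the first layer that blocks it."""
    for layer in layers:
        if layer.decide(dst_ip, dport) != "allow":
            return layer.name
    return None


def independent_blockers(layers: List[Layer], dst_ip: str, dport: int) -> List[str]:
    """Layers that would each block the flow on their own: how much depth protects this destination."""
    return [l.name for l in layers if l.decide(dst_ip, dport) != "allow"]


def find_off_ramps(layers: List[Layer], probes):
    """Probe destinations inside corporate space that a guest can reach end to end."""
    leaks = []
    for dst_ip, dport in probes:
        in_corp = any(ipaddress.ip_address(dst_ip) in n for n in CORPORATE_NETS)
        if in_corp and end_to_end(layers, dst_ip, dport) is None:
            leaks.append((dst_ip, dport))
    return leaks


# Constructed probe set: one host per private range plus a stand-in Internet address
# (203.0.113.10 is documentation space, used here only as "somewhere outside").
PROBES = [(ip, p)
          for ip in ("10.1.2.3", "172.16.5.6", "192.168.7.8", "203.0.113.10")
          for p in (22, 443, 445, 3389)]


def guest_path(controller_rules: List[Rule]) -> List[Layer]:
    """The four enforcement points on the guest VLAN's way out; only the controller filters."""
    return [
        Layer("access point", [Rule("allow", "0.0.0.0/0")]),       # bridges everything to the controller
        Layer("mobility controller", controller_rules),
        Layer("campus core", [Rule("allow", "0.0.0.0/0")]),        # trusts the controller to have filtered
        Layer("internet edge", [Rule("allow", "0.0.0.0/0")]),      # guest VLAN is simply NATed out
    ]


# Broken: the catch-all allow sits first and shadows every deny below it.
SHADOWED = [Rule("allow", "0.0.0.0/0"),
            Rule("deny", "10.0.0.0/8"), Rule("deny", "172.16.0.0/12"), Rule("deny", "192.168.0.0/16")]

# Fixed: denies first, then the catch-all allow out to the Internet.
CORRECT = [Rule("deny", "10.0.0.0/8"), Rule("deny", "172.16.0.0/12"), Rule("deny", "192.168.0.0/16"),
           Rule("allow", "0.0.0.0/0")]


def audit(controller_rules: List[Rule]) -> dict:
    """Check the business objective end to end and report where the protection actually comes from."""
    layers = guest_path(controller_rules)
    return {
        "internet_reachable": end_to_end(layers, "203.0.113.10", 443) is None,
        "off_ramps": find_off_ramps(layers, PROBES),
        "blockers_for_corp": independent_blockers(layers, "10.1.2.3", 445),
    }


if __name__ == "__main__":
    for label, rules in (("shadowed", SHADOWED), ("correct", CORRECT)):
        print(label, audit(rules))
```

Run stand-alone, the shadowed controller passes the "guests get Internet" test while every corporate probe leaks, which is exactly why checking each layer in isolation is not enough. The corrected rule set closes the off ramps, but `blockers_for_corp` still names a single layer: one misordered edit on that controller reopens everything, because the campus core and the Internet edge enforce nothing for the guest VLAN.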
Nowadays, IT departments have largely given up imitating King Cnut: as he found, you can order the tide not to come in, but all you get are wet feet. BYOD already happened; the game now is to adapt. And sure enough, the VC-backed innovation engine responded; we now have MDM (mobile device management), MAM (mobile application management), and a variety of seriously smart access points and mobility controllers. This all makes sense. But it’s creating a new problem, the perennial security problem of ever-increasing complexity. We can deploy agents, we can write new access policies, and we can pursue “containerization.” These are good reactions in and of themselves, but in the context of a messy, disorganized, poorly controlled end-to-end security environment, they add more potential sources of chaos and breakdown. Think of existing security controls as a desk piled high with papers, near the point of collapse; adding BYOD tosses on another couple of reams.
As we’ve seen, there is no stopping the BYOD wave. The difficulty is the complexity involved. You can’t get the policies right, and protect your operation, unless you can orchestrate and coordinate end-to-end, across your whole environment. In a nutshell, the BYOD problem isn’t even about BYOD; it’s about the ability to visualize, understand, and control your whole infrastructure, including this latest addition to the network map.