Dealing with Mobility and BYOD Security Challenges? Start with The Network

While there are multiple considerations to secure mobile traffic, it's the network where you must start.

The topic of mobility and BYOD has become a fairly divisive subject, because of the differing perspectives on how to resolve security challenges for the mobile user. Within the SecurityWeek contributor set alone, perspective on this ranges from the complexities of dealing with BYOD to a recommendation to keep personal and business devices separate. The fact is, we all have strong affinities for our favorite mobile devices, and just as organizations had to embrace the desire for users to use Macs in the office (remember that controversy?), users are now making their own choices about the mobile devices they use at work. When employees are given the resources to do their jobs in more places, they find better and more productive ways to work.

The challenge is how to give users the full advantage of their mobility platform of choice without introducing risks to the business. A key part of that challenge is enabling flexible mobile security options depending on the device and use case. For example, an employee on an unmanaged device may just require access to the Internet, while another employee on a managed device may require full access to specific data center applications. Your mobile security solution should support both use cases.

Existing Approaches Have Limitations

When looking at the landscape for mobile device security, there are a number of approaches that are available. There are container and VDI technologies that isolate data, for example, offerings from Good Technologies or Citrix VDI solutions.

Containers work well to isolate sensitive data into a sandbox, but the technology is limited to certain applications. Any time a user chooses to use other productivity applications on the device, security risks are introduced as users create business content outside of the container. Similarly, virtualization offers a clean way to partition where data resides. Business data stays in the data center instead of on the endpoint, making it ideal for regulatory and compliance-driven environments. However, much like the limitations with containers, there are productivity applications that may be used outside of VDI. In addition, not every application is designed with the right interface for VDI on a mobile device.

Mobility and BYOD challenges have also created a secondary market around mobile device management products. Designed to manage the settings on a device, MDMs are typically used in conjunction with legacy VPN products to address mobile security. Yet the ephemeral quality of VPN means that when a user disconnects, they will not be subject to network security controls and therefore may inadvertently be downloading malware or sharing files inappropriately.

Therefore, while each element of the existing solutions addresses part of the mobile security challenge, no individual approach provides a complete solution.

Start with the Network

I recently spoke with Brian Tokuyoshi, a Senior Security Analyst at Palo Alto Networks, and his advice for security teams is to avoid tackling the problem from the standpoint of dealing with all the permutations of endpoint technologies and start with the common denominator – the network. The network is the right place for IT to see all mobile traffic and enforce control between applications and mobile users, and that’s true regardless of what device is being used. Even with BYOD use cases, the organization can’t control what users do with their own devices, but they can control access to applications once the users touch the network.

But what should be the element of control within the network for mobile devices? Logically, the control point belongs in the firewall, the one device that sits in the right location for enforcement and can monitor and safely enable mobile user access to data center applications. The key criterion for this firewall is the ability to understand applications, users and content, so that mobile users are identified and can access only the applications allowed by policy, while content is scanned for known and unknown threats.

The threat aspect is particularly important for mobile users. For most users, the only defense against vulnerabilities in the device's operating system is to install the latest patches, but with so many devices in use, the organization has no idea how much exposure it faces against emerging threats. Very few users have antivirus software running on their devices either, which opens the door to the risk of downloading malicious code. Addressing vulnerabilities and malware protection in the network provides mobile users and devices with scalable, network-based protection for mobile device traffic.

In addition to the firewall as a control point, the traffic must be safely brought onto the network. This is where an always-on VPN connection complements the protection provided by the firewall. An always-on VPN connection to the corporate network, regardless of location, ensures that users are subject to the same enforcement policy whether they are using a desktop or a mobile device.

Secure the Data and Device

Container or isolation technologies and MDM solutions now become options to add on to the network-based firewall protection (with always-on VPN). MDM solutions will establish profiles to govern device settings and device state, while containers and isolation technologies provide additional options for organizations with highly sensitive data and stringent regulatory requirements. Because these options are used with the firewall network protection and a secure always-on VPN connection, security extends to mobile users whether or not they are using container applications, non-IT sanctioned productivity applications or personal applications.

Summary

In summary, while there are multiple considerations to secure mobile traffic, it’s the network where you must start. This means maintaining a secure connection, keeping the traffic across it safe, and extending it to all users. By retaining control of the network, organizations can embrace mobility by making it safe for all users in all locations, regardless of the device. Starting from this premise, it becomes much easier to think in terms of how to make mobility work for your organization by providing the security to enable safe usage rather than trying to prevent it.

Danelle Au is head of product marketing at Adallom, a SaaS security company. Danelle has more than 15 years of experience bringing new and innovative security technologies to market, and is a frequent speaker at conferences. Prior to Adallom, Danelle was responsible for solutions marketing at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications book, "Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office", and holds 2 U.S. patents.