Connect with us

Hi, what are you looking for?


Mobile & Wireless

Dealing with Mobility and BYOD Security Challenges? Start with The Network

While there are Multiple Considerations to Secure Mobile Traffic, it’s the Network Where You Must Start…

While there are Multiple Considerations to Secure Mobile Traffic, it’s the Network Where You Must Start…

The topic of mobility and BYOD has become a fairly divisive subject, because of the differing perspectives on how to resolve security challenges for the mobile user. Within the SecurityWeek contributor set alone, perspective on this ranges from the complexities of dealing with BYOD to a recommendation to keep personal and business devices separate. The fact is, we all have strong affinities for our favorite mobile devices, and just as organizations had to embrace the desire for users to use Macs in the office (remember that controversy?), users are now making their own choices about the mobile devices they use at work. When employees are given the resources to do their jobs in more places, they find better and more productive ways to work.

The challenge is how to give users the full advantage of their mobility platform of choice without introducing risks to the business. A key part of that challenge is enabling flexible mobile security options depending on the device and use case. For example, an employee on an unmanaged device may just require access to the Internet, while another employee on a managed device may require full access to specific data center applications. Your mobile security solution should support both use cases.

BYOD Risks

Existing Approaches Have Limitations

When looking at the landscape for mobile device security, there are a number of approaches that are available. There are container and VDI technologies that isolate data, for example, offerings from Good Technologies or Citrix VDI solutions.

Containers work well to isolate sensitive data into a sandbox, but the technology is limited to certain applications. Therefore, any time a user chooses to use other productivity applications on the device, there are security risks introduced as users create business content outside of the container. Similarly, virtualization provides many benefits to partition where data goes. Business data stays in the data center instead of the endpoint, making it ideal for regulatory and compliance-driven environments. However, much like the limitations with containers, there are productivity applications that may be used outside of VDI. In addition, not every application is designed with the right interface for VDI on a mobile device.

Mobility and BYOD challenges have also created a secondary market around mobile device management products. Designed to manage the settings on a device, MDMs are typically used in conjunction with legacy VPN products to address mobile security. Yet the ephemeral quality of VPN means that when a user disconnects, they will not be subject to network security controls and therefore may inadvertently be downloading malware or sharing files inappropriately.

Therefore, while each element of existing solutions addresses part of the challenges around mobile security, there is no individual approach provides a complete solution.

Advertisement. Scroll to continue reading.

Start with the Network

I recently spoke with Brian Tokuyoshi, a Senior Security Analyst at Palo Alto Networks, and his advice for security teams is to avoid tackling the problem from the standpoint of dealing with all the permutations of endpoint technologies and start with the common denominator – the network. The network is the right place for IT to see all mobile traffic and enforce control between applications and mobile users, and that’s true regardless of what device is being used. Even with BYOD use cases, the organization can’t control what users do with their own devices, but they can control access to applications once the users touch the network.

But what should be the element of control within the network for mobile devices? Logically, the control structure belongs to the firewall, the one device that sits in the right location for enforcement, and can monitor and safely enable mobile user access to data center applications. The key criteria for this firewall needs to be the ability to understand applications, users and content, so mobile users are identified and access only applications allowed by policy, while content is scanned for known and unknown threats.

The threat aspect is particularly important for mobile users. For most users, the only defense for vulnerabilities in device’s operating system is to install the latest patches, but with so many devices in use, the organization has no idea how much exposure they face against emerging threats. Very few users have antivirus software running on their devices either, thus opening the door to the risk of downloading malicious code. Addressing vulnerabilities and malware protection in the network provides mobile users and device with a scalable, network-based protection for mobile device traffic.

In addition to the firewall as a control point, the traffic must be safely brought on to the network. This is where an always-on VPN connection complements the protection provided by the firewall. An always-on VPN connection to the corporate network, regardless of location, ensures that users have the same enforcement policy regardless of whether they are at using a desktop or using a mobile device.

Secure the Data and Device

Container or isolation technologies and MDM solutions now become options to add on to the network-based firewall protection (with always-on VPN). MDM solutions will establish profiles to govern device settings and device state, while containers and isolation technologies provide additional options for organizations with highly sensitive data and stringent regulatory requirements. Because these options are used with the firewall network protection and a secure always-on VPN connection, security extends to mobile users whether or not they are using container applications, non-IT sanctioned productivity applications or personal applications.


In summary, while there are multiple considerations to secure mobile traffic, it’s the network where you must start. This means maintaining a secure connection, keeping the traffic across it safe, and extending it to all users. By retaining control of the network, organizations can embrace mobility by making it safe for all users in all locations, regardless of the device. Starting from this premise, it becomes much easier to think in terms of how to make mobility work for your organization by providing the security to enable safe usage rather than trying to prevent it.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bring new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep-learning to detect malware, and CMO at SafeBreach where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...