BYOD Security . VDI Can Help

On 14 November 2012 by Pete Petersen

Holes In BYOD

Allowing employees to bring their own devices to work–and use them to do actual company work–has many advantages. And disadvantages. To be clear, smartphones and tablets are just computers. As pointed out by Paul Roberts in the “Holes In BYOD” article, a jailbroken iPhone is just a Unix host–with all the implications of having full access to the IP stack, file system, underneath all of Apple’s neat security features of iOS. Let’s list a few of the advantages and disadvantages of BYOD.

BYOD Advantages

  • Less hardware (end device) cost
  • Happier employees; they feel more free and trusted by the organization
  • No Tech Refresh budget needed for the end devices
  • No “golden” image(s) to manage for the devices

BYOD Disadvantages

  • Security risks of uncontrolled devices on the corporate network (malware, virus, breached devices)
  • Unauthorized applications accessing corporate data (risk of corruption, security)
  • Lost (unlocked) devices containing sensitive data

Five Tips For Better BYOD Security

The following is a direct excerpt from Paul Roberts’ article:

 

Letting employees bring their own devices onto the company network doesn’t have to be complicated, says
Kevin Mahaffey, CTO and a co-founder of Lookout Mobile Security, which makes security software for mobile devices. He suggests five simple steps for an effective BYOD security program.

  1. Have sensible, but not restrictive, policies. Emphasize user education about the threats posed by lost, stolen, and infected mobile devices and enforce reasonable policies such as requiring a PIN code to get physical access to a mobile device used on the company network.
  2. Implement remote lock, wipe, and locate features on company- and employee-owned devices. There are any number of mobile device management packages that offer these kind of remote features, and device location and remote wipe come standard with newer versions of Apple’s iOS software.
  3. Install anti-malware protection. It’s still early days for mobile malware, but the trend lines point sharply up and to the right. Better to be safe than sorry: Install mobile anti-malware now.
  4. Road warriors should use VPNs for everything when connecting to company assets from mobile devices, especially when connecting over public Wi-Fi.
  5. Focus on authentication and identity. Strong passwords aren’t enough, especially when keylogging malware and man-in-themiddle attacks may be present. Multifactor authentication or federated identity should be used to access high-value services on the company network.

—Paul Roberts

A Study In Scarlet

Many of these concerns can be mitigated with a VDI solution. Let’s address a few together. To be clear, Paul’s article should be reviewed and understood completely before taking off into BYOD territory–and I’m not talking about just large corporations either; I mean organizations large and small, public and private, domestic and offshore.

In Paul’s excellent set of tips above, #4 is especially interesting when considering the list in context of a VDI implementation. All of the compute and needed organization assets are behind a firewall at this point. When users connect to their virtual desktop or published applications, they can connect through a Secure Gateway and run the session over an encrypted channel. In that case, no VPN needed for the stream. In some cases, it may be better to VPN-connect first, and then access the published resources, depending on regulatory requirements and security policies of the organization.

In addition, in a well-thought-out WiFi solution in this context, the WiFi network is also behind the firewall at least in the DMZ, if not placed on the outside of the trusted network. This way, employee-owned devices are always on the outside anyway. This method makes it easier to enforce policies such as never letting corporate email or documents get onto mobile devices in the first place.

All organizations should clearly understand the risks and benefits of BYOD before embarking down the road. Organizations that are already in the thick of BYOD before realizing they got there have some work to do. But there are solutions that not only make it better, but can have a very positive effect on employee productivity and saving money on end user devices.

Here is a link to the article. Please understand and implement before embarking.

http://twimgs.com/infoweek/drdigital/101512dr/DarkReading_2012_10.pdf

Trackbacks & Pings