BYOD Enhances Security

On 22 May 2013 by Pete Petersen
In or Out

Image source: http://smestrategy.net

Conversations with end customer organizations over the past few weeks have necessitated a little clarification.

What I said was, “In many ways, BYOD [Bring Your Own Device] is safer” than traditional desktops with traditional application distribution methods.

Here’s the explanation.

In a traditional world, the users connect to servers and compute resources over campus site or branch site networks. All well and fine. Even in a traditional implementation of VDI (or, to use the more recent term, End User Virtualization (EUV)), users connect to virtual desktops and applications over their networks, which then connect to servers and other compute resources over data center switches.

Consider the following diagram as a typical example.

Typical/traditional VDI Deployment

In this example, external users connect through the Internet, through the corporate firewall, and through the NetScaler (perhaps with Global Service Load Balancing (GSLB) enabled to allow for an active-active Load Balance / Disaster Recovery scenario), and then hit the internal load balancer, which balances them to one of the Web Interface services for that site, which then delivers available published desktops and applications. This is a great scenario for an organization that also has well-managed desktops, or well-managed thin devices, both of which can provide a great user experience.

Beautiful. Until BYOD comes in. Now you have the understandably concerning security risk of external, non-company-owned devices running around on the internal network with who-knows-what malware protection, or what, if any, security disciplines included.

The demands in this case are diametrically opposed: in the traditional sense, functionality is in opposition to security. BYOD is no different. However, properly implemented, BYOD can be an opportunity to think about the users (and their devices) differently.

What if we just move the whole experience to the inside? In other words, the only function the user device has at this point is an end device for published desktops and applications. That being the case, it is a much more compelling discussion to segment the user devices from the internal trusted network altogether.

So, make all users external, no matter where they’re coming from. Even if they’re coming from branch sites, or campus sites. Treat them all as external, corporate-owned or otherwise. This changes the dynamic a little. If you’ve already embraced the BYOD concept, and are now providing a stipend to users rather than equipment, then the transition is much easier. If you’re still managing some of the end devices, then the conversation shifts from how to allow application services to the end device to providing device-management services to the device.

Consider this diagram as an example of how users can all be treated as external.

Users as External

In this scenario, users come through the firewall no matter where they are: Branch sites, campus sites, or through the Internet from anywhere.

Consider the benefits vs. a traditional implementation.

  • Virtually any device can be chosen by the user–based on the user’s preferred work habits
  • Security needs are covered on the inside of the trusted network
  • Attack surface is greatly reduced, down to a single entry point over SSL
  • Data is completely controlled; either allow transfer to various local storage media (thumb drives, hard drives, optical media, locally-mapped network drives, etc.), or not, by policy
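One way to confirm that the "users as external" model actually holds on the wire is to audit firewall logs for flows from user segments that reach the trusted network without going through the gateway. The following is an added example, not code from the original post; the address ranges, the gateway VIP and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing (constructed for this example): every user-facing
# segment, campus, branch or BYOD, sits outside the trusted network, and
# the gateway VIP on 443 is the single entry point into it.
USER_SEGMENTS = [ipaddress.ip_network(n)
                 for n in ("10.10.0.0/16", "10.20.0.0/16", "172.16.50.0/24")]
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/16")
GATEWAY_VIP = ipaddress.ip_address("10.0.1.10")
ALLOWED_PORTS = {443}  # published desktops/apps are brokered over SSL only
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")

def classify(src, dst, port):
    """'allow', 'violation' or 'ignore' for one flow; only flows from a
    user segment into the trusted network are judged."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(src_ip in n for n in USER_SEGMENTS) or dst_ip not in TRUSTED_NET:
        return "ignore"  # server-to-server or Internet-bound: out of scope
    if dst_ip == GATEWAY_VIP and port in ALLOWED_PORTS:
        return "allow"
    return "violation"  # device still reaching inside around the gateway

def audit(lines):
    """Return (verdict counts, list of violating flows) for iptables-style
    log lines; lines without SRC/DST/DPT fields are counted, not crashed on."""
    counts, violations = Counter(), []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        verdict = classify(src, dst, port)
        counts[verdict] += 1
        if verdict == "violation":
            violations.append((src, dst, port))
    return counts, violations

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "ACCEPT SRC=10.10.4.21 DST=10.0.1.10 DPT=443",    # campus user -> gateway
    "ACCEPT SRC=10.20.7.5 DST=10.0.1.10 DPT=443",     # branch user -> gateway
    "ACCEPT SRC=172.16.50.9 DST=10.0.30.15 DPT=445",  # BYOD -> file server directly
    "ACCEPT SRC=10.10.4.21 DST=10.0.30.15 DPT=3389",  # RDP around the broker
    "ACCEPT SRC=10.0.5.5 DST=10.0.30.15 DPT=445",     # server-to-server, ignored
    "ACCEPT SRC=10.10.4.21 DST=8.8.8.8 DPT=53",       # Internet-bound, ignored
]
```

Running `audit(SAMPLE_LOG)` yields two allowed flows, two violations (the direct SMB and RDP connections) and two ignored flows; in practice the violation list is the inventory of devices and rules that still need to be moved outside the trusted network.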

In the end, the users have a very similar experience to what they’re used to, using existing line-of-business and productivity applications, and with the added benefits of centralized management and the freedom to choose their own work experience.

For further reference, consider the following as additional reading.

One thing is certain: all organizations need to embrace the wave and take an approach. Putting user devices outside the trusted network can enhance security while still allowing users all the resources they need to be productive and happy.