Subscribe
About

Complexities of securing BYOD

The trade-off between security and usability in personal computing has long challenged the industry, never more so than with BYOD.

By Brian Bakker, Contributor
Johannesburg, 03 Mar 2014
Brent Kirkman, mobility executive: application services, UCS Solutions.
Brent Kirkman, mobility executive: application services, UCS Solutions.

On one level, the idea of encouraging workers to bring and use their own personal mobile and computing devices in the workplace may appeal to the bean-counters. However, such a strategy can be fraught with challenges, not least of which is how to manage what data and apps are present on the device, and ensuring that sensitive business information is adequately protected from loss or theft of the devices concerned.

But perhaps the greatest threat is from the installation of personal apps and the less-than-remote possibility that employees might fall prey to social engineering and inadvertently download malicious apps to their devices. Those apps could theoretically then have full access to the corporate network and data resources.

In this roundtable, Mogen Naidoo, an analyst with International Data Corporation (IDC), engages a group of industry pundits, beginning with a question about the bring your own device (BYOD) threat landscape. He asks: "What is shadow IT and what role does it play in the BYOD environment as we see it today?"

Andrew Kirkland, country director: Africa at Trustwave, fields the question by noting the lack of control inherent in a model where anyone can develop and upload an app to the app store, and effectively infiltrate corporate firewalls. "The focus with a lot of organisations is not so much trying to block the users from doing so, but actually trying to control what the users get access to and how those devices interact with the corporate network," he says.

According to Kirkland, one approach is to segment the network to allow people to use their own devices to a certain extent, but this, he says, doesn't resolve all the issues around malware. "In 2012, there was a 400% increase in mobile malware," he adds.

Self-healing networks

We're seeing a lot of interest in the concept of a 'self-healing network', says Kirkland. This, he elaborates, is made up of four technologies: network access control, security and incident management, data loss prevention, and secure Web gateway.

He maintains the secret is to remove the need for human intervention and automate the processes of segmentation, quarantine, reporting on and reacting to threats or incidents in the network environment.

Referring to a survey of CIOs conducted by IDC in 2013, Naidoo says only 10% of the respondents are using mobile management solutions, and 61% aren't doing so but are planning to. "The other thing is that only 20% of these employers expected to use company devices within the next 12 to 18 months," he notes, suggesting that standardisation is no longer a viable strategy.

BYOD isn't something that's going to be arriving, that people are looking at; it's actually been in place for a very long time.

Robert Sussman, joint CEO, Integr8

Robert Sussman, joint CEO of Integr8, says: "BYOD isn't something that's going to be arriving, that people are looking at; it's something that's been in place for a very long time."

Indeed, he draws an analogy with company cars, which evolved into allowances because executives wanted to choose their own cars. The same thing applies, he infers, to mobile phones and tablets: the end-user wants to choose the device that meets his or her needs and aspirations. Companies must just deal with those choices.

Participants

* Alex Russell, MD, EOH Citrix Services
* Andrew Kirkland, country director Africa, Trustwave
* Brent Kirkman, mobility executive: application services, UCS Solutions
* Colin Erasmus, OEM lead, Microsoft SA
* Gareth James, solution strategist for mobility and cloud, CA Southern Africa
* Mogen Naidoo, analyst, IDC
* Richard Aikman, product manager, Vox Telecom
* Robert Sussman, joint CEO, Integr8
* Tielman Botha, mobility services lead, Accenture SA

Colin Erasmus, OEM lead at Microsoft SA, suggests some organisations have tackled the security conundrum by drawing up lists of what specific devices are acceptable for use on the company network. It's a trend he says is called 'choose your own device' or CYOD.

Naidoo points to an apparent disconnect between mobile management and security, and wonders why there seems to be a reluctance among businesses to take up management solutions. He asks: are there options for effective BYOD management other than software solutions?

Corporate immaturity

Sussman suggests an immaturity and lack of awareness among local companies. The interpretation of the term BYOD is key, he adds. There's more to it than just the device; it's the application, the access to applications, the data, the security, the ownership - whether it's owned or rented, and if that's through your business or a third party.

"The reality is that BYOD is in its infancy locally. But at the same time, it's been here for a while," he says.

Brent Kirkman, mobility executive: application services for UCS Solutions, attributes this immaturity to the fact that senior employees brought in devices and began to demand that the IT department enable them to receive their e-mail. He maintains the apparent immaturity is born of fear.

The mechanisms we can put in place on tablet devices... can actually protect that data far better than you will with a laptop.

Brent Kirkman, mobility executive: application services, UCS Solutions

This is especially true of large companies with hundreds of employees, says Kirkman. They suddenly have all these devices consuming data on their corporate network and they're battling to put BYOD management tools in place without killing productivity. He believes BYOD will really take off when companies begin to understand how they can better secure their environments.

Tielman Botha, mobility services lead at Accenture SA, refers back to IDC's CIO survey and suggests the analyst firm approached the wrong audience on mobility. "You need to ask CEOs, CMOs and COOs because they are the guys pushing mobility," he says.

Tielman Botha, mobility services lead, Accenture SA.
Tielman Botha, mobility services lead, Accenture SA.

"If we look at the user productivity versus security, CIOs are only interested in security. It's the others who are interested in value," Botha adds.

Erasmus believes there has been a shift in budgets for technology from IT departments to marketing departments, which he says is scaring CIOs. One reason behind this, he believes, is a change in employment trends where applicants choose whether or not to accept an offered position on the basis of the particular devices they will be supplied to do the job.

Typing prowess

Botha makes an observation about young people coming out of schools and university who, he says, can't necessarily type on a keyboard. "They can type at triple our speed on a touch device. That's what makes them productive. Research shows the younger generation really is productive on a mobile device," he says.

Gareth James, solution strategist for mobility and cloud for CA Southern Africa, relates a discussion he had with an insurance company that had seen the number of mobile devices in use on its network doubling in the last seven months. One lesson he drew from this was that the device profile in emerging markets is different.

In the developed world, he says, the prevalent devices tend to be Apple- and Windows-based, which are inherently more secure. "The South Africa market is dominated by Android, which typically doesn't have those same restrictions and is vulnerable to a lot more malware," he says.

Not everybody needs full access, but if they do, wrap it, secure it, understand who is using your data, where it's going and control it.

Richard Aikman, product manager, Vox Telecom

Kirkman disagrees. "Technology is evolving so fast; we're dealing with laptops right now but the penetration of tablets is exceeding (that of) notebooks. And those very devices are actually more (vulnerable) to IP leakage," he says.

"The mechanisms we can put in place on tablet devices, containerisation and workspaces and so on can actually protect that data far better than you will with a laptop," he asserts.

Alex Russell, MD of EOH Citrix Services, reports seeing organisations grappling with the issue of BYOD using an old-school mentality that treats the mobile device like a notebook. This attitude, he suggests, results in those organisations bumping their heads against the dichotomy between usability and security.

Colin Erasmus, OEM lead, Microsoft SA.
Colin Erasmus, OEM lead, Microsoft SA.

"It's the technology ecosystems of vendors that are largely influencing the adoption of mobility in its truest sense," he says.

James believes the device itself is becoming less significant than the data contained thereon, which he suggests is shifting the emphasis to content management.

All about clarity

Kirkman asserts that BYOD management is about clarity, about marketing internally to the organisation, about being transparent and continuing change management for people coming into the environment, and what they're allowed to put on their devices. "The key part about that is containerisation," he adds.

He describes three different types of containerisation, the first of which involves separating personal data from corporate. This, Kirkman says, can be done through profiles.

A second level of containerisation is at an app level, sometimes called app wrapping. The third type, he says, are apps that are designed to be secure from the ground up, and therefore, cannot be overridden by the underlying operating system, be it iOS or Android.

Kirkman thinks the combination of these three forms of containerisation, combined with an open and transparent discussion with employees, will see the adoption rate picking up in SA. "We've seen it happen in the US, we've seen it happen in the Middle East, and as long as companies understand it and keep it simple, they'll be able to do it here," he says.

Alex Russell, MD, EOH Citrix Services.
Alex Russell, MD, EOH Citrix Services.

Richard Aikman, product manager at Vox Telecom, says organisations need to understand what BYOD is and that it's actually quite simple and requires analysing the workforce and what individual people need. "Not everybody needs full access, and if they do, wrap it, secure, it, understand who is using your data, where it's going and control it," he says.

"It's not something an organisation should be scared of. It's just an evolution of what's already been happening out there. (Companies) have already had an informal BYOD policy, driven by the employees who just wanted access to their mail and it evolved from there.

"Understand who the consumer of your data is and apply the regulatory framework around that, around where the data is stored and how to access it," says Aikman.

Data classification

Erasmus alludes to the fact that data classification, or rather, the lack thereof, is the elephant in the room. If you were to do a CIO survey today and ask them how many people have classified their data, the answers would be alarming, he says.

Richard Aikman, Vox Telecom product manager.
Richard Aikman, Vox Telecom product manager.

"At the end of the day, it's the data that is following us around. If you've done a decent job of classifying (it) and have the policies in place around whether (it's) allowed on a mobile device or not, it changes the whole situation," he says.

Kirkland adds that the Protection of Personal Information (POPI) Bill has now become law, and it's only a matter of months before the regulator is appointed. This, he says, will force companies to classify the private data they have in their networks.

Botha agrees that data and user classification are important aspects that are frequently underplayed. "As long as organisations accept that mobile is going to be part of their business, and work with it, they can evolve the solutions," he says.

Russell adds that organisations need to embrace mobility. While he acknowledges that the content is sensitive, he points out that it's happening whether companies like it or not, and all that's left to do is work to provide the required features for their users.

Erasmus uses the analogy of social media, which he says also caught the business world off-guard, but is now aggressively being adopted and transformed into a revenue source. Mobility, he says, is the same thing and organisations need to understand it internally as well as externally.

James has the last word: "The devices are already there; the bringing has already happened and now it's about taking a step back and figuring out how to enable that workforce, because they've already grasped it."

The technology, he adds, is there to be a light touch on the app so that the app is useable and functional so employees can do their jobs. Content management of the actual data and use of encryption between corporate and private repositories can maintain security.

"Because if you don't allow the users to do that, they'll simply go outside the security and then you've lost control," he concludes.

Share