I recently traveled to the annual Gartner Security & Risk Management Summit in lovely National Harbor, Maryland with over 2,000 IT Security executives. There was a lot of buzz around Secure BYOD (bring your own device), and most of the major security vendors (including Cisco who I represented) had a story of some sort. Amidst this BYOD buzz, during a session, a man rose his hand and said:
“There is SO much talk about BYOD but I have not heard the industry definition, is there one? It seems it has many meanings to organizations struggling with it and to vendors trying to respond to it.”
This is a very fair question and remark. Most see BYOD as people bringing their own personal device to the office with access to all work-related applications while using it for personal life. Some organizations may say they do NOT have a BYOD policy because they only allow corporate sanctioned devices, but one could argue that is a BYOD policy that says “no personal devices”. A significant take-way was email is still the killer application for organizations to be mobile. I’m not sure my teenage daughter will agree with that, but she is not working for anyone yet.
Although all mobile devices are open to threats, it seems some may be more vulnerable than others -- such as Android devices with the OS fragmentation and a more open application store then Apple IOS devices. Further discussions with attendees suggested that there are many stakeholders in crafting the BYOD policy from HR, legal, networking, marketing & sales, and many times IT security is not brought to the table early enough. This can make the BYOD effort even more confusing for the IT security professional. Policy is the common ground for stakeholders to align. Once policy is determined, the network becomes the best vector to set and enforce it with both visibility and control. Russell Rice, Director @ Cisco spoke about the value of a policy-governed network in a standing room only session. You can view his presentation below, and read the white paper on the topic:
According to Gartner, Secure BYOD = NAC plus MDM:
- Advanced network access & control determines who, what, where, when and how may gain access to the network and where they may go.
- MDM provides the critical device management to inventory and management of the many devices such as disallowing jail broken devices or implementing remote data wipe on lost or stolen mobile devices.
Cisco provides the core components to secure BYOD and more. The Cisco Identity Services Engine (ISE) was recently noted in the Gartner Magic Quadrant for NAC & Unified Access. Cisco ISE is much more than NAC, including authentication, access control, guest services, management uniquely all in one platform. It will also be integrated with MDM vendors—initially with Airwatch, Good Technology, MobileIron & Zenprise later this year. Cisco’s equation to secure BYOD = ISE plus MDM plus additional security services.
The additional security services include secure remote access (Cisco AnyConnect), web security (where the bulk of the threats come from) and many other protective services like application controls and intrusion prevention. Cisco offers an unmatched very comprehensive secure BYOD solution. Beyond the security, Cisco offers wireless infrastructure, management & collaboration solutions that deliver an optimal experience for both IT and the end user. This is available in the Cisco BYOD Smart Solution which includes products and services –wrapped.
Based on my recent travels, there are many points of views on BYOD, and how to secure it. And the mobile security threats keep coming and evolving. This is a fast and furious growth area. It would be great to hear from others on their point of view on mobile threats and mobile security.