Is There a Standard Definition for BYOD?

June 18, 2012 - 2 Comments

I recently traveled to the annual Gartner Security & Risk Management Summit in lovely National Harbor, Maryland with over 2,000 IT Security executives. There was a lot of buzz around Secure BYOD (bring your own device), and most of the major security vendors (including Cisco, whom I represented) had a story of some sort. Amidst this BYOD buzz, during a session, a man raised his hand and said:

“There is SO much talk about BYOD but I have not heard the industry definition, is there one? It seems it has many meanings to organizations struggling with it and to vendors trying to respond to it.”

This is a very fair question and remark. Most see BYOD as people bringing their own personal device to the office with access to all work-related applications while using it for personal life. Some organizations may say they do NOT have a BYOD policy because they only allow corporate-sanctioned devices, but one could argue that is a BYOD policy that says “no personal devices”. A significant takeaway was that email is still the killer application for organizations to be mobile. I’m not sure my teenage daughter will agree with that, but she is not working for anyone yet.

Although all mobile devices are open to threats, it seems some may be more vulnerable than others, such as Android devices, with their OS fragmentation and a more open application store than Apple iOS devices. Further discussions with attendees suggested that there are many stakeholders in crafting the BYOD policy, from HR, legal, networking, and marketing & sales, and that many times IT security is not brought to the table early enough. This can make the BYOD effort even more confusing for the IT security professional. Policy is the common ground for stakeholders to align. Once policy is determined, the network becomes the best vector to set and enforce it with both visibility and control. Russell Rice, Director @ Cisco, spoke about the value of a policy-governed network in a standing-room-only session. You can view his presentation below, and read the white paper on the topic:

According to Gartner, Secure BYOD = NAC plus MDM:

  • Advanced network access & control determines who, what, where, when and how may gain access to the network and where they may go.
  • MDM provides the critical device management to inventory and manage the many devices, such as disallowing jailbroken devices or implementing remote data wipe on lost or stolen mobile devices.

Cisco provides the core components to secure BYOD and more. The Cisco Identity Services Engine (ISE) was recently noted in the Gartner Magic Quadrant for NAC & Unified Access. Cisco ISE is much more than NAC, including authentication, access control, guest services, and management, uniquely all in one platform. It will also be integrated with MDM vendors, initially with AirWatch, Good Technology, MobileIron & Zenprise later this year. Cisco’s equation to secure BYOD = ISE plus MDM plus additional security services.

The additional security services include secure remote access (Cisco AnyConnect), web security (where the bulk of the threats come from) and many other protective services like application controls and intrusion prevention. Cisco offers an unmatched, very comprehensive secure BYOD solution. Beyond the security, Cisco offers wireless infrastructure, management & collaboration solutions that deliver an optimal experience for both IT and the end user. This is available in the Cisco BYOD Smart Solution, which includes products and services, wrapped.

Based on my recent travels, there are many points of view on BYOD and how to secure it. And the mobile security threats keep coming and evolving. This is a fast and furious growth area. It would be great to hear from others on their point of view on mobile threats and mobile security.


  1. In my experience MDMs that grant the enterprise too many administrative rights over an employee-owned device will be unattractive to the employee. The employee will find some way around the IT policy or they will not take advantage of the BYOD option. Either way the enterprise loses…they have a rule breaker or a less productive employee. If you have real-time visibility into what mobile devices are connected to your network you can see if these devices are acting within policy, or if they are displaying threatening behavior. With Cisco’s ISE + a NetFlow analysis tool (like Lancope’s StealthWatch) you have the Visibility plus the Context you need to be confident in a BYOD policy…without having to modify an employee-owned device or manage a bunch of agent-monitored endpoints.

  2. Kathy, thank you for taking the time to discuss the topic, and yes, it is a very good question. Every vendor seems to have an ‘answer’, but each is approaching it from a slightly different (and smaller) point of view than Cisco. Many of our customers have an existing investment in 2/3 of the Cisco solution. Meaning they likely have Cisco Switches and Wireless Mobility infrastructure and simply need to add Cisco ISE to complete our solution (an architecture for BYOD). It will be interesting to see how MDM (solution and vendors) adapt to this rapidly changing landscape over the next year or two. Thanks again for the observations from the security conference and BYOD discussion. David