Most CIOs that I meet have some sort of plan for BYOD. After all, the C-level execs want to use their MacBooks at home and at work! The idea is so popular that even the Federal Government is trying it.
Superficially, BYOD seems like a win-win: the enterprise saves money on device procurement and support, and users get to choose their device. But in my view the idea is over-sold, and organizations frequently fail to understand its true financial implications. Citrix, an avid fan of BYOD, acknowledges that the real win is employee satisfaction. And all too often the BYOD discussion omits the real challenge, which is security and risk:
“For companies that allow personal devices, most surveyed permit employee access to email (70%) and websites (53%), while few allow access to more sensitive data such as file servers (16%) or financial records (13%). Even so, if a cyber-criminal gains access to employee email, this can expose corporate information and cause significant damage…”
Seeking a practical way forward, many CIOs give the user Hobson’s choice: you’re “always in or always out”. Unfortunately both models are an uneasy compromise between empowerment and security, and on closer examination they underwhelm both the CISO and the users. In this post I will narrow the discussion to “primary productivity devices”, that is, PCs. (Unsurprisingly, PC management could borrow from the models adopted for mobile devices in MDM, MAM and MIM (mobile device, application and information management), but even those are inadequate.)
“Always in” devices are owned, managed, secured and patched by the enterprise, are joined to the domain, and have Intranet access. They can roam, but only under tight control: access to enterprise applications is possible only over the VPN. The user does not have admin privileges, data at rest is encrypted, the device runs endpoint protection, and web browsing is permitted only via the enterprise proxy. In the office, these devices pass NAC and are placed on an “inside” VLAN.
An employee-owned device is “always out”: the owner has full admin rights and can use the device for any purpose. She is responsible for support (e.g. AppleCare) and for keeping the device patched. The enterprise has little control over how much of its data ends up on the device; ideally that footprint is ephemeral, but it rarely is in practice. When the employee brings the device to work, NAC dynamically assigns it to an “outside” VLAN: the Intranet, enterprise applications and other critical infrastructure are reachable only through some form of remote access, such as RDS (Remote Desktop Services) or VDI (virtual desktop infrastructure). The device is effectively in the DMZ, and from any location the user can reach only enterprise web applications or a virtual desktop/app, over an SSL VPN with two-factor authentication. Windows desktops and applications run in the enterprise data center and are “securely delivered” to the BYO device.
Neither model satisfies the needs of the enterprise or the employee.
“Always in” offers the CISO the most control, but no matter what IT does, the user can easily let an attacker compromise the device: by opening a poisoned email attachment, inserting a malicious USB key, or simply checking the news on a legitimate site that has itself been compromised, as NBC.com was. Attacks on roaming devices over hotel networks are also a significant concern. Because the device is trusted on the inside VLAN and over the VPN, a single compromised endpoint gives the attacker a foothold from which to move laterally into enterprise infrastructure. Rigorous IT controls and device lock-down also make life miserable for the user: most useful consumer web apps are off-limits, there are substantial privacy concerns when personal sites are accessed through the enterprise proxy, and personalization is taboo, with iTunes and Angry Birds out of the question.
The “always out” user has to be connected in order to work, and endures a user experience dominated by network latency. Not every application can be delivered remotely. This approach also fails to adequately protect either the user or the enterprise: the user can unwittingly install malware on the device that logs keystrokes or scrapes the screen, stealing log-in credentials and data (personal and corporate alike) no matter how the desktop is delivered. And the remotely accessed virtual desktop is just as vulnerable to a bad click as a physical one, except that it runs inside the data center, so compromising it invites the attacker straight into the data center.
Is there a better way? Yes. The Bromium endpoint architecture satisfies the stringent security requirements of the CISO and delights the user, whether she is in the office or on the road. I will cover the various aspects of this in a series of future posts.