
There is No New Thing Under the Sun. What about BYOD?

Level 12

Meanwhile, today’s security teams are grappling with the “any-to-any problem”: how to secure any user, on any device, located anywhere, accessing any application or resource. The BYOD trend only complicates these efforts. It’s difficult to manage all of these types of equipment, especially with a limited IT budget. In a BYOD environment, the CISO needs to be especially certain that the data room is tightly controlled.

-- Cisco 2014 Annual Security Report

A while back I was chatting with my colleague about BYOD (Bring Your Own Device) at lunch. I stated that we would need to pay more attention to BYOD, as it had started to put more stress on our policy, network, and security. My colleague rolled his eyes and said BYOD was nothing new; people had been bringing laptops to the company's network FOR YEARS.

The next morning, as soon as I saw him, I told him that the BYOD situation was different nowadays. I said that back in the old days, only certain persons brought ONE laptop PER PERSON to our network, but now EVERY person easily has multiple devices to bring in. I counted mine: a Blackberry, an iPhone, an iPad, and a MacBook Pro. That colleague had the same number of devices, but luckily he had left his iPad at home for his son, so he brought in one less that day.

Many organizations have found that the wireless subnets that were designed a couple of years ago always run out of IP addresses; they have to constantly expand the wireless network scope. Not only does the sudden increase in the number of devices on the network trouble organizations, but they also realize that they have to face the challenge, and the complexity, of securing the network and their valuable data from mobile devices. Traditional NAC doesn't seem to be able to handle this new trend. MDM comes into the picture, but is it mature enough?

According to mobile OS market share data, Android currently dominates the market, followed by iOS. The problem is that a large percentage of Android devices still use outdated releases. These devices are subject to security vulnerabilities. The information security of many organizations is solid and well-protected from the outside but really weak from the inside. Now more and more vulnerable devices are brought directly into the inside network. I'm sure you get the picture.

Does your organization face the same challenge? How does your organization protect itself from the BYOD? By both policy and MDM? Do you think the current MDM solutions are good enough?

I am looking forward to reading your stories and comments.

71 Comments
Level 11

I think any medium to large organization is feeling this pain.  I know that in my work experience, we've been slow to put MDM at the top of our priority list and there is a bit of catching up to do.  At my last position we were using Aruba controllers with Airwave and Clearpass to manage mobile devices.  Typically the policies I have seen have basically looked to see if a device is organization owned or personal, and if it is personal we simply dump it to the internet.  I don't feel like that is enough.  For example, the fellow we found doing BitTorrent from his phone and the fact that Hulu is the top application at any given time period.  All these personal devices take a hit on the internet bandwidth increase that upper management already doesn't want to pay additional money for.  In my opinion, it's usually the policy part of the puzzle that makes it difficult.

Jim

MVP

BYOD devices are on their own network... a guest wireless network that has no access to the primary.

Access is password protected and it is still firewalled and restrictions to various sites still exist...

Level 17

Guest Wireless has limited bandwidth, so everyone just fights over that (though recently increased). For internal use you must have a PW... policy dictates how far you can go without an app that allows us control and the ability to wipe your device. Info-sec will watch for malicious devices, and request a block by MAC - or call to tell them to stop the torrent. Most of the time when they find something, it is the user's device after being hijacked.

Level 11

Thanks for the information Jfrazier

Level 12

Jfrazier, that is what we do: try to lock down as much as possible. It works for the most part, and if our security team sees you with a device that's not on your property pass, it gets taken until you leave for the day, and they will walk you out to your car and then hand it to you.

Level 12

Jim, pretty good story and well said!

Since MDM is so new (some may not even know what MDM is), we are still learning how to deploy it correctly. It's an evolving process. I understand the reason to swing the personal devices to the internet in order to separate the company-owned and the personal devices. IPS on the internet segment can kill the P2P traffic and enforce the internet usage policies.

Level 12

Jfrazier Yours is a good way to handle BYOD if the BYOD devices are treated as "guest" devices. Policies can also be applied to the BYOD network.

Now, what about BYOD devices that need to be a part of the internal network? The reason I ask is that one of the benefits of BYOD is cost savings on company assets. A company then doesn't have to purchase mobile devices for every employee and pay for the maintenance.

Level 12

cahunt It looks like that you have this BYOD under control.

How many people in the team(s) does your organization have to deploy, implement, and maintain this infrastructure and these policies?

Level 12

Aaron Denning Wow, you guys have a really strict policy! I like it. I just wonder how many companies can actually enforce such a strict policy. Would you also share your MDM infrastructure?

Level 12

BYOD is really on their own as Jfrazier said. Only a few are allowed to access the network with more than one device.

MVP

We normally use certificates issued to company mobile devices to control what accesses the mobile network. If you do not have the certificate on your device you are not accessing the network at all. It is strict but it prevents anybody from connecting to the network with an unauthorized mobile device.

Level 13

I like that. But I think you would still need to have the on device controls as well.

Level 12

esther Are those devices that are allowed to access internal resources personal or company owned? Do you identify them with MAC address or require them to install MDM app?

Level 12

Kurt H, yours is a good way to lock down BYOD access. I'm glad that your organization is able to enforce such a policy. Many other organizations can't do that due to business reasons.

Level 12

The extra devices allowed are just for management, identified by their MAC address.

MVP

We are looking at doing something like that for company owned assets.

Thus if you have the token or certificate you get access to the intranet (wired or wireless), and if you don't then you get the guest network (wired or wireless).

It helps simplify things (scalability) and provides a good initial layer of protection.

Level 13

Unless the user knows what you’re doing : ) and then it’s as simple as copying to each device you want

Level 12

Jfrazier Yeah, it's a good and simple (not weak) solution. And exceptions can be granted to VIPs' personal devices. The policies go from there.

Level 12

kevincrouch4 Is it that easy? I'm curious. Would you elaborate? Thanks.

Level 12

kevincrouch4 Agreed. Some vendors found it's a pain in the neck to implement device control on Apple's iOS devices, but they have workarounds.

Level 17

We are big to begin with, but it spans across Engineering, Operations and Info-Sec for BYOD. You could include Project Management and a slew of contractors to help install and cable. We partnered with a big provider to get another internal DAS. The DAS helps with the load on the guest network to provide good throughput while in a place where the signal would not normally go, but of course most folks have this idea of saving their un-limited data and using wireless instead.

We do have a paging services group along with a new mobile computing group to assist with management of internal devices; most devices supplied run off 4G data, hence the DAS... We are beginning to supply the extra device in some cases when the need is there for the whole 'mobile computing' solution. Though those devices are all on proper encryption and authentication, those are normally wireless.

Level 13

In my experience, you usually move the certificate to the device some way. If you emailed it, just re-download from the email. If they moved it to the storage on the device and installed it from there, just copy it off the storage and on to the new device. Once on the new (second) device, just install again. The computer will think both devices are the same device, but all the systems I know of would still accept either device. Possibly only one at a time though.

As for recovering already installed certificates, I’ve never looked into it. The moral of the story is trust the phone with the certificate but not the user – make sure you remove any way for the user to get an actual copy of the cert.

MVP

Two different approaches, separated by a few years and therefore a shift in the policy and application of BYOD.

1) Employees and visitors were welcome to bring their own devices, but they could only connect to the guest network after physically presenting their device to the IT Service Desk for inspection. That meant verification that the OS was up-to-date WRT patching and AV definitions. Only then was the WEP key (yes, it really was a while ago) given to the user.

2) Anyone can connect to the wireless guest network. Period.

Level 12

Through our wireless, if you don't have a GID you don't get on. If you're a visitor, the manager of the section you are seeing needs to get you a temp GID just to get on. If you need to work from home, we use RSA tokens and Pulse. If you want your emails and whatnot on your smartphone, it has to go to security to get patched, then to the help desk so they can put everything on it and give you a PIN for your phone. It's crazy here and super secure.

Level 12

michael stump, that's an interesting shift in the policy. I wonder what the driving force behind the shift was. I've seen organizations receive notices of copyright infringement from time to time because devices connected to the guest network were caught downloading copyrighted stuff with P2P. Yes, IPS didn't catch prohibited traffic all the time.

Level 12

cahunt Thank you for sharing your valuable behind-the-scene information. It's big, just like Texas.

Level 12

That's cool and simple. I don't know what iOS 8's randomized MAC addresses before connection will bring to us for management.
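As an added illustration of the MAC-based device identification several commenters describe, and of the randomized-address caveat raised in this comment, the following Python script (added here; it is not from the original thread or from any product mentioned in it) audits constructed, syslog-style association lines from a hypothetical wireless controller against a small device inventory. Any address whose first octet has the locally administered bit (0x02) set is reported as "randomized" rather than "unknown", because such an address can never be matched to an inventory. The log format, the SSID names, the host name and the inventory entries are all assumptions made for this example.

```python
"""Audit wireless association logs against a MAC-address inventory.

Added example for the discussion above. The log format (syslog-like lines
from a hypothetical controller), the SSID names and the inventory are
constructed assumptions, not output from any real product.
"""
import re

# Constructed inventory: the "extra devices" registered by MAC address.
KNOWN_MACS = {
    "3c:22:fb:12:34:56": "mgmt-ipad-01",
    "00:1b:63:aa:bb:cc": "ops-laptop-07",
}

# SSIDs on which unknown devices are expected by policy and so not flagged.
GUEST_SSIDS = {"GUEST"}

# Constructed sample log (assumed format: "<ts> <host> assoc <mac> ssid=<ssid>").
SAMPLE_LOG = """\
Jun 11 09:01:12 wlc1 assoc 3C:22:FB:12:34:56 ssid=CORP-BYOD
Jun 11 09:02:40 wlc1 assoc 00:1b:63:aa:bb:cc ssid=CORP-BYOD
Jun 11 09:03:05 wlc1 assoc 02:7f:19:4e:22:a1 ssid=CORP-BYOD
Jun 11 09:03:09 wlc1 assoc de:ad:be:ef:00:01 ssid=GUEST
Jun 11 09:04:55 wlc1 assoc 8c:85:90:01:02:03 ssid=CORP-BYOD
Jun 11 09:05:00 wlc1 deauth 8c:85:90:01:02:03 reason=3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ assoc "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}) ssid=(?P<ssid>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory lookups are exact."""
    return mac.lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set: randomized/privacy MACs
    and other locally assigned addresses carry this bit."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def classify(mac: str, known=KNOWN_MACS) -> str:
    """'known' if in the inventory, 'randomized' if locally administered
    (no inventory match is possible), otherwise 'unknown'."""
    mac = normalize_mac(mac)
    if mac in known:
        return "known"
    if is_locally_administered(mac):
        return "randomized"
    return "unknown"


def audit(log_text: str, known=KNOWN_MACS, guest_ssids=GUEST_SSIDS) -> list:
    """Return one finding per association on a non-guest SSID by a device
    that is not in the inventory."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ssid") in guest_ssids:
            continue  # not an association line, or guest traffic by policy
        mac = normalize_mac(m.group("mac"))
        verdict = classify(mac, known)
        if verdict != "known":
            findings.append({"time": m.group("ts"), "mac": mac,
                             "ssid": m.group("ssid"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['time']} {f['ssid']:10} {f['mac']} {f['verdict']}")
```

On the constructed log this reports two devices on CORP-BYOD: one randomized address and one globally unique address that is simply not in the inventory. iOS 8 randomized only the pre-association probe addresses, so the MAC seen at association time still matched an inventory; later mobile OS releases randomize the address used for the connection itself, which is why a MAC-keyed allow-list needs the third verdict rather than treating every miss as a rogue device.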

Level 12

Aaron Denning And the troublesome and time-consuming security / help desk procedure definitely scares people away unless they have "real" needs. BTW, thanks for sharing your MDM policy and procedure.

Level 12

kevincrouch4 That makes sense and it seems like a tradeoff. Then the identification portion needs to be improved and strengthened. Do you have any suggestions?

Level 12

Great post mfmahler. Thank U. I have learned a lot.

Level 9

This methodology is the one I see most often.  It definitely has its drawbacks, but the protection of the internal network is more than worth eating those up.

Level 9

I'd like to name this method "The Battle to Finish YouTube Video without Rage Quitting".

Level 10

Ideally, your guest wifi network is going to go through the same firewall as normal traffic for scrubbing (this kills the p2p), but will then be sent out a different pipe so as not to impact your office LAN.

Level 12

Thank you for the kind words, esther. I've learnt a lot from everyone's interactions and contributions here, too.

Level 12

I am not a member of the network team but I know everyone brings their devices and they are not allowed to connect to wireless (we use LTE since it's password protected).

Level 12

Good to know, ZibaK. That means you guys don't allow BYOD.

Level 12

dwoj Agree. You guys have the same policy?

Level 12

Rate limiting...

Level 12

garetht Ideally, if the guest traffic can be sent to a different internet pipe, or the guest traffic can be rate limited in the same internet pipe, that will be good. Otherwise, the internet bandwidth will take a hit and everyone suffers, as Jim mentioned in his feedback here.

Level 11

I would say that most companies are not going to foot the bill for a separate internet circuit from the work related one, and further that upper management (the ones paying the bill) probably have no concept of what traffic is business and what traffic is Hulu, Netflix, etc.   Not to mention aggregation points where maybe you do have separate circuits but at some point they may all be flowing through the same 100meg interface on an older firewall. 

I love the idea of rate limiting.  But in my network lifetime, the usual cause for bad design is a lack of defined policies.  Networkers can make almost anything happen, but they need the backing of the upper organization.  Otherwise, you implement and then someone cries and you have to remove your implementation.. Rinse, repeat, rinse, repeat, etc

Jim

Level 12

Thanks mfmahler for the valid info. I like to learn something every day!

Level 10

>most companies are not going to foot the bill for a separate internet circuit from the work related one

Anything more than a very small shop would be wise to have a separate backup line.  Even if it's just a DSL line, capacity can vary by business need.  When your main office internet link goes dark due to an ISP issue it's very pleasant to switch over (automatically or otherwise) to a backup connection.

Level 11

garetht - I completely agree.  I didn't state that correctly.  My point was that even if you have redundant circuits for internet, it's doubtful (in my opinion) that most companies are installing that bandwidth for your personal pleasure.

Jim

Level 21

Our BYOD policy is currently rather simple; however, I suspect it is going to change very soon for the worse...

Currently we provide company PCs to most employees which have approved and supported software installed on them.  We have an internal wireless network that can be used to attach those devices.  If you bring devices from home you can connect them via our Public wireless network which basically just gives you internet access.  We can also connect with home PCs via a VPN through our corporate firewall.

Unfortunately more and more employees are wanting to use their own non-supported devices and software which is causing nothing but a huge headache for those of us that manage corporate IT.

I personally think it's more cost-effective overall for companies to just provide a company-approved system (or a choice from a list of approved systems) with company-approved software to all employees.

Level 12

garetht I agree with you, too. I started my career as a web admin and I've seen more and more dependence on the internet, not only from businesses, but from daily life in general. Also, as more and more business operations have been moving to public/private/hybrid clouds, internet service with a backup that provides 100% uptime is a must for organizations, large and small.

Level 12

Jim, business first, definitely. But it won't hurt with business needs and more: we just enabled two 10G internet circuits this afternoon; it's good timing for the World Cup live streaming starting tomorrow.

Level 12

byrona Thank you for sharing your thoughts and your company's "current" policy.

> I personally think its more cost effective overall for companies to just provide a company approved system (or a choice from a list of approved systems) with company approved software to all employees.

I can see the way of the cost saving from your comment.

The system landscape has changed. Most employees no longer request laptops costing a couple thousand dollars; they want tablets or smartphones costing a few hundred bucks.

Level 13

I've seen two opposite ends of the spectrum & I think that there should be a happy medium between the two. Company "A" had an extremely strict BYOD policy...no BYOD at all and no wireless access at all on the internal network. Company "B" had no restriction whatsoever on BYOD and had no firewall or restrictions on the internal network wireless or wired network. I feel confident that there are secure ways to restrict wireless and wired access to the internal network. A guest wireless network is a must with no access to internal resources. You could use either WPA2 PSK or perhaps some kind of self-registration through captive portal. I would also recommend denying inter-user traffic on the guest network. Don't forget the wired network though. With vendors, contractors and visitors walking around, it would be easy for someone to plug into an open port & create a real problem.

As far as BYOD on the internal network, I think you need to have policies in place that only allow specific types of operating systems, and I think that certificate-based authentication is the way to go. Perhaps some kind of pre-registration portal needs to occur before the device can connect. Also, I think either an IPS or a firewall is a must to segment user VLANs from your data center/server VLANs. Perhaps the "BYOD Network" must pass through more stringent ACLs before accessing internal resources.

Level 12

BYOD denied here. Currently only on policy but we'll soon implement some form of control to prevent it. We are small enough for me to know every device that connects to our network (well, almost), so when something new is hooked, I know it.

Standardization of hardware helps a lot there too. We are 100% Lenovo/BlackBerry so when I see an iPhone or Android device or a laptop from another brand, I know it's not from us.

MVP

I understand that. There were many issues related to locking devices down with certificates, but it was needed.

About the Author
CCIE Data Center #46006. I am a passionate IT professional who splits the work hours between being a Datacenter Architect and a Network Security Specialist. Yes, I enjoy this double-personality professional life.