September 08, 2012, 7:45 AM — This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
With the Bring Your Own Device (BYOD) movement quickly becoming an accepted norm, IT needs to better understand how it impacts all aspects of the corporate network security strategy.
BYOD is another technology trend that moves a company from a position of risk avoidance to risk management. Where many IT organizations get it wrong is they focus on only one piece of the puzzle - like the device. If organizations want to minimize the risks of BYOD, they need to assess the impact on the network security ecosystem and understand the big and small weaknesses it creates.
Here are 10 tips for implementing BYOD securely and effectively within the enterprise, while fostering secure, remote access to business critical information:
1. Go Beyond Passwords to Authentication. Static passwords, combined with the risks of BYOD, are not enough to ensure secure remote access to sensitive business data and systems. Companies should consider multi-factor authentication methods to strengthen security while continuing to prioritize usability. One-time passwords and alternate notification methods (e.g. text messages) are two ways to make the authentication process holistically stronger.
2. Secure Remote Access with SSL-Based VPN. Once you have authenticated a user, companies must secure the network connection. SSL VPN gives employees enormous flexibility to access the network securely from any location and from any mobile device. Furthermore, unlike IPSec, SSL VPN provides secure remote connectivity without the need for software to be installed on each device.
3. SSO for Password Fatigue. Separate logins for individual applications are both a hassle and a security risk, as users may deploy insecure methods for keeping up with different passwords. Single sign on (SSO) tools let employees use a single password to access a portal of company and cloud applications, and can be part of an SSL VPN configuration.
4. End Node Control. Once an employee leaves the company, network access should leave right along with them. However, that is not always the case unless there is a way to instantly and effectively block specific users. Find a solution that manages devices from the corporate side, not just the employee side, and allows you to quickly remove a specific user's access privileges with a few keystrokes. This should be accomplished without requiring redefinition of the entire user base, which is both time-consuming and prone to error.
5. Applying a Federated ID. Federated ID simply means that the person's identity is stored across multiple systems, such as when you use Facebook or Twitter to log in to another account online. The same works for your organization, where you authenticate a user, and then allow them access across internal and external systems that you manage. Federated IDs allow single sign-on for the employee. What are the benefits? The employee logs in to any approved system easily, the corporation controls access even to cloud-based applications, and the service provider does not need to maintain user profiles.
6. Soft tokens with BYOD. Physical security devices have become risky and cumbersome. BYOD represents a wonderful opportunity for enterprises to save money on the costs of buying, managing and distributing hard tokens or other physical devices. Soft security tokens that interact with the employee device, such as a smartphone, provide an "ergonomic" solution that works for both parties, and can be easily updated and managed as the threat landscape changes.
7. Manage the Entire Process. The risks of BYOD make it even more critical to have a centralized view of network activity, incoming threats and abnormalities within the network, as well as the ability to quickly and easily respond. It is important to find a centralized management console that provides comprehensive reporting, incident process management, progressive multichannel alerting, geotagged statistics and the ability to apply governance across the entire platform.
8. Appoint a Leader, Execute a Strategy. Management of a BYOD strategy should not be a responsibility that's lumped in with the hundreds of other tasks that IT manages. Appoint a cross-functional leader who will oversee the policies, guidelines, roles and duties of the various departments that are involved with executing a BYOD strategy. This person will be responsible for determining every aspect of BYOD within the enterprise, including what devices will be allowed, what departments will support them and who pays for support, service, data plans, etc.
9. Have a policy. No matter who owns the device, employees must abide by corporate information security protocols if they are using the device for business. A BYOD policy should cover the basics like requiring an auto-locking capability and a personal identification number (PIN) as well as support encryption and remote wipe in case of theft. The policy should also cover what types of data can and can't be stored on the device, what to do if it's stolen, and acceptable and unacceptable backup processes. Most importantly, having a written user agreement policy and communicating regularly the importance of following security procedures when using their devices is critical.
10. Encourage common sense. Don't assume employees will use common sense - reinforce it. Regularly review even the most obvious mobile device security measures, like what to do if a device is lost or stolen, regular device updates, locking devices when not in use and using discretion with downloads.
Following these tips will enable you to embrace BYOD while safeguarding your existing security ecosystem.
Stonesoft provides mid- and large-sized organizations software-based network security solutions, which include the industry's first evasion prevention system (EPS), the industry's first transformable Security Engine as well as standalone next generation firewalls, intrusion prevention systems and SLL VPN solutions.
Read more about anti-malware in Network World's Anti-malware section.