Best Practices for BYOD on a Budget

by Jim MacLeod, Product Manager at WildPackets

While the bring-your-own-device (BYOD) to work is a growing trend within the IT world, the main issue is that consumer-friendly technology is changing the way people want to work. Smartphones have provided mobile email for a decade, but the market has moved from business phones complete with corporate controls to consumer devices.

True mobile productivity is here

More recently, tablets have enabled comfortable Internet access anywhere, with sophisticated applications that allow true mobile productivity. However, increasing reliance on mobile devices is creating increasing demands on IT to support and secure devices.

Some businesses have embraced BYOD arguing that employee-owned equipment for business usage could save the company money, but there is not a definitive answer on this yet. The savings on hardware may turn into increased IT costs; initially by creating BYOD-friendly infrastructure and supporting an ever expanding variety of hardware, OSes, and apps.

There are also security concerns of non-corporate equipment accessing the company network and data. It easy to fall into the trap of approving a capital expense now on the uncertain promise of operational expense reduction. Fortunately, pilot programs don’t have to be expensive, and can help uncover the hidden costs for each unique business.

Consumer devices are better

While there are undoubtedly security risks associated with BYOD, this practice is inevitable given that consumer devices are simply better, faster, and usually less expensive than business-grade. With the speed at which consumer technology advance, businesses employing BYOD don’t have to wait three years for equipment to depreciate before it can be replaced.

We are transitioning into a mobilized and interconnected workplace where employees can and will bring the hottest gizmos and gadgets into the work environment even if current company security policy forbids it.

So, with BYOD becoming an inescapable reality, how can businesses embrace it without having to completely overhaul their security system? What follows are several ways to start implementing BYOD securely onto a network without having to buy the next shiny business security tool.

Make BYOD easy

Telling employees not to bring their own devices, or enacting a complicated policy to discourage the practice, is a guaranteed way to encourage employees to bypass restrictions. Don’t try to convolute the processes of allowing employees to bring their devices to work. Simplicity provides better voluntary compliance in the end. With BYOD, if there is an easy process for users to get online, they will typically agree to the additional conditions that make it easier for IT to manage these new devices.

BYOD problems are similar to those of VPN deployment: devices that connect to your network may spend time on other networks. For this reason, start addressing the BYOD problem by using a VPN. Create a new Wi-Fi SSID, or re-use a “guest” SSID, which will be a subnet in an outbound DMZ, the middle ground between an organization’s trusted internal network and an untrusted, external network.

This will make access to the internal network only available via VPN, which leverages the security lessons learned from VPN deployment, and monitors inbound VPN connections. That subnet should also have Internet access — assuming that the corporate network does too — so employees will be willing to use it rather than trying to bypass it.

This creates a single (logical) location where all of the BYOD devices will congregate, and where network security can be applied. By providing a BYOD SSID, the devices have access to your high-speed Internet connection, so employees are less likely to connect via cellular connection while at work. It also means that their communication will pass through any network-level detection systems, increasing the chances of detecting virus or botnet behavior without requiring an agent on the system.

A BYOD network extends the protections of the corporate network to these devices, while simultaneously protecting the core network from them.

If there are security concerns about corporate data, or if mobile devices don’t support a VPN connection, it’s probably sufficient to provide BYOD access only to email. Email is the primary method of electronic communication among most employees, who will often send documents to each other via email even if collaboration servers are available.

Fortunately, email is one of the easiest services to deploy securely. Microsoft Exchange provides Exchange ActiveSync (EAS), which most mobile devices support. Non-Exchange networks can also provide remote email via encrypted POP or IMAP along with encrypted and authenticated SMTP.

Another low-effort high-value way to provide network access without significant additional risk is to use full-screen remote logins, like Remote Desktop (RDP) on Windows or VNC on all platforms. These remote access tools are especially powerful if the company has already deployed virtual desktop (VDI), similar to Citrix or Windows Terminal Server.

BYOD essentially becomes a mobile thin client, with the dual advantages of convenient user access and centralized data control. The data is on the corporate network and not on the BYOD side, so even if the device is lost, there’s no data exposure risk.