BYOD: How to Secure the Inevitable

by Kevin Flynn, senior product manager at Fortinet

The bring-your-own-device (BYOD) phenomenon is disruptive. It tears massive security holes into an already disintegrating perimeter. It causes IT administrators to lose sleep.

Passing fad? Not likely. In fact, research shows that if the youngest generation of workforce employees has anything to say about it, BYOD is here to stay.

A recent Fortinet study underscores that fact. It found that Gen-Y employees are coming into the workplace demanding — not requesting — that they be able to use their own smartphones and tablets for business-related functions.

With the rapid acceleration of BYOD trends, it should come as little surprise that nearly three out of four Gen-Y employees maintain they use personal mobile devices for work. And why wouldn’t they? The technological equivalent of a Swiss Army Knife, these devices hold everything near and dear to users, from photos of friends to music, maps and games.

Eating cake

Call it having their cake and eating it too, but they want all these functions on just one device. More than half of Gen-Y users consider, in no uncertain terms, the ability to bring personal devices into the office and use them for work-related tasks a right — not a privilege. In fact, that expectation is so ingrained that more than a third of users said they have gone or would go against company policy in order to use their personal mobile devices for work.

Is this attitude a testament to Gen-Y’s inflated sense of entitlement and expectation? Perhaps. But before you start pointing fingers at the younger generations, here’s something to think about: While disruptive, the concept of using your own device to lighten your workload is hardly a new one.

What’s more, throughout the decades, it’s been network-level security, not the endpoint, that has been instrumental in the transition of every disruptive trend. And because, historically, it has been the foundation of sweeping technological shifts, network security is sure to be integral in the transition to a BYOD environment.

Look at it this way: In the mid-1980s, accountants started to bring their own PCs into the workplace in order to run Lotus 1-2-3 spreadsheets that would expedite their job functions. Users in the media world did the same with Macintosh computers for desktop publishing. In addition, users even wrote these devices off as office supplies.

Needless to say, this trend did not go over well with IT administrators who preferred to maintain control at the helm of mainframes and dumb terminals. But, like it or not, IT administrators were eventually forced to adjust by crafting a network security architecture to support users’ PCs and Macs.

Flash forward a decade to the mid-1990s, and you’ll see the same thing occurring with the advent of the Internet. Employees found that they required access to the Internet for email as well as a resource for information. This, too, created new challenges for IT administrators, now forced not only to provide necessary network infrastructure, but also to support, maintain and bolster it with security mechanisms against a burgeoning crop of viruses delivered both via email attachments and over the Web. Firewalls and VPN technologies became a critical component of every organization’s network.

Flash forward

Flash forward another ten years, and you’ll see the same recurring theme, only this time with the emergence of Web 2.0. Now, instead of a one-way street, the Web enabled the free flow of communication between users, opening up worlds of possibilities for marketing, customer service and collaboration. And with the Web 2.0 phenomenon starting to gain traction, IT administrators predictably had to shift gears in order to accommodate an increasingly porous network perimeter that redefined network security as we know it. Application control and data loss prevention (DLP) technologies were soon deployed in the network.

Lessons learned

If history should be any guide, the lessons here are two-fold. Whether we know it or not, we’ve been here before. BYOD, like any other disruptive phenomenon, represents a continuation of previous trends in which the demand for technology helps shape the dynamic of workplace culture.

And looking back, those companies that accepted technology’s inexorable forward march and adapted accordingly are the ones that ultimately prospered. Those that dragged their feet either lost out to competitors or were forced to shutter their doors.

The second and perhaps most significant lesson here is that network security technology has been critical to the successful implementation of every technological change over the last four decades. And subsequently, the network is and will continue to be key to security as the IT environment continues to evolve.

Security will always surprise. Threats will change. A decade ago, who would have foreseen the proliferation of botnets? Or cyber espionage? Or the fact that almost a billion people would be putting their personal information on Facebook and other social networking platforms for the world to see?

The big takeaway is that organizations will have to think holistically if they want their IT environment to remain safe. With regard to BYOD, that means taking a unified, network-centric approach to security that will provide IT administrators a holistic view, as well as a platform on which to set and control policies, while allowing data to pass back and forth as necessary between devices.

It’s no secret that the network will become increasingly complex and difficult to manage as a greater number of disparate devices pass data through its gates. And, looking ahead, it’s only going to become more so. Taking a page out of the history books, IT professionals need to realize instead that the network provides a cornerstone for the successful and secure integration of new technologies.

Essentially, because all traffic needs to pass through the network, it is also the best place to deploy security in a BYOD world. For one, the personal nature of such devices makes platform standardization practically impossible and, if the survey responses are any indication, likely to be met with strong resistance.

To that point, a network-security-centric approach to BYOD actually provides administrators the flexibility to enable a greater variety of endpoint security approaches by serving as a central point of control for just about everything. Security mechanisms such as application control, network-based anti-malware, Wi-Fi security, VPN, two-factor authentication, DLP, URL filtering, stateful firewalling, intrusion prevention and a slew of others can only be achieved on the network and not the client.

The net-net? Network security has been and will continue to be an undeniably fundamental component for all IT functions, as BYOD and myriad other anticipated technological trends gain momentum. Holding fastidiously onto an antiquated per-user licensing model for security appliances is only going to create more challenges that will ultimately thwart the efficiency that BYOD was intended to bring in the first place.

Your approach to security needs to reflect reality in order to truly work. And those that embrace its inevitable changes, while learning the lessons of the past, will be the ones that not only survive the BYOD trend, but will prosper from it in the long run.

Kevin Flynn is a senior product manager at Fortinet, an IT security vendor.