Sunday 31 March 2013

Unleash the Full Potential of BYOD With Confidence

Read at: http://www.gartner.com/technology/media-products/newsletters/hp_networking/issue3/gartner.html

Getting Your Network Ready for BYOD

Network managers will need to add policies to their networks to gain control in bring-your-own-device environments. Here, we recommend a path from gradually allowing to fully supporting personally owned devices on the network.
Key Challenges
  • Many IT departments have little to no control over personally owned devices in today's environment.
  • The solutions that can control and secure personally owned devices (for example, mobile device management [MDM]) are still maturing.
  • Many networks don't have the capability to enforce different access zones for personally owned and corporate-owned devices.
Recommendations
  • Most organizations should begin with a "Contain" strategy, in which personally owned devices are granted limited access to the network and to a subset of corporate applications.
  • If the organization is able to gain an acceptable level of control over personally owned devices, it can migrate to an "Embrace" strategy, where these devices are granted full access to the network and to corporate applications.
Introduction
Many organizations recognize that they need to quickly evolve their support for bring your own device (BYOD) programs. A poll (see Note 1) taken during a Gartner webinar reflects this urgency. One of the questions in the poll asked:
How would you characterize your organization's position on BYOD adoption?
Attendees were asked to respond in the context of Gartner's framework for consumerization (see Figure 1, Note 1 and "Optimal Security Approaches for the Secure Use of Consumer IT," note: this research is provided for historical perspective; portions of this document may not reflect current conditions). The webinar highlighted how the framework would apply in a BYOD environment and asked participants to select one of these answers:
  • Contain = Permit some users to use some personally owned devices
  • Embrace = Permit all users to use some personally owned devices
  • Block = Prohibit all personally owned devices in the workplace
  • Disregard = Ignore the issue; do not establish any BYOD policies
Figure 1: Mapping Security Responses to Risk and Business Value (image not reproduced)
Source: Gartner (September 2012)
Table 1. Results of BYOD Webinar Survey

Strategy     Today    In Three Years
Contain      46.7%    35.7%
Embrace      30.5%    61.2%
Block        15.2%     3.0%
Disregard     7.6%     0.0%

Source: Gartner (September 2012)
The polling results (see Note 3) reflect that, today, many organizations (46.7%) favor a Contain approach for BYOD. However, in three years' time, a clear majority (61.2%) would favor the Embrace approach. Network managers must enable this shift in their organizations by preparing their networks to securely support the widespread use of personally owned devices. Here, we provide sample policies and suggested network access levels for a Contain environment as well as an Embrace environment. Then, we provide recommendations for migrating from a Contain to an Embrace scenario.
Analysis
Contain
Here, we present Gartner's recommendations for enabling an environment where some employees can use some personally owned devices.
Sample Access Control Policies
Define which internal applications (and data) can be accessed from personally owned devices, and which will be blocked. For example:
  • Allow Internet access
  • Allow access to email, calendar and contacts (such as via Exchange ActiveSync)
  • Allow access to some corporate applications
  • Block access to sensitive intellectual property and data
Recommended Network Access Level
Create a limited access zone (LAZ) to restrict access to applications and data. The LAZ should, at a minimum, support wireless LAN access, although it may need to be extended to the wired LAN and should use one or more of the policy enforcement points we suggest. These options can be used to limit access according to the user's role (by integrating with Active Directory):
  • Server-Based Computing (such as Citrix and Windows Terminal Server)
  • SSL VPN
  • Virtualized desktop infrastructure (VDI)
  • Firewall, wireless controller or any Layer 3 network component that accepts access control lists (ACLs)
Justification
Personally owned devices that lack management and security controls present risks of:
  • Data Loss – Organizations that have invested in content-aware data loss prevention (DLP) solutions for endpoints face challenges when pressured to allow BYOD initiatives. DLP vendors offer fewer choices for tablets and smartphones. Where solutions are available, they are generally not as robust as for Microsoft-Windows-based platforms. If DLP has not been enabled on personally owned devices, users should be prevented from accessing and storing sensitive data on them.
  • Malware – Personally owned Windows laptops are more likely to be compromised by malware than corporate-owned and corporate-managed laptops. Malware is also a risk for OS X (such as Flashback) and for tablets and smartphones (for example, Google has removed malware-compromised apps from the Android Marketplace).
Embrace
Here, we present Gartner's recommendations for enabling an environment where all employees can use some personally owned devices.
Sample Endpoint Control and Security Policies
In an Embrace scenario, the objective is to create policies that enable the IT organization to gain an acceptable level of control over the personally owned endpoint. The degree of control depends on the organization's security stance. Sample policies include (some or all policies may apply):
  • Require MDM agents for tablets and smartphones
  • Require DLP agents for tablets and smartphones
  • Maintain current OS levels and patches for Windows PCs and Apple OS X devices
  • Require security agents for Windows PCs and OS X devices (for example, network access control [NAC], endpoint protection platform [EPP] and DLP)
Recommended Network Access Level
Allow personally owned endpoints that are compliant with security policies to access the corporate network.
Justification
  • Because the organization has applied security controls to personally owned devices, these endpoints can be granted the same level of network access and application access as corporate-owned and corporate-managed PCs.
  • Even with our suggested security controls, organizations will not have the same level of control over personally owned devices as they have for Windows PCs (this is particularly true for organizations that denied users administrative access to Windows). Security-conscious organizations should consider a stronger focus on network security monitoring to compensate for the decrease in endpoint security controls.
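As an added example (not code from the Gartner note or from the blog), the Contain access policies and limited access zone described above, together with the compliance-gated Embrace level, expressed as a small NAC-style policy decision; the destination names, the Device and User fields and the role sets are assumptions made for illustration:

```python
# Added example (not from the Gartner note): NAC-style policy decision for the
# Contain and Embrace levels. Destination names and Device/User fields are assumed.
from dataclasses import dataclass, field

INTERNET, MAIL, CORP_APP, SENSITIVE = "internet", "activesync", "corp_app", "sensitive_data"
LAZ_ALLOWED = {INTERNET, MAIL, CORP_APP}   # limited access zone under Contain

@dataclass
class Device:
    owner: str            # "corporate" or "personal"
    kind: str             # "mobile" (tablet/smartphone) or "pc" (Windows/OS X)
    mdm: bool = False     # MDM agent enrolled (mobiles)
    dlp: bool = False     # DLP agent present
    patched: bool = False # OS and patches current (PCs)
    epp: bool = False     # endpoint protection platform agent (PCs)

@dataclass
class User:
    roles: set = field(default_factory=set)  # directory (AD) group memberships

def is_compliant(d: Device) -> bool:
    # Embrace endpoint policy: MDM + DLP on mobiles; patches + EPP + DLP on PCs.
    if d.kind == "mobile":
        return d.mdm and d.dlp
    return d.patched and d.epp and d.dlp

def assign_zone(d: Device, strategy: str) -> str:
    # Corporate-managed devices get full access. A personal device gets full
    # access only under Embrace and only when compliant; otherwise it is in the LAZ.
    if d.owner == "corporate":
        return "full"
    if strategy == "embrace" and is_compliant(d):
        return "full"
    return "laz"

def decide(d: Device, u: User, dest: str, strategy: str, app_roles=frozenset()) -> bool:
    # Allow/deny one access. In the LAZ, sensitive data is always blocked and a
    # corporate application is reachable only for users in one of its allowed roles.
    if assign_zone(d, strategy) == "full":
        return True
    if dest not in LAZ_ALLOWED:
        return False
    if dest == CORP_APP:
        return bool(u.roles & set(app_roles))
    return True
```

In practice the "zone" result would be pushed to the enforcement point (ACL on a firewall or wireless controller, SSL VPN or terminal server) rather than evaluated per request in application code.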
Moving From Contain to Embrace
Many organizations face a large gap in moving from a Contain environment to an Embrace environment in BYOD. The challenges are technical as well as cultural, and network security professionals need to prepare on both fronts. Gartner recommends:
  • Gain CIO Support – Gain support from the CIO to use NAC policies for controlling the access of personally owned devices. Adopting an Embrace philosophy for BYOD requires that the organization gain some level of visibility and control over personally owned devices, a requirement that will have a huge impact on IT culture and corporate culture. CIOs will need to drive the mandate to establish an appropriate level of control over personal devices and to control the level of network access.
  • Partner With the Mobile Team – In large enterprises, the mobile team drives BYOD projects. The network security team should be part of the overall project team that defines how BYOD will be supported. NAC should be an integral component of the overall architecture, so that the network has the ability to restrict access to devices that are noncompliant with BYOD policies.
  • Begin With Basic Contain Policies – For many organizations, the first step in a Contain strategy will be to implement network authentication for preventing personally owned devices from accessing the corporate network. Initially, these devices may only be granted access to the Internet and to email, calendars and contacts (typically via ActiveSync). Once the solution and the operational processes (such as troubleshooting failed authentications) have matured, the NAC/BYOD team can add more advanced capabilities – for example, adding an SSL VPN gateway or a terminal server to control access to selected corporate applications based on the user's role.
  • Slowly Evolve to an Embrace Approach – Once the organization has gained an acceptable level of control over personally owned endpoints (for example, NAC and MDM integration), it can begin to implement the network policies that will lead to an Embrace environment. Use a phased approach to slowly add personally owned devices to the corporate network.
Note 1
Webinar – Protect Your Network in the Era of BYOD
On 6 September 2012, Gartner presented two webinars, "Protect Your Network in the Era of BYOD." Both webinars included several polling questions on the topic of employees using personally owned devices for work.
Note 2
Explanation of Block, Contain, Disregard and Embrace Strategies
As defined in "Optimal Security Approaches for the Secure Use of Consumer IT" (note: This research is provided for historical perspective; portions of this document may not reflect current conditions), the strategies are:
  • Block (or ban) the use of consumer-grade products or services by explicitly prohibiting their use in an appropriate policy; then enforce the policy by scanning for use or blocking port numbers or device drivers. Blocking is possible, but unpopular. Influential users, such as executives, will push for exceptions, forcing the IT department to move to another action on this list. However, there will always be some applications that are too sensitive, or some consumer technologies that are too unsafe, to use. A common example of a blocked consumer technology is peer-to-peer file sharing.
  • Contain actively accepts and facilitates use in well-defined situations, and in some cases implements controls to prevent the use of the consumer technology. This approach costs money, but enables the IT department to request a budget to manage and audit device configurations and performance. SSL VPNs are an early example of a Contain approach, because they enable the controlled connection of consumer devices to the corporate network. NAC for guest networking is a more recent example.
  • Disregard essentially means "pretending" that the consumerization trend doesn't affect you, or at least not actively looking to see whether consumer technologies are in use. This is generally an unacceptable approach, except for areas of no business criticality, because it provides no support for the confidentiality, integrity, audit and availability levels required by the business. However, just as most enterprises don't really care which particular model of mobile phone or calculator employees use, there will always be some areas in which Disregard is the preferred approach.
  • Embrace refers to the IT organization incorporating consumer-grade technology (or enterprise versions of consumer products/services) and promoting, delivering and supporting it just like any other IT-delivered product or service. This requires discipline for the IT department to request the budget to manage and audit device configurations and performance. Essentially, this approach adds enough security to make the use safe, but requires funding to do so.
Note 3
Details on Polling Question Sample Size
Table 1 represents the answers from these two questions:
  • 1. How would you characterize your organization's position on BYOD adoption today?
    • 105 attendees responded (the total is from both sessions)
  • 2. How would you characterize your organization's position on BYOD adoption in three years?
    • 98 attendees responded (the total is from both sessions)

Source: Gartner Research, G00232671, Lawrence Orans, 28 September 2012