The Bring Your Own Device (BYOD) movement and its challenges to enterprises were discussed on July 26, 2012, at an OpenLab: Junos Center for Innovation (Bridgewater) meeting entitled “Smartphones and Tablets — Can They Be Secured?”
While the speakers confessed to having a love-hate relationship with the movement, all agreed it was here to stay and, more important, enterprises should determine how to deal with it.
Of course, the speakers offered their own solutions for companies. For example, Juniper has its own product — the Junos Pulse Mobile Security Suite — aimed at the BYOD crowd. Rodney Dilts, director of security technology at AT&T (Washington, D.C.), said the carrier had worked with Juniper to integrate the product into the AT&T network and now offers enterprise users a co-branded mobile security suite.
Companies are embracing BYOD because employees, especially younger ones, are more comfortable bringing devices they have selected themselves to the workplace, said Gregg Martin, director of mobile security at FishNet Security (Overland Park, Kan.).
While many executives believe BYOD saves companies money, in reality it doesn’t, Martin said, because the devices have to be managed. However, letting employees bring their own devices could make them more productive, and that’s what enterprises ultimately want, he added.
A multitude of devices presents serious challenges to the stability of a company’s IT infrastructure, said Dan Hoffman, chief mobile security evangelist at Juniper. He presented a host of statistics from the Juniper Networks Mobile Threat Center (Columbus, Ohio) proving that attacks on Android devices are increasing exponentially.
Hoffman was asked about iOS devices: are they more secure? “We don’t hear a lot about Apple. While we have a free security market for Android, there is no equivalent data for Apple,” he replied.
Martin later added that Apple has some obvious security concerns regarding Siri. For example, even if you use a passcode with your device, you can ask Siri to make a phone call for you without entering the code, he noted. Thus, anyone who picks up your device can ask Siri to make a call, he said.
Another Apple-related security concern involves third-party apps. An employee can open a document containing sensitive corporate information, save it to another app, such as GoodReader, then back it up to iCloud. Even if a company wipes the user’s phone once he or she leaves its employ, the former employee may be able to recover the document from the cloud.
The most pressing problem for Android phones is spyware, Hoffman continued. “You install an innocent-looking game, and it takes your email contacts, financial information and sensitive work information.” Some games can even send covert SMS messages and make outgoing phone calls, allowing others to listen in on confidential work conversations.
Yet while all this threatens enterprises, it’s also a problem when marketplace solutions “make phones unusable, with too much security” on the device itself, said Dilts.
AT&T has worked with Juniper to address this issue. “We have a network-based concept. We believe in letting users go about their business while a security policy protects them in the network,” he explained.
It used to be that corporations would require their laptops to have antivirus software installed, Dilts said. But you can’t put bloated security software on a smartphone. That kind of software will slow the user down too much, he noted.
In the co-branded solution, Juniper has developed a lean “client” residing on the smartphone that works with AT&T’s network. The client performs device management, provides the identity of both the user and the device and has some lightweight antivirus and anti-malware protection. “It also has a vehicle, so the network can hook into the client,” Dilts said.
All the heavy lifting for security is done in the network application layers above the client. When the device is connected to the enterprise, it has to follow the protocols the enterprise has established. Maybe the enterprise doesn’t want users to access some websites while they are hooked into the client’s servers. Or perhaps there are specific applications that employees can access only when connected to the enterprise.
If users have downloaded a malicious application and then try to connect to the enterprise, “they may get the message ‘You’ve been disconnected from the enterprise because we believe you may have downloaded a malicious app’ or something like that. The idea is that the network is seeing these things, taking some smart action and then notifying the user and the system administrator,” Dilts said.
There is some controversy about what a company has the right to do with a device an employee owns, Dilts said. Firms have been known to wipe all user data from devices, even when those devices are technically not owned by them.
However, most companies work on the following theory: the device can do anything it wants when not connected to the enterprise, but once it is, the firm has the right to know whether the device is still solid.