Bridging the Gap between BYOD and Policy Enforcement
May 16, 2012
Best practices preach that security policies should be applied consistently across an entire distributed agency. However, the Bring Your Own Device (BYOD) trend is making this harder than before: not only are employees bringing a vast array of disparate wireless devices to work, they also want to connect from anywhere, with any device, and often expect to reach the cloud. Additionally, contractors continue to need access to government network resources, and there is cross-department access and information sharing between agencies. These demands put increasing pressure on government CIOs. This diversity also means the weakest link in security policy enforcement could exist almost anywhere in the agency infrastructure. Many CIOs are wondering how they can accommodate the exponential growth of new devices and applications on their agency network in real time, and how to secure, determine and manage who, what, when, where, how and how many users and devices access that network.
So what technologies are available today for CIOs to bridge the gap and strike a good balance between the BYOD craze and uniform distributed policy enforcement and compliance management?
CIOs permitting BYOD in their respective agencies should automate the process of registering and tracking mobile devices based on device type, user authentication and risk status. There are some unique solutions available in the marketplace today – such as Cisco Identity Services Engine (ISE) – that enable self-registration of the device and eliminate the need for employees, contractors or guest users to deal with an IT help desk. Cisco ISE allows agencies to create and enforce security and access policies for the various endpoint devices connected to the agency network. You might recall that I attended the Cisco Summit a couple of weeks ago; their demonstration of this capability, which offers the ability to quarantine an ‘unknown device’ until it has been properly assimilated into the environment based on policy or rules, was quite impressive. Today, an agency that doesn’t have that kind of discovery tool in its wireless network will either put the enterprise at risk by opening it up for usability, or fall back on a manual procedure in which users meet with an on-site team to be ‘allowed’ access. Both approaches are burdensome and not realistically achievable given the number of devices entering and leaving an agency daily.
As part of the BYOD strategy, CIOs need to have a good handle on device management. Mobile Device Management (MDM) solutions like AirWatch or MobileIron let agencies assess devices for high-risk factors such as jail-breaking or the use of non-approved rogue applications like YouTube or Angry Birds. MDM solutions are very effective in managing the complete life cycle of a user’s handheld device, including device configuration, asset management, remote wipe and restore.
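To make the two preceding paragraphs concrete, here is an added example (not code from Cisco ISE, AirWatch, MobileIron or any product named on this page) of the access decision an onboarding system has to make: a device report carrying registration status, user authentication and MDM-reported posture is matched against an ordered rule set and lands in allow, quarantine or deny, with the quarantine state pointing the device at an onboarding or remediation segment. Every field name, rule, VLAN label and sample device below is constructed for illustration.

```python
"""Toy BYOD network-access policy evaluator (illustrative, not a vendor API).

A device that appears on the network is matched against a small, ordered
rule set built from its registration status, user authentication and the
risk posture reported by MDM. First matching rule wins. Outcomes:
  allow      -> placed on the segment appropriate to the user's role
  quarantine -> onboarding/remediation segment that only reaches the
                self-registration portal or MDM (the 'unknown device' case)
  deny       -> no network access
All identifiers, VLAN names and sample devices are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"

# Hypothetical agency list of consumer apps not approved on enrolled devices.
NON_APPROVED_APPS = frozenset({"com.google.android.youtube", "com.rovio.angrybirds"})


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    device_type: str             # e.g. "ios", "android", "windows_laptop"
    registered: bool             # completed self-registration?
    user_authenticated: bool     # user passed 802.1X / portal authentication?
    mdm_enrolled: bool           # device is under MDM control?
    jailbroken: bool = False     # MDM-reported jailbreak/root status
    installed_apps: frozenset = frozenset()  # MDM-reported app inventory
    user_role: str = "employee"  # employee | contractor | guest


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    network: str                 # segment the device is placed on


# Ordered rules: (name, predicate, decision). Deny rules come first so that a
# jailbroken guest device is still refused; quarantine rules come before
# allow rules so an unregistered device never reaches a production segment.
RULES = [
    ("unauthenticated-user", lambda d: not d.user_authenticated,
     Decision(DENY, "user could not be authenticated", "none")),
    ("jailbroken-device", lambda d: d.jailbroken,
     Decision(DENY, "MDM reports jailbroken/rooted device", "none")),
    ("unknown-device", lambda d: not d.registered,
     Decision(QUARANTINE, "device not registered; redirect to self-registration portal",
              "vlan-onboarding")),
    ("guest", lambda d: d.user_role == "guest",
     Decision(ALLOW, "guest: internet-only segment", "vlan-guest")),
    ("not-mdm-enrolled", lambda d: not d.mdm_enrolled,
     Decision(QUARANTINE, "registered but not under MDM; enrol before access",
              "vlan-onboarding")),
    ("non-approved-apps", lambda d: bool(d.installed_apps & NON_APPROVED_APPS),
     Decision(QUARANTINE, "non-approved application present; remediate via MDM",
              "vlan-remediation")),
    ("contractor", lambda d: d.user_role == "contractor",
     Decision(ALLOW, "contractor: restricted partner segment", "vlan-partner")),
]
DEFAULT = Decision(ALLOW, "compliant employee device", "vlan-corp")


def evaluate(device: DeviceReport) -> tuple[str, Decision]:
    """Return (matched rule name, Decision) for one device report."""
    for name, predicate, decision in RULES:
        if predicate(device):
            return name, decision
    return "default", DEFAULT


def triage(reports: list[DeviceReport]) -> dict[str, list[str]]:
    """Group device ids by outcome: the summary view an administrator checks."""
    out: dict[str, list[str]] = {ALLOW: [], QUARANTINE: [], DENY: []}
    for report in reports:
        _, decision = evaluate(report)
        out[decision.action].append(report.device_id)
    return out


# Constructed sample reports covering each branch of the policy.
SAMPLE_REPORTS = [
    DeviceReport("emp-ipad-01", "ios", True, True, True),
    DeviceReport("new-phone-77", "android", False, True, False),
    DeviceReport("rooted-02", "android", True, True, True, jailbroken=True),
    DeviceReport("emp-droid-05", "android", True, True, True,
                 installed_apps=frozenset({"com.rovio.angrybirds"})),
    DeviceReport("guest-laptop", "windows_laptop", True, True, False, user_role="guest"),
    DeviceReport("ctr-laptop-9", "windows_laptop", True, True, True, user_role="contractor"),
    DeviceReport("badcreds-3", "ios", True, False, False),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        rule, d = evaluate(r)
        print(f"{r.device_id:14} {d.action:10} {d.network:16} ({rule}: {d.reason})")
```

The point of expressing the policy as an ordered list rather than nested conditionals is that the order itself is the security decision: deny conditions are checked before any allow, and the unregistered device is diverted to the onboarding segment before any role-based rule can grant it access. Reviewing that order is the check to make whenever a rule is added.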
What other management tools are already out there or are coming soon? Cisco Prime is a tool that provides end-to-end visibility into applications, services, users and devices across the network, and also allows administrators to correlate user identity with policy. The advances over just a year or two ago are tremendous. Other leading vendors like Symantec have come out with many effective solutions for data loss prevention (DLP) and endpoint security for mobile devices. These solutions help prevent confidential information, such as sensitive PII, from moving to or from mobile devices or unauthorized, non-approved storage locations – the kind of storage we might use personally, but which in the enterprise represents a serious breach of data security.
There is no doubt that BYOD brings several benefits and cost savings to agencies. With those benefits, however, come risk and vulnerability. Agency CIOs need to enforce strict policies and make sure compliance requirements are being met. The supporting policies have to be clearly spelled out, should be easy to understand, and should be automated and enforced by tools like those I mentioned above. Agencies need to bridge the gap and implement solutions for password protection, data encryption, 802.1X authentication using secure VPN, data leakage prevention, device monitoring, remote wipe, continuous monitoring and e-discovery. The devices are coming into the workplace – this is unavoidable – but agencies can manage how they approach their use. As a CIO, you might not be ‘ahead’ of the influx of devices, but with the technologies available today it is possible to manage your security efficiently and cost-effectively. Let me know your thoughts. Follow me on Twitter at @GTSI_Architect.