Justin Chiah, Director and General Manager, South East Asia and Taiwan at Hewlett Packard and Aruba Networks, discusses how Adaptive Trust Defense allows business organizations and IT teams to take a strategic approach to addressing the critical network access security challenges that BYOD and IoT bring.
A Strategic Approach to BYOD in the Workplace
Staff working remotely away from the office was pretty much unheard of just 20 years ago. Today, easily accessible Internet connections, highly capable connected devices, collaboration tools and social networking applications allow us to communicate and work together in many ways.
We are now into another major trend shift in the workplace, and that is of workers bringing their own personal devices to use at work. It may seem risky for business organizations at first, what with data security, unstable devices and devices infected by computer viruses. However, there is actually a lot of potential and opportunities for business organizations to reap benefits from this trend.
For one, many consumer personal devices are faster and more powerful than office hardware designed for business users. Consumer devices are designed to run complex applications and graphic intensive visuals. They are meant to be powerful so that they can work with the latest videos and games. Business devices or devices marketed to IT normally do not have very high specs as they only need to run business software like spreadsheets, word processing, and occasionally, presentation software.
Also, users are generally very familiar with their personal connected devices. These devices are part of their lifestyle. They use them to communicate with their loved ones, for entertainment, to get the latest information on anything that they care about. Now, if they also use the same devices for work, it would be ideal.
The main concern for many IT teams, understandably, is security. Personal devices bring a raft of corporate security risks. As mentioned, there is a potential for corporate data and network security to be compromised. Furthermore, younger workers who grew up in the era of the Internet and mobile phones tend to be more lax in their attitude towards security. In a recent survey[1] we conducted, the GenMobile workforce was found to give little thought to security when sharing everything – connected devices, information, etc.
One way businesses can build a GenMobile-ready network is by starting from inside the perimeter. Business organizations can leverage known, contextual data that they can trust – a person’s role inside the organization, the devices and apps they use, and their physical location – to create policies that fortify network security, adapt to mobility needs and adapt to employee-owned devices. At Aruba, we call this approach the Adaptive Trust Defense. It essentially turns legacy perimeter security inside out. Adaptive Trust solves some critical network access security challenges.
Some key considerations for businesses exploring Adaptive Trust:
1) Differing levels of engagement
Users who are not technically adept require helpdesk assistance when connecting to a corporate network or with performance and other application issues, oftentimes overwhelming these helpdesks.
On the other end of the spectrum are employees who realize that they can use the same network credentials to gain access to the corporate network for their personal device. These unmanaged mobile devices can expose corporate data and services to intrusion.
The most important task for networks is the differentiation of employee-owned devices and IT-supplied hardware. Most networks have two portals: one for personal devices (guests) and one for corporate use. If personal devices are to log in as guest users only, it would be cumbersome as this would probably mean daily re-authentication.
To solve this, an identification method that distinguishes between personal (not guest) and corporate devices should be implemented, allowing automated authentication and classification of devices for various access levels. IT administrators are then able to keep track of and manage the proliferation of devices, and can respond quickly if an unwanted network intrusion occurs.
2) A self-configuration model
Another challenge is the configuration of personal devices where security measures often differ from the standard IT-supplied devices. Many personal mobile devices are live, with no password required for access to the device. Credentials are already stored on the device for automatic authentication when the corporate network is detected. This creates difficulties as there is no guarantee that the personal devices are in the hands of their owners.
Additionally, having configuration for inside-the-firewall access increases the risk of corporate server penetration, especially with malware and Trojans being increasingly common on devices. Corporate data is significantly at risk, especially if these unwanted viruses enter the corporate network.
While it is possible to allow self-configuration of employee-owned devices by publishing guidelines and instructions for connection to and authentication with corporate networks, most IT groups prefer a more controlled approach.
For instance, an authentication portal for employees’ easy reference when connecting a new device to the corporate network would be helpful. The network prepares a unique self-install configuration profile for a particular user’s device and the user is offered a single button to click for execution.
This approach accomplishes a number of goals: It is easy for the user, reduces the risk of errors during manual configuration, allows secure self-registration and incorporates mutual authentication which allows the network to confirm the user’s identity. It also allows the device to use the EAP-TLS authentication protocol, avoiding repeated entry of username and password while maintaining full security. The certificate enables IT staff to track and audit logs to follow the device’s history through the network. IT can also disable corporate network access for any device that is reported lost or stolen.
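The context-based classification and certificate handling described above can be sketched as a small policy function. This is an added example, not Aruba's code or part of the original article; the tier names, role values and certificate serial are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: serials of client certificates issued to
# devices that were later reported lost or stolen.
REVOKED_SERIALS = {"0x5A17"}


@dataclass(frozen=True)
class AccessRequest:
    user_role: Optional[str]    # role inside the organization; None if unknown
    device_owner: str           # "corporate" (IT-supplied) or "personal"
    cert_serial: Optional[str]  # serial of the EAP-TLS client certificate, if onboarded
    location: str               # "office" or "remote"


def decide_access(req: AccessRequest) -> str:
    """Map role, device and location context to a hypothetical access tier."""
    # A revoked certificate loses access no matter who is holding the device.
    if req.cert_serial in REVOKED_SERIALS:
        return "deny"
    # No onboarded certificate or no known role: guest portal only.
    if req.cert_serial is None or req.user_role is None:
        return "guest"
    # IT-supplied hardware: full access on site, reduced scope elsewhere.
    if req.device_owner == "corporate":
        return "corporate-full" if req.location == "office" else "corporate-remote"
    # Onboarded employee-owned device: not a guest, but not full access either.
    if req.device_owner == "personal":
        return "byod-restricted"
    # Unrecognized ownership value: fail closed.
    return "deny"
```

Because the decision keys on the certificate serial and not on a stored password, revoking one serial cuts off a single lost device without forcing the user to change credentials on their other devices.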
3) Alleviating workload
Finally, the biggest challenge is that of managing network workload. Employees using resources on the corporate server for personal reasons, like video calling and online streaming, tend to take up bandwidth and inhibit productive work. IT administrators must be given a way to identify and monitor these personal devices to enable effective troubleshooting.
For example, IT may be offered the ability to blacklist devices. This adds another layer of security as IT can blacklist stolen devices to prevent them from being re-registered for access to the corporate network. Additionally, automated control of network traffic can be made available to allow for flexible management and to deter network overload.
Many IT teams are faced with overwhelming demand to support personal devices on their corporate network. After all, we are now living in a time where personal mobile devices have become part of our lifestyle. Many people carry several connected devices with them everywhere they go.
Business organizations that are prepared for the BYOD trend have in place a network infrastructure that is designed to offer comprehensive management and control over employee-owned mobile devices in the workplace: one that is strongly positioned to capitalize on productivity-enhancing services and allows for the systematic integration of personal devices into a corporate infrastructure. Most importantly, it is a network infrastructure that allows for the managing of user behavior, that eases self-service configuration whilst maintaining security, and that allows for automated network management.
[1] Aruba Networks – Are you ready for #GenMobile? (Survey Report APAC)