BYOD 2.0: A more secure workplace

People have become very attached to their mobile devices. They customise them, surf the web, play games, watch movies, shop, and often completely manage their lives with these always-connected devices.

With the global mobile workforce expected to increase to 1.2 billion by the end of 2013 —a figure that will represent about 35 percent of the worldwide workforce— mobile technology is set to become the leading driver of innovation in both our personal and professional lives for many years to come.

“The Mobile Nation”, a report released by Deloitte Access Economics and commissioned by the Australian Mobile Telecommunications Association (AMTA) has also estimated the productivity benefit of mobile technologies to reach AUD$11.8 billion for the period of 2012 to 2025.

It found that employees are driving the adoption of mobile more than the IT department, with employees seeking to use their own mobile devices (such as smartphones and tablets) at work, driving the Bring-Your-Own-Device (BYOD) trend. In addition, the report also found that mobile technology is increasingly becoming the most important method of interaction between businesses and their customers; making it a key platform for marketing, sales, and delivery of new mobile services.

While many organisations are reporting increased productivity and employee satisfaction at work as a result of their BYOD strategies, regardless of the reported convenience and flexibility, there are still a number of potential pitfalls companies need to be aware of when rolling out BYOD policies.

Some of the key concerns include the associated risks the corporate infrastructure becomes exposed to through BYOD practices. Applying appropriate security measures across different devices from multiple vendors, running different platforms is becoming increasingly difficult. Especially so, when allowing unmanaged and potentially unsecured personal devices access to sensitive, proprietary information.

Organisations need dynamic policy enforcement to govern the way they now lock down data and applications. As with laptops, if an employee logs in to the corporate data centre from a compromised mobile device harbouring rootkits, keyloggers, or other forms of malware, then that employee becomes as much a risk as a hacker with direct access to the corporate data centre.

CIO challenges

The most important problem faced by an organisation today is data security. BYOD increases the risk of data theft, leakage and malware intrusion caused by a machine connected to an enterprise network. If each employee introduces more than one device to the corporate infrastructure, then the overall number of devices increases tremendously.

This not only complicates things for the IT department, but also has the potential to cause serious headaches for the CIO when you consider the cost implications associated with supporting such a high volume of devices.

BYOD 1.0 was the IT industry’s first attempt at solving problems related to personally owned devices in the workplace. The primary aim of dedicated Mobile Device Management (MDM) solutions, which have emerged over the past 18-24 months to help successfully manage the implementation of BYOD initiatives, is to manage and secure the endpoint device itself, and to some extent provide protection for data that rests on the device (which is typically limited to enabling native device encryption via configuration).

The primary aim of the layer 3 VPN (Virtual Private Network) is to connect the device back into the corporate network, providing data-in transit security for corporate traffic.  Both of these BYOD 1.0 components have a drawback—they are umbrellas that protect and manage the entire device, rather than zeroing in on just the enterprise data and applications on that device. Since these are usually dual-purpose (work/personal) devices, this device-wide approach causes issues for both workers and for IT.

Why BYOD 2.0?

BYOD 2.0 builds on the BYOD 1.0 foundation but makes a substantial shift from a device-level focus to an application-level focus. BYOD 2.0 seeks to ensure that the enterprise footprint on a personally owned device is limited to enterprise data and applications and nothing more. This means that mobile device management is supplanted by mobile application management (MAM), and device-level VPNs are replaced by application-specific VPNs.

Employees prefer this approach, because the IT department manages and sees only the enterprise subset of the overall data and applications on the device, leaving the management of the device itself, and of personal data and applications, to the device owner.

IT staff also prefer the BYOD 2.0 approach for the same reasons - it allows them to concern themselves only with the enterprise data and applications they need to secure, manage, and control.  This ‘application wrapping’ approach, which now focuses on the application rather than on the device, makes BYOD 2.0 popular with Australian enterprises .

Application wrapping also allows a mobile application management administrator to set specific policy elements that can be applied to an application or group of applications. Policy elements can include such things as determining whether user authentication is required for a specific application; whether data associated with the application can be stored on the device; and whether specific APIs such as ‘copy and paste’ or file sharing will be allowed.

In the enterprise, application wrapping allows an administrator to take an application, add extra security and management features and re-deploy it as a single containerised program in an enterprise application store.

BYOD 2.0 and the application wrapping frameworks discussed above are changing the dynamic in the mobile space. By combining mobile management functionality, access functionality, together with traffic optimisation functionality into a single offering, these wrappers give enterprises a mobile IT solution that extends from data and applications on the endpoint into the cloud and data centre.

Whether organisations are prepared or not, BYOD is here to stay, and is transforming enterprise IT. While it has real potential to provide organisations with a significant cost saving and productivity boost, it is not without risk.

Adrian Noblett is a solution architect at F5 Networks (ANZ).