Increasing device independence is critical here. Unless this happens, ad hoc solutions kick in every time an unsupported device enters your environment. This increases cost and strains support resources, and it is a security nightmare. A comprehensive strategic roadmap is needed to address the fundamental issues at the architecture level, so that the network, data, support and applications are all independent of the endpoint.
Focus on instituting a policy framework and infrastructure that are endpoint independent and BYOD ready. Keep in mind the strategic goals of minimizing support requirements and maximizing security. Formulate a strategic roadmap that moves you toward this goal, one step at a time. Some of the things to keep in mind here are:
- Security: From a security point of view, your architecture needs changes that make the network the primary control point. With BYOD the device is not owned by the organization, so it cannot be locked down the way a corporate endpoint can. Security must therefore be enforced elsewhere, on the network. Implement network access control (NAC), network segmentation and dynamic access control based on the level of trust in both the device and the user. A provision also needs to be in place to scan for and block unauthorized devices on the network.
- Data protection: To attain BYOD infrastructure readiness, your architecture needs to be able to identify, isolate and secure enterprise data on devices.
- Support: Limiting the support you commit to on devices, and minimizing the corporate footprint on them, are essential for endpoint independence and can greatly reduce support costs. A self-service portal can help keep helpdesk demand down. For complete BYOD readiness you need to offer different levels of support for different device types and ownership models, and to scale that support as required. A balance has to be struck between supporting a broader range of devices and offering a lower level of support for each.
- Policies: BYOD policies need to be flexible and kept up to date so that they cover new use cases as they appear. Review policies regularly, and communicate new policies and changes effectively to end users. Ensure that a policy exists for remote wiping of devices.
Networks and dynamic access control
Implementing dynamic access control is essential for ramping up your infrastructure's BYOD readiness. Start by assuming a hostile environment. With users anywhere and on any device, a single level of access is no longer appropriate. Endpoints can be fingerprinted in various ways: physical and virtual location, usage history and whether the device is known or unknown. Posture checks on the device can help determine its security state.
Gear up the network architecture to invoke dynamic access control based on the device's authentication strength and ownership. Your directory and policy server should arbitrate access. Full access to enterprise IT assets is provided only to company-owned, company-managed devices, through IPsec/SSL tunnels. User-controlled, non-company devices that are registered with your BYOD program can be given partial access through thin clients, SSL and NAC. Unknown, unregistered devices that can only be partially authenticated get extremely limited access, to Web apps and servers over SSL, in a clientless setup.
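The tiered scheme above (full access for company-owned managed devices, partial access for registered personal devices, limited clientless access for unknown or partially authenticated ones, and outright blocking of unauthorized endpoints) is the kind of rule a policy server applies. The following is an added example, not code from the article or from Gartner: a small policy engine that maps device ownership, management state, authentication strength, posture and location to an access tier. The class names, the posture attributes checked and the minimum OS version are assumptions made for illustration; a real deployment would feed the decision from the directory, MDM and NAC rather than from a hand-built record.

```python
"""Trust-tiered access decision for BYOD endpoints (added example).

Assumptions for illustration: ownership and management state come from the
directory/MDM, authentication strength from the identity provider, posture
from a device scan. Names and thresholds are made up for this example.
"""
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Ownership(Enum):
    CORPORATE = "corporate"      # company owned, company managed
    REGISTERED = "registered"    # user owned, enrolled in the BYOD program
    UNKNOWN = "unknown"          # never enrolled / never seen


class Auth(IntEnum):             # ordered so that >= comparisons are meaningful
    NONE = 0
    PASSWORD = 1                 # "partially authenticated"
    MFA = 2
    CERTIFICATE = 3              # device certificate plus user credential


class Tier(Enum):
    BLOCK = "block"              # dropped at the access switch / NAC
    LIMITED = "limited"          # clientless SSL to Web apps only
    PARTIAL = "partial"          # thin client / SSL on a NAC-enforced segment
    FULL = "full"                # IPsec/SSL tunnel to enterprise assets


MIN_OS = (12, 0)                 # assumed minimum patched OS version


@dataclass
class Device:
    device_id: str
    ownership: Ownership
    managed: bool                # enrolled in MDM
    auth: Auth
    posture: dict = field(default_factory=dict)  # attributes from a posture scan
    known_location: bool = True  # seen from an expected physical/virtual location


def posture_ok(p: dict) -> bool:
    """Minimal posture test: encrypted storage, lock screen, patched OS."""
    return (
        p.get("disk_encrypted") is True
        and p.get("screen_lock") is True
        and tuple(p.get("os_version", (0, 0))) >= MIN_OS
    )


def decide(dev: Device) -> Tier:
    """Assume a hostile environment: start at BLOCK and earn access upward."""
    if dev.auth == Auth.NONE:
        return Tier.BLOCK                       # unauthorized: scan and block
    healthy = posture_ok(dev.posture)
    if dev.ownership == Ownership.CORPORATE and dev.managed:
        if dev.auth >= Auth.CERTIFICATE and healthy and dev.known_location:
            return Tier.FULL
        # managed device failing a check stays on the restricted segment
        return Tier.PARTIAL if dev.auth >= Auth.MFA else Tier.LIMITED
    if dev.ownership == Ownership.REGISTERED and dev.auth >= Auth.MFA and healthy:
        return Tier.PARTIAL
    # unknown, unregistered, or only partially authenticated
    return Tier.LIMITED


def decide_all(devices: list) -> dict:
    """Map device_id -> tier name, as a policy server would log it."""
    return {d.device_id: decide(d).value for d in devices}


# Constructed sample records, not real devices.
GOOD_POSTURE = {"disk_encrypted": True, "screen_lock": True, "os_version": (12, 1)}
SAMPLE = [
    Device("corp-laptop-01", Ownership.CORPORATE, True, Auth.CERTIFICATE, GOOD_POSTURE),
    Device("corp-laptop-02", Ownership.CORPORATE, True, Auth.CERTIFICATE,
           {"disk_encrypted": False, "screen_lock": True, "os_version": (12, 1)}),
    Device("byod-phone-07", Ownership.REGISTERED, False, Auth.MFA, GOOD_POSTURE),
    Device("guest-tablet", Ownership.UNKNOWN, False, Auth.PASSWORD),
    Device("rogue-ap-client", Ownership.UNKNOWN, False, Auth.NONE),
]

if __name__ == "__main__":
    for dev_id, tier in decide_all(SAMPLE).items():
        print(f"{dev_id:16} -> {tier}")
```

The order of the checks is the point: a corporate device that fails its posture scan is not refused outright but dropped to the partial tier, while anything that cannot authenticate at all is blocked before ownership is even considered.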
Application delivery architecture
For a BYOD-ready infrastructure, the application delivery architecture must evolve with the multiplying device types and ownership models. It is not advisable to invest deeply in every platform when dealing with such varied environments. Instead, the app delivery architecture needs to separate consumer and business data and computing on the device, by leveraging isolation methods and thinner architectures.
Mobile device management (MDM) tools are poised to become a popular means of adding security and manageability to devices, and should be an integral part of your BYOD infrastructure build-out if you want a segmented, policy-controlled environment. To modify the application delivery architecture, consider the following approaches:
- On the server side:
1) Web/server-based computing.
2) On demand virtualized/streamed applications and workspaces.
3) Hosted virtual desktops or HVDs that mimic desktops but maintain apps and data remotely.
- On the device side:
1) Secure access clients and MDM solutions for comprehensive device management and security controls.
2) Certificates for controlling ownership and access.
3) Sandbox/container frameworks to isolate enterprise data and apps.
4) Virtual workspaces and hardware modifications such as disabling of cameras/antennae to protect apps and information.
Ideally, keep all enterprise data off endpoints. Given connectivity and data availability requirements, however, this will not always be feasible. Wherever it is not, insist on mandatory data encryption and compensate by ensuring that enterprise data on the endpoint does not mix with user data, so that corporate data can be wiped from the device if the situation demands it.
This tip is based on a talk on challenges and issues surrounding BYOD adoption, by Stephen Kleynhans, Research VP, Gartner, at the Gartner IT Infrastructure Operations & Data Center Summit 2012 in Mumbai.
(Compiled by Varun Haran)