Mobile device security sessions are drawing crowds at the RSA Conference. Unlike THE hot topic in some other years (remember when everyone was so keen on NAC?), the explosive increase in the use of smart phones and tablets, and the move to cloud services are changing the way companies do business, changing the role of IT to more of a service provider role and changing the types of policies and controls needed to secure information in an open and borderline chaotic environment.
Embracing BYOD (bring your own device) and building policies and infrastructure to support it is of particular interest, as most organizations fall into one of two broad categories: companies that commit to BYOD and companies that are having BYOD imposed on them. In other words, except in the most restrictive circumstances, it’s happening. What are you going to do to make it work?
It’s always worthwhile to go to school on what other organizations are doing. Cardinal Health and Cisco Systems gave us a high-level look into their internal BYOD programs in a presentation called “BYOD(evice) without BYOI(nsecurity).” And while Cisco’s message was garnished with a little mandatory vendor messaging around their AnyConnect secure mobility technologies, they are eating their own dog food. Both organizations had sound advice about policies and processes, as well as technology, to make BYOD work in a way that saves money, increases productivity, protects the enterprise and keeps employees happy with their iPads, iPhones, Droids etc.
The presentation reinforced the compelling, straightforward motivations behind BYOD from both corporate and employee perspectives:
- Companies can save a lot of money allowing employees to use their own smart phones. Cardinal has moved from 12,000 company-owned smart phones (Blackberrys, not a good sign for RIM, which has quickly fallen on hard times) to 2,000. They estimate an annual savings of $8 million in total cost of ownership. Not trivial. They don’t pay their workers a stipend for allowing them to use their own phones, but say that isn’t much of a problem. Most employees are more than happy just to be allowed to use their cool, powerful phones for work as well as personal use.
- Increased productivity. Workers have highly capable devices that they really, really like using, and, by the way, can be used pretty much anywhere there’s a decent cell signal and/or WiFi.
- It’s probably happening anyway, so why not make it work to your advantage?
It’s not surprising that the first step is to engage all the stakeholders in the organization to create a plan that will work for the business. This means, of course, strong support from top management, and engagement of IT, security, line-of-business owners, legal, HR (there are a lot of dicey policy issues around corporate use of personal devices and the personal information on them) and the mobile workers themselves. From an IT perspective, an effective mobile device management program has to be a collaborative effort that includes subject-matter experts for desktops, servers, architecture, networking, security etc.
Security needs to be brought in early (“baked in,” as a former colleague loves to say), according to Dan Houser, Cardinal’s security and identity architect. Security controls, he stressed, need to strike the right balance: protecting the company while at the same time not having too much impact on the use of personal devices.
“Controls have to be reasonable,” he said. “If they are considered too onerous, users will find ways to bypass them.”
Access and identity policies and supporting control technologies are key. This means developing a risk-based approach that depends on the individual, their role in the organization and their consequent authorization to corporate applications, systems and information; the device they are using (is it registered/managed?); where they are connecting from; etc. At a high level, this means treating personally owned devices as external (as Kevin Johnson recommends in his Q&A with Security Bistro), and leveraging technology to support corporate policies on how much access, if any, personally owned devices will have to internal corporate resources and what they can do with those resources. For example, Cardinal does not allow corporate information to be downloaded onto personal devices; Cisco does.
[This approach echoes the tack RSA (the company) is taking. As part of a wide-ranging presentation, RSA described a partnership with web security service provider Zscaler. The short version is that RSA assesses the risk level of the person and device, while Zscaler determines the risk of whatever or wherever they are trying to connect to.]
As a technological approach, Cardinal is implementing both BYOD management and security technology and virtual desktop infrastructure (VDI), maximizing their flexibility while minimizing cost and facilitating security.