Just because BYOD has become normal operating process in most workplaces doesn’t mean the practice has stopped up causing dispute for IT.
Take San Francisco-based law firm Hanson Bridgett LLP, for example, whose attorneys perform legal work in the healthcare business and must adhere to the federal HIPAA and the HiTech Act standards, amongst others. According to the firm’s IT director Chris Fryer, that income the Apple and Android smart phones and tablets that its attorneys use need to be managed so that the business data on them is encrypted and can be wiped if wanted. But no one wants to interfere with the personal data on those privately owned mobile devices.
“We run just the business data and leave the rest alone,” says Fryer. That’s done by using mobile-device management (MDM) software from Good Technology and its “containerization” part so that the business apps and data on every machine is encrypted and cordoned off from the individual data.
But as much as Fryer has establish the Good Technology MDM to be effectual, there are still hurdles, he says. Each MDM vendor’s APIs for containerization need to be supported in the mobile apps, which is not always the case, he says.
“It’s an imperfect word,” says Fryer, noting that lack of standards in MDM and mobile apps combined with the plethora of MDM vendors — by some counts there are more than 150 — has made this a tough terrain.
In addition, Fryer points out his law firm relies on Microsoft Office applications to prepare complex legal documents. But Microsoft didn’t launch Office for iPad until late March, and in a way that’s tied to a subscription for Microsoft 365 cloud service. Fryer is watching how that will unfold. “We’re trying hard to edit documents on an iPad,” says Frye. “We want to make sure that will happen in a container.”
Fryer says there also can be issues with how e-mail clients work with MDM.
“Some MDM vendors allow you to use the native e-mail client,” says Fryer. “You can put up Google mail and also your corporate e-mail for that.” But Frye says the Good Technology containerization requires the use of Good’s email component to securely control e-mail, which can be problematic to end users accustomed to something else.
All of these challenges mean that despite the positive experience that the law firm has had with Good’s MDM technology, there’s still cause to keep an eye out for something new. Many businesses are up for trying new BYOD security possibilities for e-mail and calendaring.
First United Security Bank, based in Alabama, has long been in the practice of making sure any desktop e-mail with sensitive data is encrypted when sharing with business partners. That’s done with the ZixCorp e-mail encryption service that lets pre-authorized senders and receivers encrypt and decrypt e-mail.
Now, about two dozen employees have received approval for BYOD use, says Phillip Wheat, CIO at First United Security Bank. But these BYOD-approved employees must add the Zix Mobile App 1.0 to their personal Apple or Android device. This allows them to view e-mail attachments but not save attachments to their mobile devices. Wheat says this eliminates the need to have to remotely wipe an employee’s device if it’s lost or stolen.
Several security vendors are coming up with ways to extend their basic product or service to accommodate BYOD security. Dell is tying BYOD security controls to its SonicWall E-Class Appliance by introducing enterprise mobility software for Google Android or Apple iOS. This Dell software, called Secure Mobile Access 11.0 with Mobile Connect App, lets the IT manager set up a way to selectively apply customized VPN controls only to the corporate apps, not the employee’s personal apps. Dell is looking at adding the Windows mobile platform.
Jay Terrell, chief technology officer for Fulton County in Georgia, is a SonicWall customer who may start using this BYOD mobility approach. But he adds the county is still working on devising a BYOD strategy as it migrates off corporate-issued BlackBerries primarily to Android use. In the past, the county has allowed some limited BYOD use if the employee consents to use AirWatch MDM software.
However, not all organizations are migrating off BlackBerry. In fact, parts of the Australian government, for instance, are adopting the BlackBerry Enterprise Service 10 for mobility, with a big emphasis on BYOD, because of its secure multi-platform containerization technology, called BlackBerry Secure Work Space for iOS and Android. In March, this BlackBerry containerization technology received the U.S. government’s Federal Information Processing Standard (FIPS) 140-2 certification issued by the National Institute of Standards and Technology.
Gary Pettigrove, chief information officer at the Australian National Audit Office, which has 350 employees, is supporting BYOD for over 50 staff members and expects to have more than 200 in BYOD mode later this year. User preference in BYOD dictates the technology choices, but users must allow their personal devices to be managed for security purposes by the IT group.
“The IT team controls the BlackBerry service and fleet through a central administration portal,” says Pettigrove. “No one can join the service without first submitting their handset for configuration and setting up BlackBerry’s Secure Work Space. This is containerization, application-wrapping and secure connectivity options, allowing us to secure and control employees’ iOS and Android devices via the BES10 administration console.”
Pettigrove says BYOD is clearly benefiting staff productivity and employee satisfaction. It also appears to be helping reduce technology costs.
BYOD and network-access control
What might be surprising to some is how Microsoft actively supports a BYOD program that doesn’t deny employees any choice of mobile computing device, including smartphones and tablets from Apple and Android.
BYOD on a large scale was a decision made a few years ago to “embrace what’s coming” in terms of worker preferences and productivity, says Bret Arsenault, chief information security officer at Microsoft. Today, about 90,000 devices are “personally owned” by Microsoft employees and used for business purposes, including email and document editing. But it’s not that just anything goes with BYOD, Arsenault emphasizes. “Security is not an afterthought.”
Microsoft does mandate encryption and can extend a wipe capability to corporate data through use of its own service, Windows Intune. “We’re effectively securing the data — segregating and protecting the data on the device when it’s not owned by the business,” says Tim Rains, Microsoft directory of Trustworthy Computing. Microsoft uses Intune across the enterprise, testing out new features before they’re generally available.
According to Arsenault, the Microsoft BYOD strategy involves “certifying a set of capabilities, not the device.” Through the certificate-based Intune agent software, Microsoft can set limits related to a PIN timeout policy and manage the key that provides access to encrypted data. Education and training on use of BYOD in business is also an element in all this. “It’s the base minimum,” he notes.
But BYOD is not usually accorded the same level of trust as corporate-issued devices. And BYOD is subject to specific network-access controls on the Microsoft enterprise network which is set up under a model called “variable user experience” based on the identity of the device and the location, says Arsenault. In this, Microsoft recognizes security levels tied to on-network, off-network, wireless and Internet. Sometimes BYOD users don’t get the same access as they might with a corporate-issued device, depending on the sensitivity of the resource.
Gartner analyst Lawrence Orans says it’s a common security practice associated with BYOD to set up policies for mobile-device management based on network-access control. But one of the challenges in all this is that the various MDM vendors have specific partnerships with specific NAC vendors and when you pick NAC, “you’re also picking the MDM. If you pick the MDM first, you also limit the NAC partnership,” he points out.
The big players in NAC, including Cisco, ForeScout and Aruba Networks, each have several partnerships with MDM vendors, typically partnering with the MDM vendor to create integrated NAC and MDM client software. But there are a lot more MDM vendors than NAC vendors, Orans points out, advising enterprise IT managers to choose carefully if they’re supporting NAC, too.