Fortinet Blog | News and Threat Research


BYOD: Tools, Policies Take Shape with Adoption

by Stefanie Hoffman  |  January 14, 2013  |  Category: Industry Trends & News

The number of organizations denying personal device access to their network is on the downswing, as predicted here in a recent blog by Kevin Flynn.

Gartner reports 70 percent of respondents in a December 2012 survey are planning to implement bring-your-own-device (BYOD) policies within the next 12 months. At the time of Flynn’s blog, more than 60 percent of 286 respondents in a Fortiblog survey did not permit personal devices on their organization’s network.

Flynn notes that he wouldn’t be surprised to see that number rapidly decrease in the coming months. He is right. In fact, Gartner reports 33 percent of all organizations they surveyed now have BYOD policies in place for mobile devices, including smartphones and tablets.

“Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization,” said Dionisio Zumerle, principal research analyst at Gartner.

In terms of technology and tools, Flynn points out that technology to protect your network already exists, and much of it resides in your existing Fortinet infrastructure: integrated wireless controllers, bandwidth management techniques and network-based antimalware protection.

Gartner believes organizations should focus efforts on three major effects when moving to a BYOD policy:

Effect 1: Users’ right to leverage the capabilities of their personal devices conflicts with enterprise mobile security policies and increases the risk of data leakage and vulnerability exploitation.

When enterprise data is allowed on these devices, says Gartner, the risk of leakage increases because of the rise of mobile malware. Legitimate-but-unsupported software may also create security risks for the organization. And there’s always the chance of someone losing a personal device. Mobile device management (MDM) software can enforce policies on mobile devices, says Gartner. Users should obtain access to enterprise information only after having accepted an MDM agent on their personal devices. A URL-filtering tool, such as a cloud-based secure Web gateway service, is also suggested to safeguard and enforce enterprise policy on Internet traffic. Gartner suggests enterprises consider application whitelisting, blacklisting and containerization.

Effect 2: User freedom of device choice and the proliferation of devices with inadequate security make it difficult to properly secure certain devices, as well as keep track of vulnerabilities and updates.

Gartner notes that an essential security baseline should require enhanced password controls, lock/timeout enforcement, data encryption and remote lock and/or wipe. The enterprise mobility baseline must also express minimum requirements on hardware – OS versions aren’t enough. Network access control policies should be implemented. Gartner suggests a no-compromise security policy for device variety; where it’s possible to manage and secure a new device model, it should be done.

Effect 3: The user’s ownership of device and data raises privacy concerns and stands in the way of taking corrective action for compromised devices.

Most people consider data on their personal devices as their property and would object to having it manipulated without their consent. When shifting from enterprise to user-owned devices, says Gartner, “remote wipe” – a fundamental security feature in a mobile security policy – becomes complicated from a legal and cultural standpoint. Gartner emphasizes that sufficient attention be paid to this issue to avoid repercussions and recommends consulting with the legal department. Problems may arise if the user refuses a remote wipe. Time is of the essence when performing this task, says Gartner, and asking the user for permission after the compromise, when a remote wipe is considered necessary, introduces message exchange delays that can be critical.

To address this issue, Gartner says it’s important to obtain explicit, written consent from users to delete their data in case of compromise, or the loss or theft of devices, at the time of the user’s initiation into the BYOD program.

Tags: BYOD