Modernizing Authentication — What It Takes to Transform Secure Access
Walk into nearly any enterprise today and more likely than not, employees will be carrying their own mobile devices. The Bring Your Own Device (BYOD) phenomenon is real, and it's affecting the way that organizations need to deliver and secure access to IT infrastructure.
Survey Says: BYOD Adoption, Risk
While BYOD is a known trend, its actual impact and adoption varies, depending on who you ask. According to a recent study from security vendor Blue Coat, IT staff and employees tend to view BYOD in different ways. While 71 percent of employees reported that they used their own devices to access corporate IT, IT staff in the same survey said they believed 37 percent of employees were accessing the network with non-corporate devices.
A study from security vendor Webroot seems to confirm there are a large number of employee-owned devices. It reports that 73 percent of companies now have a mix of company- and employee-owned mobile devices.
BYOD creates significant potential to impact enterprise networks as unknown devices can introduce new risks. However, IT staff and employees also have different views on risk, according to Blue Coat's results. Nearly 80 percent of IT managers rated the risk of malware infecting the enterprise network from mobile devices as moderate to very high. In stark contrast, 88 percent of employees reported that their mobile devices were somewhat or very secure.
The Webroot survey also emphasizes that managing BYOD security isn't easy, with 83 percent of respondents saying it's a tough task. That said, 64 percent of respondents said the cost savings of allowing BYOD outweigh the potential security challenges.
To mitigate potential risks of BYOD, it's important to have some form of BYOD security controls or policies. Yet according to the Webroot study, only 48 percent of enterprises currently have a mobile security plan. This means the market is ripe for solutions, which vendors are now rushing to provide.
BYOD in the Cloud
BYOD involves multiple types of risks to enterprises. By definition, devices are mobile and are not always accessed from behind the traditional confines of an enterprise's network perimeter. Thus enterprise-based controls that reside inside a corporate firewall are likely not enough to provide protection when mobile devices are accessed outside the firewall.
While one potential solution is to tunnel traffic back through a corporate VPN, multiple vendors are now taking BYOD security to the cloud. Blue Coat, Webroot and OpenDNS are among the vendors announcing new cloud-delivered approaches for securing BYOD.
The Blue Coat Mobile Device Security (MDS) service leverages the Webpulse cloud threat detection service that Blue Coat has offered for several years. The goal with the MDS is to provide mobile policy and threat detection consistent with what employees get inside the enterprise, said Sasi Murthy, senior director of Product Marketing at Blue Coat.
"Don't worry just about the devices, worry about the corporate network," Murthy said.
The WebPulse component in MDS provides protection against malware threats and is complemented by operational controls for enterprises to enforce a policy-based approach for application use.
Webroot's SecureAnywhere Business Mobile protection suite, also announced this week, provides cloud-based BYOD security. In addition to anti-malware protection, Webroot's solution includes an application inspector that will alert users about potential risks in mobile apps that they choose to install.
The new OpenDNS Umbrella service leverages OpenDNS' cloud network of services to help accelerate mobile traffic as well as secure it. With Umbrella, mobile users get Internet access through a secure VPN connection that provides a full wrapper around the mobile device.
According to OpenDNS CEO David Ulevitch, mobile security needs to be on all the time in order for it to be effective. "It doesn't matter if you have the most effective security solution in the world if it sits in a box," Ulevitch said. "If it never gets deployed, then it's useless."