Bring-your-own-device (BYOD) is everywhere in today's workplace — whether that means smartphones, tablets, laptops or other personal devices — and using the same device for both business and personal tasks is becoming commonplace. Convenience, improved productivity and the potential for cost savings are undeniable benefits, but this practice poses a huge security risk to the business. All of those personal devices accessing the network are loaded with apps that make life simpler and more fun, and not just for the user. After all, who hasn't seen a game-laden phone handed to a grouchy toddler in a restaurant?
BYOD improves employee satisfaction and productivity, but the fact remains that business risk increases dramatically when personal and business applications intermingle, particularly if personal apps have vulnerabilities that hackers can leverage to pull business information out of a device, or to insert malware — which makes the device a conduit for infecting backend network systems.
According to data from Google's Our Mobile Planet, the average mobile user downloads 25 apps on their smartphone, each with its own set of permissions and rights to the device. In the United States, that number jumps to more than 32 apps. Users access these apps — for games, entertainment, travel, shopping, sports, and much more — through their personal mobile providers, but once the device is connected to your network through the corporate VPN, all that traffic can reach out and touch your network data. Multiply those 25-32 applications by the number of users in your organization who use their personal devices for work, and that's a lot of risk, not to mention the impact both personal and business traffic has on network bandwidth.
Organizations have tried various means of gaining control of BYOD security, with limited success. These strategies include mandatory encryption, along with endpoint integrity checking, and auditing of mobile devices, but industry surveys indicate that many organizations don't enforce their mandatory policies. In fact, a recent Gartner survey indicated 59 percent of respondents who regularly use their private devices for work have not yet signed a formal BYOD policy agreement with their employer.
Blacklisting of certain personal apps is another BYOD security strategy, in which the blacklisted apps are detected and the user is required to uninstall them before access to the corporate network is granted. This is not a solution that's embraced by users, however, who will simply find a workaround to keep their favorite game in place.
This is compounded by an apparent disconnect between users and IT when it comes to BYOD security. Although BYOD increasingly is becoming the norm in business today, security often is a secondary thought for users, who resist the idea of mobile device management (MDM) agents or security controls being placed on their devices because they want to protect the privacy of their personal data and apps. Consumer applications are pervasive in their use of a user's personal information — Google Maps and apps like Yelp all ask for your current location, for example — yet industry surveys reveal that more than one-third of enterprises have no risk control measures in place.
The threat of data loss and the introduction of malware into the network — which can mean even more data loss and probably is something IT should be even more concerned with — are what put security at the top of the list of BYOD concerns for IT professionals and cause CIOs to lose sleep. A data breach can result in enormous costs to the business in the form of stolen financial and customer information resulting in legal costs, lawsuits and regulatory fines.
The upside is that all of this presents an opportunity for IT organizations to rethink how they support mobile access. Previously, safeguarding mobile device access to corporate data and resources – while respecting personal data privacy – required a complex mix of proprietary mobile applications, custom application development, and multi-box solutions from multiple vendors. New technology, however, enables secure mobile access solutions to support per-app VPN, which empowers IT to restrict VPN access only to a specific set of trusted mobile applications. Instead of blacklisting certain personal applications, per-app VPN capability lets IT designate which apps each user can use to access the corporate VPN and allowed corporate resources.
Administrators can authorize mobile apps through a per-user, per-device policy, while prohibiting corporate data communications with personal apps. Policy-enforced network access controls connect the user only to permitted corporate data and resources. Best-in-class per-app VPN technology can support any mobile app, secure container or Mobile Device Management solution without requiring modification, app-wrapping or custom development, which would slow down deployment and increase costs, impacting mobile worker productivity.
Here are some initial steps to make this work seamlessly:
- Make sure your per-app VPN technology will support any mobile app of your choosing without development or customization.
- Make sure you understand which backend resources you want your users to be able to access, whether web apps, client/server apps, file shares or virtual desktops, and look for VPN technology that can support access to all required workloads.
- One way hackers gain access is by infecting a mobile app, so, in addition to determining which apps you will allow to access the network, make sure those apps haven't been compromised or infected.
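As an added illustration (not from the original article or any vendor's product), the sketch below models the default-deny decision a per-app VPN gateway makes from a per-user, per-device allowlist, including the check that an allowed app has not been tampered with. All user names, device IDs, app identifiers, digests and resource names are constructed placeholders, and the app digest is assumed to be reported by a trusted device agent.

```python
import hmac
from dataclasses import dataclass

# Constructed sample policy: (user, device) -> allowed app -> expected package
# digest and the backend resources that app may reach. All values are
# hypothetical placeholders, not real identifiers.
POLICY = {
    ("alice", "device-001"): {
        "com.example.mail": {"digest": "aa11", "resources": {"mail-gateway"}},
        "com.example.crm": {"digest": "bb22",
                            "resources": {"crm-web", "file-share"}},
    },
    ("bob", "device-002"): {
        "com.example.mail": {"digest": "aa11", "resources": {"mail-gateway"}},
    },
}


@dataclass(frozen=True)
class TunnelRequest:
    user: str
    device: str
    app_id: str
    app_digest: str  # digest of the installed app (assumed trusted report)
    resource: str    # backend resource the app wants to reach


def decide(req, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    apps = policy.get((req.user, req.device))
    if apps is None:
        return False, "no policy for this user/device pair"
    entry = apps.get(req.app_id)
    if entry is None:
        # Personal apps never need to be blacklisted: they are simply absent.
        return False, "app not on allowlist"
    if not hmac.compare_digest(req.app_digest, entry["digest"]):
        # An allowlisted app whose package changed is treated as compromised.
        return False, "app digest mismatch"
    if req.resource not in entry["resources"]:
        return False, "resource not permitted for this app"
    return True, "allowed"


if __name__ == "__main__":
    for r in (
        TunnelRequest("alice", "device-001", "com.example.crm", "bb22", "crm-web"),
        TunnelRequest("alice", "device-001", "com.example.game", "cc33", "crm-web"),
        TunnelRequest("alice", "device-001", "com.example.mail", "ff00", "mail-gateway"),
    ):
        print(r.app_id, r.resource, decide(r))
```
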
Per-app VPN lets IT professionals breathe easier because it allows mobile employees to access enterprise data and resources, and still protects the corporate network from security threats. By enabling IT to restrict VPN access only to a specific set of mobile applications, a per-app VPN solution will allow IT to manage and secure access to business applications and data, coexist with personal applications, and respect personal data privacy.
IT can no longer afford to ignore BYOD security, hoping that security issues will take care of themselves. The good news, however, is that per-app VPN technology combined with strong security policies will allow CIOs to get some sleep at night.