Steve Jobs never set out to penetrate corporate networks with the iPad, but the sheer portability and usability of the device, coupled with the lure of free, fast and unmetered internet connectivity, make the presence of it and other employee-owned laptops, tablets and smartphones on the corporate LAN practically an inevitability. Regardless of the late innovator's intentions, the security administrator responsible for enforcing corporate policy doesn't stand a chance. Really, that poor person doesn't. The faster organizations get their heads around the issue, the better, because it could have far-reaching impacts in the longer term.
Are there real network and productivity concerns in regard to BYOD? It would be foolish to assert otherwise. Those fears include:
- Personal devices infecting the network and exposing the organization to the threat of cyber attack from the inside out.
- Employees downloading sensitive data to their machines and slipping out the back door.
- Work hours being spent on Netflix, and clogging up the network with streaming video traffic along the way.
These are real risks, and organizations are investing in all manner of hugely complex network access control (NAC) and data leakage prevention (DLP) platforms. However, how does an employee bringing an iPad to work and checking Facebook contrast against the regular occurrence of an employee taking a corporate-issued laptop home, surfing dubious websites on a home Wi-Fi network and bringing the laptop back to work? Since corporate policies cannot be easily enforced when a machine is disconnected from the corporate network, there's arguably a greater risk from “bring-your-corporate-laptop-back-to-work-on-Monday” than there is from an iPad hitting the network during a lunch break.
In the same vein, anyone using a USB key to transfer files from a corporate machine to a home machine (for weekend homework) could equally be accused of BYOD, as anything dangerous on their home computer could easily end up inside the LAN the second they plug in the USB. If organizations are concerned about getting attacked from the inside, there are arguably far more open doors.
Trying to stem the tide of BYOD is akin to trying to keep the sun from rising: You can certainly try, but the end result seems relatively inevitable. People are bringing, and will continue to bring, their toys to work for any number of purposes. So, forward-thinking organizations are open to the use of these devices on their network, but at the same time are aware that strategic plans must also be in place to prevent their network from becoming the Wild West. So what can be done?
The initial fears of any IT department are that BYOD may at worst infect the network or, at the very least, prevent it from operating at optimum levels. The key to minimizing those fears rests in the ability to drill down to the packet level to see exactly what's going on. That clear visibility allows organizations to take swift and accurate actions to correct the situation, because there is no guesswork involved. All the information is right there in front of them. It goes without saying that network security should be a priority, but security without visibility is a nightmare just waiting to happen, especially when any number of outside devices are operating on it.
Visibility will give IT staffs immediate answers to the most pertinent questions:
- Whose device is causing the issue?
- What areas of the network are impacted?
- When did it happen?
- Where does the problem exist?
- Why did it occur?
If every single packet isn't recorded, there is a good chance those answers won't reveal themselves in an expedient or cost-efficient fashion. One hundred percent packet capture clears the path to the problem and a fast resolution.
There's a strong argument that BYOD is a battle that organizations will ultimately lose and should be happy to concede (with certain conditions). The line between home and work is getting more and more blurred, and hard-line policies on BYOD may be counterproductive. In the future, organizations that elect to run with hard-line policies may find themselves struggling to attract talent. It's clear that Gen X and Gen Y employees won't tolerate restrictive policies, so the faster you get to a place that satisfies those who want to connect their tablets during office hours, the better for everyone concerned.
As with all things, it is possible to find a middle ground that gives employees access to high-speed internet (which is by and large all they're after) in a highly controlled manner, without giving them access to all of the network resources. Sure, it won't satisfy everyone, and there will still be abuse, but by meeting employees halfway, risks can be managed down to acceptable levels.
Just make sure you've got the visibility to do it.