The organisation determines which devices it will allow on the network and generates policies stating which devices are appropriate and what behaviour is acceptable. Many organisations must also decide which technical controls they plan to implement in order to enforce corporate policies.
Creating the corporate policy is a necessary first step for creating a secure mobile environment but ultimately organisations need technical solutions in place to enforce policy. Technical controls can vary from network-based to device-based and no single solution is appropriate for all organisations. Some of the most common technical controls associated with enforcing BYOD policies are listed below:
Virtual Desktop Infrastructure (VDI)
Server-based VDI is the creation of a user's desktop environment, from operating system through applications, in a virtual machine (VM), run on a hypervisor and hosted in a centralised server. The hosting server simultaneously supports multiple virtual desktops, with the number of virtual desktops supported limited by several factors, most notably the configurations of the desktops and the computing capacity of the server. The virtual machine instances that contain the virtual desktops are established and torn down based on business requirements - an on-demand attribute. Also, based on business requirements and rules, virtual machines can move from one physical server to another.
Allowing mobile devices to access VDI gives organisations the ability to leverage their existing investment in VDI and provides a secure window into the corporate network. VDI does not allow for cross-pollination of data between the user's personal device and the corporate infrastructure. VDI helps alleviate policy enforcement concerns because the enforcement still occurs on the corporate network.
Mobile Device Management (MDM)
MDM has become synonymous with mobile security. However, MDM is not a complete solution to BYOD challenges, as it does not provide a complete security solution; most MDM and endpoint clients are designed to address many challenges that are not security related, such as software distribution, policy management, inventory management and service management.
MDM does provide an expanded level of policy enforcement that is not enabled by default. MDM allows policy enforcement on the mobile device itself, and many solutions offer remote locate/lock/wipe capabilities to protect against loss or theft. However, MDM solutions enforce different policies based on the mobile device they are supporting, resulting in inconsistent security coverage.
Endpoint Security Clients
Endpoint security clients are an extension of traditional anti-malware clients. The majority of traditional endpoint security vendors have created mobile versions of their clients allowing for a combination of anti-malware, VPN, and remote wiping capabilities on the endpoint itself. Like their desktop counterparts, endpoint security clients increase management headaches by requiring the installation of an agent.
Network-Based Enforcement
As the name implies, network-based enforcement relies on the network to enforce policies and controls around what the client, data, and user can do or access. Network-based enforcement requires a great deal of granularity and intelligence on the network to provide adequate access controls to prevent nefarious activity.
A key advantage of network-based enforcement is that the targeted data ultimately resides on the network. Establishing controls on the network itself allows an organisation to block malicious software or activities coming from mobile devices before any damage can occur to the network.
Network-based enforcement is the area Fortinet plays in, but our solutions are designed to also support the other methods of BYOD enforcement described above. Fortinet provides flexibility for organisations to choose technology partners that solve specific problems in their environment and then apply security policies to ensure that enforcement occurs when necessary.
Are companies in Malaysia ready to overcome BYOD-related risks? If not, what steps could they take?
There is no silver bullet to address the challenges posed by mobile devices. Solving the many problems requires a technology-driven, multi-pronged approach. Fortinet has a wide portfolio of solutions that can address the new threat vectors provided by mobile devices and enforce policy compliance for users wherever they may be. Specifically, Fortinet provides secure mobility by protecting the network, the data, and the client.
Organisations in Malaysia must realise that to effectively protect their corporate networks and data from potential threats coming from mobile devices, they must handle the security issue at the network level rather than at the endpoint level. This network security strategy requires strong control over users and applications, on top of device management.
IT organisations must have the power to detect and control the use of applications on their networks and endpoints based on application classification, behavioural analysis and end-user association; and to detect and control Web-based applications at a granular level, including inspecting encrypted application traffic, regardless of ports and protocols used.
It's imperative for Malaysian firms to take action on BYOD soon because it's clear that employees are not going to stop using their own handhelds for business and instead, they will just try to figure out ways to make it work.
What are the top issues that you believe company leaders in Malaysia are failing to consider in relation to mobile working as well as BYOD?
The top three issues are bandwidth and productivity drains, data and device loss, and increasing cyber attacks on mobile devices.
Bandwidth and Productivity Drains - Many employees have found that mobile devices often do not have the same strict policy enforcement capabilities as desktop devices. This policy gap enables many employees to use their mobile devices to access video streaming and other applications that are denied by standard corporate policy. With mobile devices offering a way to bypass the limits normally imposed on these applications and behaviours, users are putting a strain on the corporate network bandwidth and being less productive.
Data and Device Loss - Banning BYOD may reduce data and device loss. With devices operating outside the confines of the traditional brick and mortar enterprise, the potential for data loss increases significantly. The threats to mobile users include the risk of malware infection, inadvertent or malicious sharing of critical business data or even the devices being lost or stolen. Additionally, rogue wireless networks exist in public with the sole purpose of stealing unprotected data.
Attacks against Mobile Devices - Even mobile devices themselves are increasingly becoming the target of attack. Hackers have started to realise the potential goldmine of data that exists within mobile devices and unauthorised app stores provide an easy means of distribution for mobile applications - some of which are not legitimate.
With the expected softening economy in 2013, do you expect an increase in BYOD and mobile working in Malaysia?
With a softening economy, the pressure on organisations to increase productivity and cut costs rises. BYOD can facilitate both objectives, as outlined above. In addition, mobile device ownership in Malaysia is among the highest in the region, and we expect adoption impetus from the user end as well.
In conclusion, could you detail how Fortinet's recently announced solutions help Malaysian companies?
Fortinet has recently introduced FortiOS 5.0, the world's most advanced security operating system. This new release provides more security, intelligence and control to help Malaysian enterprises be better protected against today's advanced threats and enables more secure BYOD environments.
Fortinet has added more than 150 features and enhancements to FortiOS 5.0. As a result, enterprises of all sizes will be better equipped to defend themselves against new advanced threats, and manage and protect their network against an influx of new types of mobile devices and applications.
Key benefits include the following:
1. More security to fight advanced threats. A client reputation feature gives enterprises a cumulative security ranking of each device based on a range of behaviours and provides specific, actionable information that enables organisations to identify compromised systems and potential zero-day attacks in real time. The new advanced anti-malware detection system adds an on-device behaviour-based heuristic engine and cloud-based AV services that include an operating system sandbox and a botnet IP reputation database.
2. More control to secure mobile devices and BYOD environments by identifying devices and applying specific access policies as well as security profiles, according to the device type or device group, location and usage.
3. More intelligence with automatic adjustment of role-based policies for users and guests based on location, data and application profile.