Fresh Perspectives on Consumerization and BYOD – Part 2
This is the second of a three-part blog series exploring the issues and challenges with consumerization and BYOD. Part 1 is available here. This blog entry will explore the role of the network in addressing unmanaged devices.
“Why do I need Mobile Device Management?”, said the man sitting across the table from me.
I recently spent some time with one of our customers, and the director of network security opened the meeting in that manner. At first, I thought he was asking me a question, and I started to talk about the important role that Mobile Device Management plays with respect to managed device policy, and how that integrates with the Palo Alto Networks firewall. However, I later realized that he was opening a discussion to talk about his perspectives on BYOD.
We started talking about how there's a general belief that consumerization and BYOD are a device proliferation problem that needs to be controlled. As we talked, we both agreed that the heart of the matter, the real issue, is dealing with unmanaged devices, and that's a network control problem.
“The problem with BYOD is that the company doesn’t have any control over what users do with their own devices. That means you can't count on the user installing anything to bring it under management”, the customer said. “I can’t control what users do, but I control the network, and that’s where I’m going to tackle the problem.”
We got into a discussion about network access control (NAC) and its use cases. NAC can restrict what devices get on a network, but is that a good way to tackle BYOD and unmanaged devices? The tough part isn't blocking what doesn't belong, but managing what should be allowed. NAC works best when you have a closed, static environment with company-owned devices. Under these conditions, it's relatively easy to define what devices should be plugged in. A company that has hundreds of retail stores may have a standard set of equipment at each location. For example, each store might have 3 cash registers, 3 point-of-sale devices, one PC for the manager's office, and 2 Internet kiosks. The employees may change over time, but the equipment doesn't. NAC can make sure these are the only devices running at the store, and no BYOD issues crop up because nothing else should be brought online. The challenge with NAC is handling variety, and the corporate network is a much different story than the retail environment. At headquarters, there's a broader landscape of users, applications and devices, and it can get very tricky very quickly trying to manage what's what.
The next-generation firewall realigns expectations about how to build appropriate controls in the network. Because the next-generation firewall is application aware, it can determine which traffic may pass and which may not. In the BYOD scenario, a general-purpose policy might allow access to low-value applications (such as the cafeteria menu) and restrict access to sensitive applications (such as the customer database). The firewall also links network policy to users and groups, ensuring that only the right users can reach permitted applications. These principles help organizations determine what should be allowed before ever getting into the myriad of use-case issues that arise out of identifying the things that don't belong.
Upon reflection, these are precisely the capabilities needed for tackling the unmanaged device scenario. It's the applications and users that count, and it's the network that's the point of control. The device may be the issue, but it's the network that needs the solution. The foundation for security starts with knowing who the users are and which applications they are accessing, and that should be in place regardless of what device is in use. With good knowledge of the user and the application, more granular controls can address the devices. Is an employee using a corporate laptop that's up to spec? Is an employee using a non-recognized device? Address the specific conditions once it's determined that the user is allowed to access the application in the first place.
During my conversation with the customer, this was precisely the line of thought that he was going through. Although he originally purchased Palo Alto Networks firewalls to replace his legacy firewalls at the perimeter and in the data center, they provide the foundation for what's needed to tackle the BYOD issues that he was seeing. IT can permit an accountant access to financial applications from a corporate laptop with assurance that the endpoint has proper data protection measures installed. The same user accessing the same application from a personally-owned iPad may have restricted access, such as a path through remote desktop. From the remote desktop session, the user can access the application but cannot download the data locally to the device. An unknown user with an unknown iPad would see a captive portal that requires authentication before any access is allowed, and then appropriate application policies can be enforced.
With the next-generation firewall at the network perimeter, an organization can enforce controls over employee-owned devices between security zones, such as from the corporate LAN to the Internet. A user might be allowed to use their personal iPad to access the web, while the firewall enforces content control policies to block undesirable browsing behavior according to company policy. In addition, an organization can tackle the issue of how to address employee-owned devices that are being used externally by implementing GlobalProtect for safe access back to the corporate network.
With these fundamental controls in place in the network, it's much easier to apply a variety of additional technologies to make a BYOD strategy even more effective. Back to the customer's original question: mobile device management pairs quite nicely with all of the controls listed above. Taking the data center example, the authorized user with the unmanaged device would have very limited access to the environment, and the unknown user would have none at all. With Mobile Device Management, an organization could provide the option of greater access after the proper controls for device policy are in place, such as PIN enforcement, lockout and remote wipe. For example, a user that wants greater access from a personally owned device might choose to install a mobile device management profile. As mentioned before, there's no way to force users to do anything with their personal devices, but with the next-generation firewall securing the network, an organization can govern the amount of access from an unmanaged device. The users can choose to switch from unmanaged to managed in order to gain even more functionality. It's a win-win because the company gets control over risk without unnecessary administrative headaches, and employees get access through their favorite device.
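The ordering the post argues for (settle who the user is and which application they are reaching first, then let device posture shape the access) can be written down as a small policy evaluator. The following is an added example for this and the preceding data center scenario; it is not Palo Alto Networks code and does not use any firewall API. The application catalogue, group names, device attributes and the four outcomes (captive portal, deny, full access, remote-desktop-only) are constructed to mirror the accountant, iPad and unknown-user cases above, and the "enrolled iPad" case shows the MDM upgrade path from unmanaged to managed.

```python
"""Tiered access evaluation for managed and unmanaged devices.

Added example, not Palo Alto Networks code. It models the order of checks the
post argues for: identity first, then application entitlement, then device
posture. All application names, groups and device attributes are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Decision(Enum):
    CAPTIVE_PORTAL = "captive-portal"   # authenticate before any access
    DENY = "deny"                       # user not entitled to the application
    ALLOW_FULL = "allow"                # direct access from a trusted endpoint
    ALLOW_RDP_ONLY = "allow-rdp-only"   # via remote desktop, no local download


@dataclass(frozen=True)
class Device:
    kind: str                 # "laptop", "tablet", ... (informational only)
    managed: bool             # enrolled in MDM / corporate build?
    compliant: bool = False   # managed AND posture checks (PIN, encryption, DLP) pass


@dataclass(frozen=True)
class Request:
    user: Optional[str]       # None = not yet authenticated
    groups: FrozenSet[str]
    application: str
    device: Device


# Constructed application catalogue: who may use each application and how
# sensitive it is. Applications not listed are treated as high-value and
# entitled to nobody (default deny).
APP_CATALOGUE = {
    "cafeteria-menu": {"sensitivity": "low", "groups": None},        # anyone
    "web-browsing":   {"sensitivity": "low", "groups": None},
    "finance-app":    {"sensitivity": "high", "groups": {"accounting"}},
    "customer-db":    {"sensitivity": "high", "groups": {"sales", "support"}},
}


def evaluate(req: Request) -> Tuple[Decision, str]:
    """Return (decision, name of the rule that matched).

    The rule name is what you would want in the firewall log: it records
    *why* a session was shaped the way it was, which is what an analyst
    needs when reviewing BYOD access after the fact.
    """
    # Rule 1: unknown user -> captive portal, regardless of device or app.
    if req.user is None:
        return Decision.CAPTIVE_PORTAL, "unauthenticated"

    app = APP_CATALOGUE.get(req.application, {"sensitivity": "high", "groups": set()})

    # Rule 2: application entitlement by group (None means open to all users).
    allowed_groups = app["groups"]
    if allowed_groups is not None and not (req.groups & allowed_groups):
        return Decision.DENY, "not-entitled"

    # Rule 3: low-value applications are fine from any device.
    if app["sensitivity"] == "low":
        return Decision.ALLOW_FULL, "low-value-app"

    # Rule 4: high-value applications -- device posture shapes the access.
    if req.device.managed and req.device.compliant:
        return Decision.ALLOW_FULL, "managed-compliant-device"
    # Unmanaged, or managed but out of spec: keep the data in the data center.
    return Decision.ALLOW_RDP_ONLY, "unmanaged-or-noncompliant-device"


# Constructed principals and devices for the scenarios in the post.
ACCOUNTANT = ("alice", frozenset({"accounting", "employees"}))
ENGINEER = ("bob", frozenset({"engineering", "employees"}))
CORP_LAPTOP = Device("laptop", managed=True, compliant=True)
PERSONAL_IPAD = Device("tablet", managed=False)
ENROLLED_IPAD = Device("tablet", managed=True, compliant=True)   # after MDM profile
UNKNOWN_IPAD = Device("tablet", managed=False)


def scenarios():
    """Evaluate the cases discussed in the post and return their outcomes."""
    return {
        "accountant-laptop-finance": evaluate(Request(*ACCOUNTANT, "finance-app", CORP_LAPTOP)),
        "accountant-ipad-finance": evaluate(Request(*ACCOUNTANT, "finance-app", PERSONAL_IPAD)),
        "accountant-enrolled-ipad-finance": evaluate(Request(*ACCOUNTANT, "finance-app", ENROLLED_IPAD)),
        "accountant-ipad-cafeteria": evaluate(Request(*ACCOUNTANT, "cafeteria-menu", PERSONAL_IPAD)),
        "engineer-laptop-finance": evaluate(Request(*ENGINEER, "finance-app", CORP_LAPTOP)),
        "unknown-ipad-finance": evaluate(Request(None, frozenset(), "finance-app", UNKNOWN_IPAD)),
    }


if __name__ == "__main__":
    for name, (decision, rule) in scenarios().items():
        print(f"{name:36} -> {decision.value:16} ({rule})")
```

Note that the device is consulted only in the last rule: an unknown user with an unknown iPad never reaches it, and an entitled user on a personal iPad still gets to the application, just through a remote-desktop path that keeps the data off the device. Enrolling the iPad in MDM flips `managed` and `compliant` and upgrades the same user to full access without touching the user or application rules.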
We covered a lot of important topics in that meeting, and I think the customer is exactly right. The network is the place to enforce control, whether it's a matter of dealing with applications, users or, in this case, devices. In Part III of this series, we'll cover the specifics of how the next-generation firewall applies these concepts.