No Jitter is part of the Informa Tech Division of Informa PLC

WLAN Vendors "Discover" BYOD

The combined topics of mobility and BYOD have now reached the status of a bandwagon that simply must be jumped on. In the past week I've seen an unrelenting stream of press releases and white papers cross my desk from a seemingly endless array of newly minted "mobility experts", and I'm starting to think we should change "BYOD" to "MYOB". Two of the more interesting introductions of late have come from the wireless LAN camp in the way of Cisco and Aruba Networks.

Mobile security and management represents a many-faceted problem, and we have a rapidly expanding range of suppliers addressing different parts of it. While vendors may like to simplify the problem, enterprise security managers need to have a clear idea about the whole realm of mobile security before venturing out to acquire the various piece parts of their security solution. As we have seen no one solution that is hands-down best at all of the various components, in the near term we can expect a security complex to involve a number of "piece parts".

At the most basic level we need to ensure that we can enforce security policies on devices, like the requirement to have a strong power-on password and the ability to remotely lock and wipe the device if it is lost or stolen, or if an employee is terminated. Those issues can be addressed with push email solutions like Microsoft's Exchange ActiveSync and IBM's Lotus Notes Traveler.

More comprehensive management solutions come in the way of mobile device management (MDM) systems like those from Sybase, MobileIron, AirWatch, Zenprise, and Good Technology, as well as the ever-present Research In Motion (RIM). With its recently delivered Mobile Fusion solution, RIM can now provide MDM services for Apple iOS and Android devices as well as BlackBerry. Odyssey Software adds MDM capabilities to Microsoft's System Device Center, allowing it to manage mobile devices along with desktops and laptops, and IBM is in beta with the same capability on Tivoli Endpoint Manager. In its 2011 Magic Quadrant for Mobile Device Management Software, Gartner found more than 60 different vendors, and that number has grown since then.

Those solutions typically involve installing a client on the mobile device (tablet or smartphone) that can then be monitored from a premises or cloud-based management platform. Capabilities vary from product to product but will typically include the ability to enforce policies (e.g. require strong power-on passwords); push configuration settings and certificates to devices; provide asset tracking, remote wipe and lock, along with tools for service monitoring and diagnostic support.

The other growing area in mobility management is applications management. Many organizations are looking to take direct control of application delivery and support, rather than depending on public app stores like iTunes or the Android Market. That starts with the ability to detect "jailbroken" (iOS) or "rooted" (Android) devices that could allow malware-infected mobile apps to gain access to the corporate network. Users can be limited to the internal app store, which would provide distribution with automatic update flagging and application whitelisting/blacklisting capabilities. Many of the MDM solutions have incorporated these capabilities, and there are specialist solutions like Apperian and AppCentral, and one with particularly strong security hooks from Nukona.

Getting back to Cisco and Aruba, they don't do any of that stuff, but rather build on the one area they can control, which is secure network access. Having cut their teeth on secure WLAN, 802.1X authentication and VPN technologies, the WLAN vendors do have some insight on network access.

In dealing with WLAN stations, you have essentially two distinct populations to support: company-owned employee devices and the rest of the world. While WLAN security was a disaster in the early days of WEP (Wired Equivalent Privacy), the incorporation of better encryption in the way of IEEE 802.11i's WPA and WPA2 and the adoption of 802.1X authentication allowed organizations to provide security for employees, most of whom had company-provided devices the IT department could securely lock down.

However, once the employee security issues were addressed, then came the problem of guest access. Universities faced special challenges given that the vast majority of their users were students rather than employees, and some universities chose to simply offer unprotected Wi-Fi access, while others implemented login portals that required a user name and password.

Enterprise guest solutions ran the gamut but generally relied on providing a separate wireless VLAN that was restricted to Internet access only and required a "secret" WEP or WPA key to access; that was a "secret" that just about everyone knew. Of course once someone was given the secret key, they had network access for life because it was too difficult to keep changing the key. Over the past few years, most of the WLAN vendors have introduced guest access portals that still use virtual WLANs but provide unique codes to each visitor with expirations and the ability to uniquely identify each visitor. It was those guest access portals that opened the door to BYOD secure access.
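The per-visitor guest code the paragraph describes, as an added example that is not part of the original column or any vendor's portal: each code is tied to a named visitor, carries an expiry, and is bound to the first station that redeems it, so a code cannot become a "secret for life" the way a shared WEP/WPA key did. The `GuestPortal` class, its method names and the sample visitor are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class Voucher:
    visitor: str                    # who the code was issued to (identifies the visitor)
    expires_at: datetime            # absolute expiry; nothing is valid "for life"
    used_by: Optional[str] = None   # MAC of the station that first redeemed the code


class GuestPortal:
    """Issues unique, expiring guest codes instead of one shared pre-shared key."""

    def __init__(self, default_ttl: timedelta = timedelta(hours=8)) -> None:
        self._vouchers: Dict[str, Voucher] = {}
        self._default_ttl = default_ttl

    def issue(self, visitor: str, now: datetime, ttl: Optional[timedelta] = None) -> str:
        # 9 random bytes -> 72 bits of entropy, so codes are not guessable or shared
        code = secrets.token_urlsafe(9)
        self._vouchers[code] = Voucher(visitor, now + (ttl or self._default_ttl))
        return code

    def redeem(self, code: str, station_mac: str, now: datetime) -> Tuple[bool, str]:
        """Return (granted, reason). Reason names the visitor on success."""
        # Compare against every issued code in constant time rather than a plain dict hit,
        # so a wrong code does not leak how much of it matched.
        match = next((v for k, v in self._vouchers.items()
                      if hmac.compare_digest(k, code)), None)
        if match is None:
            return False, "unknown code"
        if now >= match.expires_at:
            return False, f"code for {match.visitor} expired"
        if match.used_by is not None and match.used_by != station_mac:
            return False, f"code for {match.visitor} already bound to another station"
        match.used_by = station_mac      # bind on first use; the same station may reconnect
        return True, match.visitor
```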

Cisco uses its Identity Services Engine (ISE) to provide authentication, authorization, device profiling, certificate enrollment, and policy enforcement that identify devices and enforce defined usage profiles. The ISE can also interface with Microsoft Active Directory and RSA's SecurID time-based one-time password capability. As they are only focusing on the network access aspect of security, they can apply the same capabilities to wired, Wi-Fi, or 3G/4G connected stations. Aruba does much the same with ClearPass, which Zeus wrote about a few days back.

The advantage each of the WLAN solutions touts is the ability to easily activate or "onboard" user-owned devices with little or no IT involvement, hence their ability to invoke the "BYOD" label. However, it is critically important to recognize that these systems are not providing "mobile security," but address only one very limited part of it. If one of your users has a jailbroken device with a malware-infected app on it, these solutions will ensure it can get reliable, secure access to corporate resources.
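The gap the paragraph points at, as an added example that is not from the column or from Cisco or Aruba: an onboarding-only decision sees identity and ownership and happily places an authenticated jailbroken device on the BYOD VLAN, while a decision that also consumes MDM posture sends unknown or non-compliant devices to a quarantine VLAN. The `Station` fields, the VLAN names and both decision functions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Station:
    user: str
    authenticated: bool               # 802.1X or portal result from the NAC side
    corporate_owned: bool
    mdm_enrolled: bool                # posture only exists if an MDM client is present
    jailbroken: Optional[bool] = None         # None = unknown, no MDM client reporting
    strong_passcode: Optional[bool] = None    # None = unknown


def nac_only_decision(s: Station) -> str:
    """What an onboarding-only system can decide: identity and ownership, nothing about posture."""
    if not s.authenticated:
        return "deny"
    return "corp-vlan" if s.corporate_owned else "byod-vlan"


def nac_plus_mdm_decision(s: Station) -> str:
    """Same identity check, but MDM posture gates the result; unknown posture is not trusted."""
    if not s.authenticated:
        return "deny"
    if not s.mdm_enrolled or s.jailbroken is None or s.strong_passcode is None:
        return "quarantine-vlan"      # no client, no posture, no trust
    if s.jailbroken or not s.strong_passcode:
        return "quarantine-vlan"      # policy violation reported by the MDM agent
    return "corp-vlan" if s.corporate_owned else "byod-vlan"
```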

It’s nice to see how many vendors have learned to spell "BYOD", but users had better be able to spell "caveat emptor".