What are some of the key security concerns that CIOs
need to address with the development of BYOD environments in
enterprises?
Consumerization of IT provides many opportunities, but it also
creates some security challenges. Many of these challenges are
rooted in the fact that the mobility of these devices introduces
security management issues around access control, data protection
and compliance, as well as the fact that employee-owned devices
used for work introduce added IT complexity -- it's not
always clear who owns the device, and furthermore, who owns
what data on the device.
One of the key considerations for CIOs in a BYOD environment is
the fact that mobile devices require scalable solutions that help
IT secure and manage the entire device and the data. IT needs a
centralized way to enable easy, self-service provisioning to
include access mechanisms like VPN and Wi-Fi, to set and enforce
policies independent of the ever-growing endpoint types, and to do
so in a way that is persistent and can’t be undone by users
through careless or intentional acts.
Also, in the case of lost/stolen devices or if an employee
leaves the organization, IT needs to be able to perform full or
partial data wipes. Partial wipes are critical for employee-owned
devices where only corporate data should be removed, thus
preserving photos, music, applications, and other non-corporate
resources. Remotely tracking the phone’s location, locking
it, and performing backups and restoration are also important
mobile device security capabilities.
What kind of overhaul does the security and compliance
strategy of an enterprise call for, so as to enable the BYOD concept
in a secure manner?
There is no denying that the pre-existing security policies and
processes would need to undergo an overhaul in a consumerized IT
environment. Every organization will need to do a risk
assessment to look at the technology that will be supported and its
inherent risks, how users will access corporate resources and
ultimately corporate data and how to manage data on lost devices or
on the devices of users leaving the organization.
Legacy security policies and processes certainly need to be
pulled out and reviewed, as the important point to note is that
consumer devices are already accessing data on nearly all networks
and have been doing so for some time. Examples include
users' e-mail sent from a corporate account to a POP e-mail
address being downloaded onto a personal device, or the standard
scenario of the executive management team adding their new
iPad/tablet-type devices and the IT team supporting this handful of
units.
Additionally, compliance policies and controls, which have been
developed to manage traditional endpoint systems, need to be
enhanced to accommodate and support the new endpoint, which
includes all mobile technology (smartphones through to tablet
devices), as well as corporate-deployed devices and devices brought
in from home. Visibility is required to know what connects to your
network, whether these devices are compliant, and how to ensure that they
are as safe as the rest of the corporate infrastructure.
How should organizations address the security risks
arising from the BYOD phenomenon?
Following are examples of the processes and technologies that
organizations can adopt in a consumerized IT environment:
- Implement accountability by associating devices with users and,
as such, with their permissions and roles
- An agent-less vulnerability management solution to provide 24/7
visibility on every device that is trying to connect to the network
and validate the compliance and risk that the device may bring to
the network
- A firewall and network IPS to control traffic to and from key
assets, as well as provide protection for and from devices that
cannot install host-based solutions
- Network access control (NAC) to ensure employee-owned devices
have security tools installed or are otherwise compliant with IT
standards prior to accessing the network. NAC can control guest
devices and other unmanaged endpoints and can ensure that they have
limited ability to access resources or infect the network
- VPNs for securing connections to corporate networks
- End-point security with a centralized management console to
ease the effort required by security administrators and to enable
them to easily manage all endpoints in the system; this includes
extending anti-malware solutions to smartphone and tablet
devices
- Implementing encryption for information at rest and in
motion
- Remote locate, lock and wipe technology to be enforced on
mobile devices to protect data in case the device is lost or
stolen
- Considering virtualized desktops (VDI), where employees can
access company applications and data on personal devices but the
application infrastructure and data remains on corporate servers
behind the firewall
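The list above names the controls but not how they fit together. The following is an added example, not from the article or any product it mentions, showing how a NAC-style posture check can tie the first four ideas together: each device is associated with a user and a role (accountability), compliance findings are computed from the device's state (visibility), the network access tier follows from those findings, and the wipe scope for a lost device or departing employee depends on whether the device is corporate-owned or employee-owned. All device records, thresholds and resource sets are constructed for illustration.

```python
"""NAC-style compliance evaluation for BYOD and corporate endpoints.

Added example; the Device records, policy thresholds and role-to-resource
mapping below are constructed, not taken from any real product or policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Access(Enum):
    FULL = "full"        # corporate network, all role-permitted resources
    LIMITED = "limited"  # remediation network: patching / MDM enrolment only
    BLOCKED = "blocked"  # no network access


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str                # user the device is associated with (accountability)
    role: str                 # owner's role, drives which resources are reachable
    corporate_owned: bool     # False means employee-owned (BYOD)
    os_version: Tuple[int, int]
    encrypted: bool           # storage encryption enabled
    mdm_enrolled: bool        # centrally managed: policy enforcement, remote wipe
    jailbroken: bool
    antimalware_age_days: Optional[int]  # None means no anti-malware present


# Constructed policy thresholds; in practice these come from a vulnerability feed.
MIN_OS_VERSION = (15, 0)
MAX_SIGNATURE_AGE_DAYS = 7

# Constructed role-based resource sets.
ROLE_RESOURCES = {
    "engineer": {"mail", "wiki", "source-control"},
    "finance": {"mail", "erp"},
    "guest": set(),
}


def compliance_findings(dev: Device) -> List[str]:
    """Return the policy violations for a device; an empty list means compliant."""
    findings = []
    if dev.jailbroken:
        findings.append("jailbroken/rooted")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if not dev.mdm_enrolled:
        findings.append("not enrolled in MDM")
    if dev.os_version < MIN_OS_VERSION:
        findings.append("os below minimum version")
    if dev.antimalware_age_days is None:
        findings.append("no anti-malware")
    elif dev.antimalware_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("anti-malware signatures stale")
    return findings


def access_decision(dev: Device) -> Access:
    """NAC posture: block devices whose integrity cannot be trusted,
    send other non-compliant devices to the remediation network."""
    findings = compliance_findings(dev)
    if "jailbroken/rooted" in findings:
        return Access.BLOCKED
    if findings:
        return Access.LIMITED
    return Access.FULL


def permitted_resources(dev: Device) -> Set[str]:
    """Reachable resources = the owner's role permissions, gated by device posture."""
    if access_decision(dev) is not Access.FULL:
        return set()
    return set(ROLE_RESOURCES.get(dev.role, set()))


def wipe_scope(dev: Device) -> Set[str]:
    """Lost/stolen device or departing employee: full wipe for corporate-owned
    devices, selective wipe (corporate containers only) for employee-owned ones."""
    corporate = {"corporate-mail", "corporate-apps", "vpn-profile", "wifi-profile"}
    personal = {"photos", "music", "personal-apps"}
    return corporate | personal if dev.corporate_owned else corporate


# Constructed sample inventory: a compliant BYOD device, a non-compliant BYOD
# device, and a corporate device that has been jailbroken.
SAMPLE_DEVICES = [
    Device("byod-001", "alice", "engineer", False, (16, 2), True, True, False, 2),
    Device("byod-002", "bob", "finance", False, (14, 8), False, False, False, None),
    Device("corp-001", "carol", "finance", True, (16, 0), True, True, True, 1),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, dev.owner, access_decision(dev).value,
              sorted(permitted_resources(dev)), compliance_findings(dev))
```

The ordering of the decisions is the point worth noticing: a jailbroken device is blocked outright because none of its other attributes can be trusted, whereas a merely unenrolled or unencrypted device gets a remediation network where it can fix its findings, and role permissions only ever apply once the device posture is acceptable. The selective wipe keeps the article's distinction between corporate and personal data explicit in code rather than leaving it to the operator.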
About the Author
Amrita Premrajan is an IT journalist based in New Delhi with over two years experience in reporting on enterprise technology and interacting with CIOs and technology professionals. Currently, she is Senior Correspondent at InformationWeek India. She has a Masters Degree in Journalism and Mass Communication from Guru Nanak Dev University, Amritsar.