The Bring Your Own Device trend became a reality in Czech companies in 2012. Employees are bringing their own smartphones, tablets, and laptops — and IT departments must respond. How do you balance productivity with security?
What BYOD Is and Why IT Can’t Ignore It
BYOD means employees use their personal devices for work purposes. According to a 2012 Gartner survey, up to 40 percent of employees at large companies use at least one personal device to access corporate data. This trend cannot be stopped — it can only be managed.
The main drivers are clear. Employees want to work on devices they know. The iPad and iPhone have changed user expectations. A company-issued BlackBerry is no longer the only option. Android devices are affordable and their market share is growing rapidly.
For companies, this brings both benefits and risks. On one hand, lower hardware costs and higher employee satisfaction. On the other, loss of control over devices, risk of data leakage, and more complex management.
BYOD Security Risks
We’ve identified five key risks that we encounter with our clients:
- Loss or theft of a device — a smartphone with access to corporate email and documents sits in a jacket pocket. Devices get lost in taxis, restaurants, at airports.
- Unsecured Wi-Fi networks — an employee connects to public Wi-Fi at a café and accesses the intranet. A man-in-the-middle attack is trivial.
- Outdated software — corporate IT can enforce updates on managed computers. On a personal Android phone running a year-old OS version, that’s not possible.
- Malware — personal devices may not have antivirus software. Users install apps from unofficial sources.
- Shared devices — an employee lends their tablet to their children. A child accidentally deletes corporate data or sends an email.
Network Access Control as the First Line of Defense
The foundation is network segmentation. BYOD devices should never be on the same network segment as corporate servers and critical systems. We recommend implementing 802.1X authentication on all access points.
In practice, this means creating at least three network zones:
- Corporate zone — full access, managed devices with a certificate only
- BYOD zone — restricted access, email and web applications over HTTPS, no access to file servers
- Guest zone — internet only, no access to internal resources
Cisco ISE or Microsoft NPS can automatically assign the appropriate VLAN based on device certificate and health status. Devices without a certificate end up in the guest zone.
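A simplified model of the zone decision above, added here as an illustration (not code from the article, Cisco ISE or Microsoft NPS): the RADIUS server checks the device certificate and health status, picks one of the three zones, and the zone's access matrix says what the device may reach. VLAN ids, the CA name, attribute names and the sample devices are assumptions.

```python
# Added example, not code from the article, Cisco ISE or Microsoft NPS: a model
# of the 802.1X zone/VLAN decision described above (certificate + health check)
# and the three-zone access matrix. VLAN ids, CA name and devices are assumed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

CORPORATE, BYOD, GUEST = "corporate", "byod", "guest"
VLAN = {CORPORATE: 10, BYOD: 20, GUEST: 30}     # assumed VLAN ids
CORP_CA = "Example Corp Issuing CA"             # assumed corporate CA name
ALLOWED = {                                     # resources each zone may reach
    CORPORATE: {"email", "web-app", "intranet", "file-server", "internet"},
    BYOD: {"email", "web-app", "internet"},     # HTTPS apps only, no file servers
    GUEST: {"internet"},
}

@dataclass
class Device:
    name: str
    cert_issuer: Optional[str]     # None: no certificate presented
    cert_expires: Optional[date]
    mdm_managed: bool              # enrolled in corporate MDM
    healthy: bool                  # posture: patched OS, encrypted, PIN set

def assign_zone(dev: Device, today: date) -> str:
    """Zone (hence VLAN) the RADIUS server tells the switch to use for dev."""
    valid_cert = (dev.cert_issuer == CORP_CA and dev.cert_expires is not None
                  and dev.cert_expires >= today)
    if not valid_cert:
        return GUEST               # no usable corporate certificate
    if dev.mdm_managed and dev.healthy:
        return CORPORATE           # certificate + managed + compliant
    return BYOD                    # certificate, but personal or non-compliant

def access_allowed(zone: str, resource: str) -> bool:
    return resource in ALLOWED[zone]

def zone_report(today: date = date(2012, 10, 1)) -> Dict[str, Tuple[str, int]]:
    """Classify constructed sample devices: {name: (zone, vlan)}."""
    samples = [
        Device("managed-laptop", CORP_CA, date(2013, 6, 30), True, True),
        Device("personal-ipad", CORP_CA, date(2013, 6, 30), False, True),
        Device("unpatched-laptop", CORP_CA, date(2013, 6, 30), True, False),
        Device("expired-cert-phone", CORP_CA, date(2012, 1, 1), True, True),
        Device("visitor-phone", None, None, False, False),
    ]
    return {d.name: (assign_zone(d, today), VLAN[assign_zone(d, today)]) for d in samples}

if __name__ == "__main__":
    for name, (zone, vlan) in zone_report().items():
        print(f"{name:20} -> {zone:9} VLAN {vlan}")
```

Note that a managed device with a valid certificate but a failed health check lands in the BYOD zone rather than the corporate one, which is the quarantine behaviour you want from the posture check.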
Mobile Device Management
MDM solutions such as MobileIron, AirWatch, or Good Technology allow corporate IT to manage personal devices — but only to the extent the employee agrees to.
Key MDM capabilities for BYOD:
- Remote wipe — remotely erase corporate data when a device is lost (not the entire device, only the corporate container)
- Password enforcement — the device must have a PIN or password of a certain complexity
- Encryption — enforcing storage encryption
- App blacklisting — blocking dangerous applications
- Containerization — corporate data and apps are in a separate container that is encrypted and managed independently
Containerization is critical for BYOD. The employee retains full control over the personal portion of the device. The company has control over corporate data. When an employee leaves, only the corporate container is wiped.
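To make the "wipe only the corporate container" point concrete, here is an added model (not the article's code and not any MDM vendor's implementation) of two containers on one device, each with its own key; the remote wipe is a crypto-erase of the corporate key only. The SHA-256 keystream cipher is a constructed stand-in for the platform's real storage encryption, and all data values are constructed.

```python
# Added example, not code from the article or any MDM product: a model of
# containerization with selective remote wipe. Each container has its own key;
# wiping the corporate one destroys only that key (crypto-erase), leaving personal
# data intact. The SHA-256 keystream is a constructed stand-in for AES storage encryption.
import hashlib
import os
from typing import Dict, Optional

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):       # one SHA-256 block per 32 bytes
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class Container:
    def __init__(self, name: str) -> None:
        self.name = name
        self.key: Optional[bytes] = os.urandom(32)    # per-container key
        self.items: Dict[str, bytes] = {}             # label -> nonce||ciphertext

    def store(self, label: str, plaintext: bytes) -> None:
        assert self.key is not None, f"{self.name} container has been wiped"
        nonce = os.urandom(12)
        self.items[label] = nonce + _xor_stream(self.key, nonce, plaintext)

    def read(self, label: str) -> bytes:
        if self.key is None:                  # crypto-erased: nothing readable
            raise PermissionError(f"{self.name} container has been wiped")
        blob = self.items[label]
        return _xor_stream(self.key, blob[:12], blob[12:])

    def crypto_erase(self) -> None:
        self.key = None                       # ciphertext may linger, key is gone

def readable(c: Container, label: str) -> bool:
    try:
        c.read(label)
        return True
    except (PermissionError, KeyError):
        return False

def lost_device_scenario() -> Dict[str, bool]:
    """Phone reported lost: MDM wipes the corporate container, not the phone."""
    personal, corporate = Container("personal"), Container("corporate")
    personal.store("photos", b"family holiday 2012")       # constructed data
    corporate.store("contract.docx", b"confidential draft")
    corporate.crypto_erase()                               # the remote wipe
    return {"personal": readable(personal, "photos"),
            "corporate": readable(corporate, "contract.docx")}
```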
VPN and Encrypted Communications
Every access from a BYOD device to corporate resources should go through a VPN tunnel. Per-app VPN is the ideal solution — VPN activates only for corporate apps while personal traffic goes directly.
For email, we recommend ActiveSync with forced SSL and policies that require a PIN on the device. Exchange 2010 SP2 already supports granular ActiveSync policies, including restrictions to specific devices.
Legal and Compliance Aspects
BYOD also raises legal questions. The company must have a clear BYOD policy that employees sign. The policy should cover:
- What data may be stored on a personal device
- What happens when a device is lost (remote wipe)
- Who pays for the data plan and device repairs
- What happens to corporate data when an employee leaves
- Monitoring — what the company can and cannot track on a personal device
In the Czech legal environment, it’s important to respect the Personal Data Protection Act. A company may not monitor an employee’s personal activities on their own device. That’s precisely why containerization is so important — the company manages only its own container.
Our Implementation Experiences
In recent months we’ve implemented BYOD solutions for three mid-sized Czech companies. The most common mistakes we encountered:
Direct access to file servers. Clients wanted to map network drives on tablets. That’s a security nightmare. The solution is a web portal for document access with authentication and an audit log.
A single policy for all devices. A manager’s iPad and a part-timer’s Android phone are exposed to the same threats, but they warrant different levels of protection. Policies must be tiered by role and device type.
No monitoring. Without access logging, it is impossible to detect a compromised device. At a minimum, logins and access to sensitive data must be logged.
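As an added illustration of what that minimum log buys you (this is not the article's code or any product's): a few detection checks run over constructed login, access and MDM events. The log format, device ids, user names and events are all made up for the example; in practice the input comes from the RADIUS, MDM and application logs of whatever products are deployed.

```python
# Added example, not from the article: detection logic over the minimum log the
# article calls for (logins plus access to sensitive data). Format, device ids,
# users and events are constructed; real input would come from RADIUS/MDM/app logs.
from collections import defaultdict
from typing import Dict, List

SENSITIVE = {"file-server", "hr-payroll"}      # assumed sensitive resources

SAMPLE_LOG = """\
2012-10-01T08:02:11 login device=ipad-7f3a user=novak zone=byod result=ok
2012-10-01T08:05:40 access device=ipad-7f3a user=novak resource=file-server result=denied
2012-10-01T08:05:52 access device=ipad-7f3a user=novak resource=file-server result=denied
2012-10-01T08:06:03 access device=ipad-7f3a user=novak resource=file-server result=denied
2012-10-01T09:00:00 mdm device=ipad-7f3a event=reported_lost
2012-10-01T09:12:05 login device=ipad-7f3a user=novak zone=byod result=ok
2012-10-01T09:13:00 access device=ipad-7f3a user=novak resource=hr-payroll result=ok
2012-10-01T09:20:00 login device=laptop-21 user=svoboda zone=corporate result=ok
2012-10-01T09:21:00 access device=laptop-21 user=svoboda resource=hr-payroll result=ok
"""

def parse(line: str) -> Dict[str, str]:
    ts, kind, *fields = line.split()
    event = {"ts": ts, "kind": kind}
    event.update(f.split("=", 1) for f in fields)
    return event

def detect(log: str, denied_threshold: int = 3) -> List[str]:
    """Three checks: activity after a device is reported lost, repeated denials
    from one device, and sensitive-data access from a non-corporate zone."""
    alerts: List[str] = []
    lost, zone = set(), {}                     # state per device
    denied: Dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        ev = parse(line)
        dev = ev["device"]
        if ev["kind"] == "mdm" and ev.get("event") == "reported_lost":
            lost.add(dev)                      # device should now be wiped/blocked
            continue
        if dev in lost:                        # wipe or block did not take effect
            alerts.append(f"{ev['ts']} {dev}: {ev['kind']} after reported lost")
        if ev["kind"] == "login":
            zone[dev] = ev["zone"]
        elif ev["kind"] == "access":
            if ev["result"] == "denied":
                denied[dev] += 1               # probing, or a broken policy
                if denied[dev] == denied_threshold:
                    alerts.append(f"{ev['ts']} {dev}: {denied_threshold} denied accesses to {ev['resource']}")
            elif ev["resource"] in SENSITIVE and zone.get(dev) != "corporate":
                alerts.append(f"{ev['ts']} {dev}: sensitive {ev['resource']} from zone {zone.get(dev)}")
    return alerts
```

Run `detect(SAMPLE_LOG)` to see the four alerts the sample produces; the corporate laptop's access to the same sensitive resource raises none.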
Summary
BYOD is not a matter of if, but when and how. Companies that ignore it take on more risk than those that actively manage it. The key pillars are network segmentation, MDM with containerization, VPN, and a clear policy. Investment in BYOD security pays off in the form of satisfied employees and controlled risk.