As a 15-year security veteran, Scott Crawford witnessed the remote access security panic CIOs experienced when Wi-Fi came onto the scene. The same is happening in the bring-your-own-device (BYOD) era. Crawford, a research director at Enterprise Management Associates Inc. in Boulder, Colo., recently explained to SearchCIO.com why some tried-and-true security measures remain relevant, and why mobile devices have led to newer network access security measures.
SearchCIO.com: How can CIOs maintain control over network remote access security in a BYOD era?
Crawford: We've kind of been down this road before in the enterprise. When Wi-Fi was starting to be a big issue, access was coming in on consumer devices and becoming a standard part of laptops. It wasn't too hard to set up consumer gear that would give you wireless access to a wired network, and everyone was tearing their hair out, saying, "This is the end of the world for control over our network."
But we got to a point where we reached some dynamic equilibrium around this notion of control. To some extent, I expect the BYOD trend is going to be somewhat like that in the enterprise.
But there are some very distinct differences. The real issue, in a lot of cases, is this tremendous influx of very consumer-oriented devices. They're being provided by vendors who have not historically shown all that much interest in enterprise manageability for those devices. At the same time, a lot of the [consumer devices] adhere to a very different security model from authorized traditional enterprise endpoints, so things like sandboxing are a native aspect of applications for a lot of these [mobile] platforms. They incorporate this notion of application prominence through application distribution channels like app stores. There are some things that we never had on traditional endpoints that we have in this mobile world, so in some respects there are some advantages to these [consumer devices].
What remote access security policies and technologies for the corporate network can CIOs put in place for mobile devices, while still giving users flexibility?
There are remote access control technologies that can give organizations a lot more granular insight into the context of access, which can be really valuable. You may be able to display this data remotely via Web applications, but you don't want to send the data itself down to the endpoint in the form of content, like a spreadsheet or a document. So, there are technologies that enable you to determine the context of access: Where is this device connecting from? What kind of device is it, and what kind of control do I have over this device? If it's wholly owned by the consumer, the business may not want to get into the business of managing that mobile device, but they may be interested in containers for the application that isolate that application from other activity on that endpoint.
Another approach is not sending the data down at all. You may want to use endpoint virtualization to do the execute and even the display of the data in the data center, and what is sent down to the user is a representation, not the actual content itself. There are techniques that can determine the context of access -- the type of device, where it's accessing from, who the user is, [whether it's] legitimate access to this data or application -- and use those techniques to begin to build a policy around what is and what is not appropriate for these devices, which are usually not managed, period.
Should enterprises build a separate wireless network for mobile device access?
More about mobile device management
It depends on what's the need for protection and policy and control. Do you have compliance concerns that you have to meet, such as PCI, that would have some specific requirements? Is there a technique that would take certain aspects of the environment out of scope for the requirements of PCI? These are the things you have to consider before you consider what architectural solution would be best for you. The advantage of a segmented network is that you can isolate that activity on the network and provide a point of control at any point where that network connects with other networks, which in turn connects to sensitive resource that might be a target.
Let us know what you think about the story; email Christina Torode, News Director.