Is Your BYOD Policy Out-of-Date?
Mon, May 14, 2012
Network World — As consumerization continues to spread throughout the enterprise, IT decision makers must remain on their toes, tracking and anticipating end user behavior and deploying technology to protect against productivity losses and data breaches, one researcher says.
Mike Geide, senior researcher at Zscaler ThreatlabZ, points to his firm's latest report on web transactions in the enterprise as a sign that fluctuating consumerization trends will force IT decision makers to evaluate their policies on a regular basis.
"In terms of engaging the CEO or COO of an organization, just say 'let's review our policies, find out what's working and maybe adjust it,'" Geide says. "On a quarterly basis, it's probably a good idea. Certainly twice a year makes sense, especially how fast things are evolving, but I think quarterly is probably a good recommendation for organizations."
A good example came this past March, when the NCAA men's college basketball tournament's online presence posed a threat to network bandwidth. A joint effort between Turner Sports, CBS Sports and the NCAA brought the NCAA March Madness Live online streaming service to Android devices for the first time, thus establishing a connection with the country's largest smartphone population. With the first three rounds of play largely scheduled during work hours on weekdays, sports fans across the country kept up with the action online, at the expense of company bandwidth.
Zscaler's research on the more than 200 billion web transactions in its cloud showed that sports-related traffic in the enterprise was 74% higher at the start of March Madness than it was around the time of the Super Bowl in February. Traffic to gambling sites also jumped to its highest point around the time the tournament tipped off.
This trend is one that many in the enterprise had anticipated, as the research saw policies blocking streaming media in the workplace grow from 0.38% in January to 0.46% in March. However, increasingly tech-savvy end users are forcing enterprise decision makers to be even more vigilant when crafting their policies, Geide says.
"Users do regularly try to bypass security policies and that's something that organizations need to be cognizant about," Geide says. "It's not only good to go ahead and set a policy for their organizations, but you have to enforce policy, and that means more than just a firewall. The technology that's behind the enforcement has to be aware of the ways around that users are going to attempt to bypass security controls."
The use of anonymous proxy servers to access unauthorized web content is not uncommon in the workplace, Geide says. If employees can find a way to access these websites, productivity takes a backseat to network security concerns, he adds.
"If you're allowed to goof off at work and maybe start visiting other sites, like pornographic sites, gambling sites, or shopping sites, you're also opening yourself up to potential security threats as well, because maybe those sites are more apt to be compromised and end up exposing security threats that way," Geide says.
The realization that more end users are learning how to browse anonymously has made the option to block access to proxy servers a common policy decision, Geide says.
Compounding security and bandwidth threats to the network is the continued growth in devices used by employees. Smartphone penetration continues to reach new heights, following 42.5% year-over-year growth in the first quarter of this year, according to IDC. All the while, the freedom of the bring-your-own-device mobility policy has introduced a larger, more diverse base of devices to the network. A survey released in April by the SANS Institute found 61% of more than 500 participating companies allow BYOD.
Devices running Apple's iOS operating system, whose App Store is the world's largest and is replete with consumer media and entertainment toys, grew steadily over the first quarter in terms of activity in Zscaler's cloud. Google's Android, although it experienced a decline, still accounted for 37% of mobile transactions in March. Meanwhile, BlackBerry devices, which the SANS survey found to be the most supported platform in the workplace, dropped to just 15% of all activity on Zscaler's cloud.
To keep end users' bandwidth-consuming entertainment apps from dragging down performance across the company, Geide says many companies have taken to installing separate, guest WiFi networks solely for that purpose. Employees who would normally have attempted to connect to the corporate network will be willing to revert to the guest network if it means their Pandora app will stream at higher performance, he adds.
That solution, however, does not address the security issues presented by rogue apps running on end-user devices. The need for such capabilities as remote wipe and data backup and restore has made mobile device management (MDM) a household term, Geide says.
However, although acronyms like BYOD and MDM are found in news headlines on a daily basis, they have yet to make their way into many enterprise management policies. Just 9% of respondents to the SANS survey were "completely" aware of all devices accessing their infrastructure and applications. Meanwhile, 26% say they "sort of" have a management policy for consumer devices, and another 31% didn't have one at all.
Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World. Follow him on Twitter (https://twitter.com/#!/ntwrkwrldneagle) and keep up with the Microsoft (https://twitter.com/#!/microsoftsubnet), Cisco (https://twitter.com/#!/ciscosubnet) and Open Source community blogs. Colin's email address is firstname.lastname@example.org.