Managing BYOD's second act
- By Paul Parker
- Nov 13, 2018
All of us remember a time, not too long ago, when government agencies were wrestling with a phenomenon cheekily called “bring your own device,” or BYOD. Many articles and much angst was generated by this phenomenon, which indicated mobile phones, tablets, laptops and other devices were flooding into agencies. Security red flags were raised, network congestion was predicted and many saw the situation as an Armageddon of devices.
Thankfully, agencies have successfully gotten their arms around the number of devices using their networks, device security is a non-issue and everyone’s resting easy.
Not quite. If anything, the mobile device challenge has gotten even more complex. Right now, more devices are being introduced every day, and mobile computing is an increasingly critical part of everyone’s lives.
Welcome to BYOD’s second act, which may be even bigger than the first.
The numbers from the Department of Homeland Security tell the tale. According to DHS, its employees currently are using 90,000 devices. Thirty-eight percent of those employees are using government-issued devices, while the rest rely on their personal iPhone or Android mobile devices.
Although policies and guidance attempt to ensure mobile device security, yet initiatives like the DHS’s Mobile Device Security project and the Committee on National Security Systems’ CNSS Policy No. 11 go only so far. The DHS program is specifically designed for that agency, and does not address mobile security in other agencies. Meanwhile, CNSS Policy No. 11 requires the use of either Common Criteria or Commercial Solutions for Classified certified solutions, which can be tough to achieve. Even if it were easy, employees do not necessarily want to carry highly encrypted or modified devices. Like everyone else, they are accustomed to their phones being easy to use, not a burden.
While programs like these are absolutely necessary, and must be encouraged and followed, all agencies should consider augmenting their mobile device security efforts with a few additional strategies. Layering these strategies on top of the aforementioned foundational programs can provide the necessary extra level of security to ease management of networks that continue to be besieged by mobile devices.
Let employees keep their devices. As the DHS data indicates, employees will inevitably use their personal devices over government networks, and that’s not necessarily a bad thing. Workers who use their personal iPhone at work are, most likely, happier and more productive. The trick is to make those devices secure, while letting employees continue to use them with minimal inconvenience.
Keep tabs on those devices. Agencies must balance the reality of personal device use with security measures that allow administrators to easily manage and secure those devices, preferably from a central location. Administrators should be able to remotely wipe, lock, set passwords on devices and implement mobile device tracking that uses GPS to find lost and stolen devices. If possible, administrators should also keep track of devices registered to different employees and their associated handset details.
Go beyond the devices into the network itself. Once the plan for device security is put in place, administrators should turn their attention to their networks. Automated threat monitoring solutions that employ constantly updated threat intelligence and continuously scan for potential anomalies are good places to start. Agency teams should consider complementing this tactic with user device tracking to quickly identify and locate unauthorized devices. Monitoring and capturing network logins and other events can also help detect questionable network activity and prevent unwanted intrusions.
Get a handle on bandwidth. Beyond security, device management also involves managing the impact that devices can have on the network. Mobile devices used for bandwidth-hogging applications, such as video, can significantly slow down the network. Multiply this by tens of thousands of devices, and one can see why bandwidth management is so important. Agency administrators should consider implementing network bandwidth analysis solutions that allow them to identify which applications and endpoints are consuming the most bandwidth. Through device tracking, they can also track excessive bandwidth usage back to a particular user and mobile device.
Although most of the focus on BYOD has been on security, mobile device management really must be a two-pronged approach. Security is and will always be important, but the ability to ensure that networks continue to operate efficiently and effectively in the midst of a device onslaught is also critical.
It’s also something that many agencies are still grappling with, nearly 10 years after BYOD was first introduced. We’ve come a long way since then, as the programs initiated by the DHS and other agencies show. Yet, we still have far to go.
Paul Parker is chief technologist – Federal and National Government, SolarWinds.