World of BYOD
Bring your own device (BYOD) initiatives let employees bring their personal devices to work and give those devices corporate access to services such as email. We recently ran an audit for a customer using our ability to integrate with security information and event management (SIEM) systems. The audit provided visibility into their ActiveSync traffic and found devices belonging to executives that were not under IT management. Here’s a snapshot of their BYO devices.
There are several reasons to enable such access, for example to boost employee productivity or for the convenience of reading email from any device. Having said that, as Uncle Ben puts it, “with great power comes great responsibility”, and from a security point of view that responsibility falls on the IT administrator. It is IT’s job to make sure corporate data is not compromised or leaked in the following scenarios:
- What happens when this personal device is lost or stolen?
- What happens if this device is jailbroken or rooted?
- What happens if this device ends up outside an approved geofence, for example outside of the US?
- What happens if the user inadvertently installs an application that has access to the entire device memory, and therefore unauthorized access to corporate data?
End User’s perspective on Enterprise Mobility
End users want access to corporate services such as email and the intranet, the ability to share and collaborate on documents, and also the use of third-party applications such as Evernote, Quickoffice or GoodReader. With mobile solutions such as XenMobile MDM, CloudGateway, ShareFile and GoToAssist, Citrix provides ubiquity, i.e. ‘access any app from any device’, together with a unified view of applications through an enterprise app store and of documents through ShareFile. Since the user is accessing multiple applications, the end-user experience is a key component of any mobility solution: for example, authentication should be bootstrapped once and single sign-on (SSO) provided to the other applications.
Enterprise IT perspective on BYOD
As IT provides access to corporate services, the main concern is data loss prevention (DLP) and protecting corporate content on the mobile device. This means encrypting application data at rest, as well as documents hosted on SharePoint, network file shares or cloud storage. From a DLP perspective, for security-conscious organizations, the mobile solutions bundle, which includes XenMobile MDM and CloudGateway, can provide a secure email solution that prevents sensitive data from leaving the control of the enterprise. For example, it prevents users from uploading email attachments to an unsecured cloud storage account.
Regulated Environments and BYOD
Our financial and federal customers do not want to expose the ActiveSync service to the DMZ. In this scenario, CloudGateway is able to provide a sandboxed environment for corporate email and intranet access via the @WorkMail and @WorkWeb applications. These applications are sandboxed and tamper-proof, and they protect corporate data on the device. This approach separates corporate and personal data on the device while respecting the end user’s privacy.
Cisco ISE and XenMobile MDM
Citrix XenMobile MDM integration with Cisco ISE gives IT administrators a view of unmanaged and non-compliant devices from the ISE management console, and also provides the ability to selectively allow, deny or quarantine access to corporate services. For example, if a device is rooted or is not managed by XenMobile MDM, Cisco ISE can deny it access to the intranet while still allowing Internet access.
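The posture-based decisions described above, written out as an added example (not Citrix or Cisco code): a small policy evaluator that takes the device attributes an MDM would report and returns an allow/deny/quarantine decision per resource, plus the non-compliant-device view an administrator would review. The attribute names, rule order and sample fleet are assumptions modelled on the scenarios in this post.

```python
from dataclasses import dataclass

ALLOW, DENY, QUARANTINE = "allow", "deny", "quarantine"
APPROVED_COUNTRIES = frozenset({"US"})   # assumed geofence for the example


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM would report; an unenrolled BYO device only has an id."""
    device_id: str
    managed: bool = False            # enrolled in MDM
    rooted: bool = False             # rooted / jailbroken per the MDM agent
    reported_lost: bool = False
    country: str = "US"              # last reported location
    unauthorized_apps: tuple = ()    # apps with device-wide data access


def evaluate(p: DevicePosture, resource: str) -> tuple:
    """Decide one resource ('intranet' or 'internet'); first matching rule wins, most severe first."""
    if p.reported_lost:
        return DENY, "device reported lost or stolen"
    if resource == "internet":
        return ALLOW, "internet permitted regardless of posture"   # as in the ISE example above
    if not p.managed:
        return DENY, "not managed by MDM"
    if p.rooted:
        return DENY, "device is rooted or jailbroken"
    if p.country not in APPROVED_COUNTRIES:
        return QUARANTINE, f"outside approved geofence ({p.country})"
    if p.unauthorized_apps:
        return QUARANTINE, "unauthorized app present: " + ", ".join(p.unauthorized_apps)
    return ALLOW, "managed and compliant"


def noncompliant_report(devices) -> dict:
    """Console-style view: device id -> (decision, reason) for every device not allowed on the intranet."""
    report = {}
    for d in devices:
        decision, reason = evaluate(d, "intranet")
        if decision != ALLOW:
            report[d.device_id] = (decision, reason)
    return report


# Constructed sample fleet (not real audit data).
SAMPLE = [
    DevicePosture("exec-ipad"),                                   # unmanaged BYO device
    DevicePosture("sales-android", managed=True, rooted=True),
    DevicePosture("cfo-iphone", managed=True, country="DE"),
    DevicePosture("hr-iphone", managed=True, unauthorized_apps=("file-grabber",)),
    DevicePosture("lost-phone", managed=True, reported_lost=True),
    DevicePosture("ok-phone", managed=True),
]

if __name__ == "__main__":
    for dev_id, (decision, reason) in noncompliant_report(SAMPLE).items():
        print(f"{dev_id:14} {decision:10} {reason}")
```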
For example, the architecture with Cisco ISE and Citrix XenMobile MDM is shown below: