We brought our devices, now what?
Bring Your Own Device (BYoD) is a way of life now - are we doing it right?
In 2015, ACCA asked me to write an article explaining the then relatively new concept of "BYoX", or "BYoD" as we seem to have settled on calling it. Much of the advice in that article is still valid today; however, after seven years of working out what this could and should look like in business, we have collectively come a long way.
The previous article addressed the primary driver behind BYoD and the changes in mindset, technology and governance needed to do it properly. Many of the concepts proposed then are now collectively grouped and understood as "Zero Trust" principles: a way of rethinking the technology landscape to suit modern, flexible working, where data lives in multiple clouds and SaaS services and is accessed from devices the business does not own. The remainder of that article centred on approaches to managing BYoD. While these have not substantially changed, the tooling behind them has evolved to deliver far greater value.
Let's start with a technical concept... MAM vs MDM. Both aim at the same goal, protecting company data on a mobile device, but go about it in very different ways. MAM, or Mobile Application Management, secures the specific applications on a device that have access to company data, and nothing else. The example most people encounter is email: the Outlook app for work email, protected by an app-level PIN and prevented from copying data into unmanaged apps, is MAM in action.
MDM, or Mobile Device Management, secures the device and everything on it, regardless of what data any given app is trying to access. The device is enrolled into and fully managed by the MDM platform, and the applications, features and functions on it can be centrally configured, restricted and audited. This is the usual arrangement for a "company phone", where you are issued a mobile asset as part of your overall technology pack and would not normally use it for personal purposes.
Why two models? The most prominent distinction is that with MAM only the applications used to access company data are controlled; every other aspect of the device remains entirely under the control of its owner. MAM can protect the app up to a point and selectively wipe the associated company data if the device is lost or stolen, but it provides no visibility of the endpoint as a whole or how it is used. Handy for the privacy-conscious amongst us.
So why don't we just use MAM, then? MAM is not without its shortfalls. The very property that gives privacy-conscious users comfort means that, with MAM alone, we realistically cannot tell whether the endpoint itself is compromised. This distinction was enough for the National Cyber Security Centre to revise its Cyber Essentials guidance such that MAM alone is no longer enough to assure the security of a device with access to company data. To protect against many common threats, any device used to access company data should be verified as free from malware, patched to the latest version with all security fixes applied, encrypted to prevent data loss, and protected by robust device-level and user-level authentication. MAM alone cannot verify any of that, which rules it out on its own.
So, MDM it is, then? Yes, and no. MDM covers the whole device, so you can mandate all of the NCSC requirements above easily, centrally and, arguably, without inconveniencing the end users... But you can now see every app on the device and data about how it is used. How much, and what, depends on which MDM product you use, but when a privacy-conscious user is presented with the "we can do/see X, click accept to continue" prompt, they are no longer interested in receiving that urgent work email on their own device in their own time. It is unrealistic to expect a personal device to submit to complete corporate control via MDM, so you need both: MAM for BYoD and MDM for corporate assets.
The reality of the current threat landscape is that mobile assets are very much a target, and no, just because your iPhone doesn't "get viruses" does not mean it has no vulnerabilities or exploits, so it needs to be secured just like a PC. It's still a computer, after all. Because of this, we need another tool, specifically something that can bridge the gap between MAM and the security requirements that the NCSC considers to be the basics that need to be covered. In my personal experience, I have found Microsoft's Conditional Access technology (part of Azure AD) a valuable tool for ensuring that the endpoint is at a suitable level before it is allowed to access company data via a MAM policy. This assumes you are in the Microsoft cloud ecosystem, but most companies are these days. If you are not, any technology that can first profile the end-user device against a security baseline and then grant or deny access to the data based on the result will do the same job.
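The pattern described above, profile the device against a baseline and then decide on access, can be shown concretely. The following is an added example written for this page, not code from the original article or from Microsoft. The policy body uses the real Microsoft Graph Conditional Access schema (the `grantControls.builtInControls` values `compliantDevice` and `compliantApplication` are the "Require device to be marked as compliant" and "Require app protection policy" controls). The policy name, the minimum OS versions, the posture fields and the sample sign-ins are assumptions constructed for the example; the decision function is a simplified model of how Azure AD combines grant controls, not Microsoft's implementation.

```python
"""Added example: a Conditional Access policy requiring an MDM-compliant device
OR a MAM-protected app, plus a small evaluator for the device baseline.
Not from the original article; names and thresholds are assumed."""
from dataclasses import dataclass
from typing import Optional

# Policy body in Microsoft Graph Conditional Access schema. "Office365" is the
# Graph alias for the Office 365 first-party app group; the displayName and the
# report-only state are choices made for this example.
CA_POLICY = {
    "displayName": "BYoD-Require-Compliant-Device-Or-Protected-App",  # assumed
    "state": "enabledForReportingButNotEnforced",  # report-only, then "enabled"
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["iOS", "android"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["compliantDevice", "compliantApplication"],
    },
}

# Assumed baseline: minimum patched OS version per platform (not NCSC numbers).
MIN_OS = {"iOS": (16, 0), "android": (12, 0)}


@dataclass
class Posture:
    """Signals an MDM such as Intune can report for an enrolled device."""
    platform: str
    os_version: tuple
    encrypted: bool
    passcode_set: bool
    jailbroken_or_rooted: bool
    threat_level: str  # "secured", "low", "medium", "high" from threat defence


def is_compliant(p: Posture) -> bool:
    """The baseline from the text: malware-free, patched, encrypted, and
    device-level authentication. Unknown platforms fail closed."""
    minimum = MIN_OS.get(p.platform)
    if minimum is None:
        return False
    return (not p.jailbroken_or_rooted and p.threat_level == "secured"
            and p.os_version >= minimum and p.encrypted and p.passcode_set)


@dataclass
class Request:
    """What the identity provider sees at sign-in time."""
    platform: str
    workload: str                 # e.g. "Office365"
    posture: Optional[Posture]    # None when the device is not MDM-enrolled
    app_protected: bool           # client app covered by an app protection policy


def satisfied_controls(req: Request) -> set:
    """Which grant controls this sign-in can satisfy."""
    have = set()
    if req.posture is not None and is_compliant(req.posture):
        have.add("compliantDevice")
    if req.app_protected:
        have.add("compliantApplication")
    return have


def decide(policy: dict, req: Request) -> str:
    """Return 'allow' or 'block'. A single policy has one operator, so
    'OR' passes on any listed control and 'AND' needs all of them."""
    conds = policy["conditions"]
    apps = conds["applications"]["includeApplications"]
    in_scope = (req.platform in conds["platforms"]["includePlatforms"]
                and ("All" in apps or req.workload in apps))
    if not in_scope:
        return "allow"  # this policy does not apply; others still might
    grant = policy["grantControls"]
    required = set(grant["builtInControls"])
    have = satisfied_controls(req)
    ok = bool(have & required) if grant["operator"] == "OR" else required <= have
    return "allow" if ok else "block"


# Constructed sample sign-ins (not real telemetry).
BYOD_OUTLOOK = Request("iOS", "Office365", None, app_protected=True)
BYOD_NATIVE_MAIL = Request("iOS", "Office365", None, app_protected=False)
CORP_PHONE = Request("android", "Office365",
                     Posture("android", (13, 0), True, True, False, "secured"), False)
JAILBROKEN = Request("iOS", "Office365",
                     Posture("iOS", (16, 4), True, True, True, "high"), False)

if __name__ == "__main__":
    for name, r in [("BYoD Outlook", BYOD_OUTLOOK), ("BYoD native mail", BYOD_NATIVE_MAIL),
                    ("corporate phone", CORP_PHONE), ("jailbroken", JAILBROKEN)]:
        print(f"{name}: {decide(CA_POLICY, r)}")
```

The BYoD phone running Outlook under an app protection policy is allowed without enrolment, the same phone using the native mail client is blocked, the enrolled and compliant corporate phone is allowed, and the jailbroken device is blocked even though it is enrolled. To deploy the policy body you would POST it to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` with the `Policy.ReadWrite.ConditionalAccess` permission, leaving it in report-only state until the sign-in logs show no unexpected blocks. One caveat worth knowing: a policy's grant controls take a single operator, so "MFA and (compliant device or protected app)" is two policies, not one.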
To that end, those in the Microsoft ecosystem can leverage robust, fully integrated security solutions for all of the concepts discussed in the 2015 and 2022 articles, and for just about every topic I have ever covered on behalf of the ACCA. They quite literally have a tool for every potential scenario. A well-designed Microsoft Zero Trust deployment with a sprinkling of AAD, CASB, DLP, SIEM, SOAR and EDR, combined with some decent hybrid Azure infrastructure design, and you are living in the year 3000 from a security and governance perspective. This doesn't mean boring grey devices anymore, either: Microsoft now fully supports Macs, iPhones, iPads and so on with native applications and security management just like any PC, and has its own take on the "shiny things", to quote the 2015 article. There are not that many arguments against 365/Azure for business anymore.
So what about that Zero Trust stuff? BYoD's legacy is that it forced us to refine the Zero Trust model. Faced with an eroding network boundary, and suddenly not even owning or being able to control the end-user device, innovation had to happen. The evolution took time, and I would suggest that even in 2022 Zero Trust deployments are the exception, not the rule. Still, we are headed in this direction from an architectural design pattern perspective.
For balance, there are plenty of vendors in this space now; all the usual big security players that used to sell web filtering, anti-virus or firewall tech are currently offering Zero Trust solutions, and there are some interesting new players in the market as well. However, the distinction between "entirely Zero Trust" and "almost Zero Trust" is very unhelpfully blurred. Some vendors can offer every aspect of Zero Trust, including intelligent data transport for on-premises and off-premises access; others say they do, but are missing vital elements of that facility when pushed. Or the "it's our cloud" claim is made about data transport, but when pressed it turns out to be a few colocation racks, a data centre or two and a bunch of VMs in GCP, AWS or Azure doing the heavy lifting.
The most significant difference between the article I wrote in 2015 and now is the barrier and cost of entry. A substantial level of security, control and governance over not just BYoD but the entire estate is now available at commodity prices. You don't need to buy "6-figure solutions" to every security problem; you could instead spend a fractional monthly fee per user. Put everything in 365/Azure and switch on the correct licensing, find a good partner to help "pull the right levers", and voila: you are safe, secure, flexible and resilient, and don't need an army of IT staff to run it. That's what post-pandemic technology looks like, and it's here to stay (until we start to put it all back on premises due to cost increases and monopolies, but that's at least another 5-7 years out 😊).
Jay Abbott, Nellcote Cyber