Security "Bits"

Users, IT, and BYOD Security: Can't We All Just Get Along?

By Mike Schuricht | February 20, 2014 at 9:12 AM


The BYOD movement has caused many organizations to dabble, experiment, and eventually allow end users the flexibility to use personal devices in the workplace. This has been driven by a competitive business environment where increased employee productivity and decreased CAPEX and OPEX can make a real difference. The initiatives are often driven at the executive level, causing IT Security to cobble together solutions in attempts to protect corporate data without restricting users unnecessarily. 

The MDM/MAM mix of solutions causes IT to focus on securing devices and apps, which often requires complex and continuous management overhead ($$$). Even with a solution deployed, there is still a lack of visibility into SSL traffic - decryption is required for IT to effectively protect corporate data. Since MDM/MAM can’t meet this challenge, NGFWs and VPNs are often introduced to fill the gap...
Unfortunately, adding VPN capabilities in order to decrypt mobile traffic is another complex and costly solution. Now IT has to think about managing certificates, proxy or VPN configurations, and the repercussions of controlling employee-owned devices. Decryption causes issues for users since it almost always means decrypting personal traffic in addition to corporate. The per-app VPN feature in iOS 7 helps, but since it works at the app level, employees lose the ability to use the same app for corporate and personal use.

Lauren Weber from the Wall Street Journal wrote about BYOD woes during a job change:

"Phone wiping is just another example of the complications that emerge when the distinctions between our work and personal lives collapse. Employers increasingly expect workers to be available 24/7 but don't always provide company equipment to make that possible, leaving workers in a bind: Expose themselves to losing personal information when a phone is erased, or refuse to use a personal device and risk looking disengaged."

While there are solutions that offer a suite of corporate apps (e.g. Mail, Contacts, Calendar, File Sharing, etc.) to manage and secure traffic/data separately from personal data, these solutions force employees to use entirely new apps and to switch context between business and personal app usage – inhibiting the ability to transition effortlessly between work life and personal life. Essentially, these app suites quarantine corporate data, and are frequently viewed by employees as a set of handcuffs, limiting user flexibility and convenience. IT gets pushback from employees during roll-out, and IT groups tend to feel the solutions deliver a lackluster, glass half full, experience compared to how good they originally sounded during the vendor's solution pitch.

Nir Zuk (Palo Alto Networks CTO) was recently quoted in CIO magazine:

“Mobile devices are changing everything,” he said. “In the past year or two, we've seen attempts by security groups to mandate the management of mobile devices by the enterprise.

“However, we're now seeing that backing off a bit and finding something in the middle, where devices are only partially managed by the security group and the end user who has brought the device to the enterprise gets more control over it. I think that business and security are finally learning how to live together.”

Companies need a new breed of solutions that secure corporate data, maintain user privacy, and deliver flexibility, convenience, and ease of use.



