Clear policies for a consistent infrastructure
Even a brief, general analysis of the BYOD approach makes one thing clear: there are so many possible solutions that specific policies must be put in place. The only way to keep such an environment manageable is to have firm reference points for the purchase, configuration and use of the devices. Defining those reference points and requirements is an important problem in its own right. Rules have to be consistent and yet, as the consumerization discussed earlier dictates, flexible and constantly updated in order to keep pace with technological progress.
For instance, in the business sphere most PCs run Windows 7, while a user buying a computer for personal use will probably end up with Windows 8 or 8.1. A manager who is an Apple enthusiast may own a brand new iPhone 6, while a consultant less drawn to new technology may keep using his old but trusty BlackBerry. The transition to BYOD has to be carefully evaluated and weighed in every facet. Defining detailed and up-to-date policies and technical specifications is fundamental, because a badly planned approach can cause severe technical and economic damage to the company infrastructure.
CYOD: a possible alternative
As often happens when two solutions are available, a good approach is to take the best of both worlds. This is CYOD, which stands for Choose Your Own Device: the user can choose the device to use, but must choose it from a list drawn up and approved by the IT staff. Usually the company owns the device, which frees the user from buying it while guaranteeing proper configuration, application of policies and control over the devices in use. Another advantage is the possibility of tailoring the offering to the grade or role of the employee.
What the employee thinks
BYOD involves both the company and the employee. Let’s analyze the approach and the perspective of each, trying to offer some useful advice.
Let’s start with the employee: we have already seen that using a personal smartphone or notebook has some drawbacks, and on top of that it brings some difficulties in practical use. For instance, the internal IT staff may not be keen to do maintenance and provide assistance on private devices, so it’s the user’s duty to intervene autonomously in case of problems.
Email and the business calendar are the two most common activities, but also the ones most exposed to risks arising from carelessness. Using a personal account instead of the business one is easier than you might think. The consequences of a private email sent as a business one, or of sensitive information reaching outside people, can be very severe. Separating the business account from the personal one with two completely different addresses (say, a Gmail account and a @companydomain one) is not enough; using dedicated clients may help. On Android, the Gmail app offers full integration with Google’s email accounts, but it cannot be configured for other accounts; Aqua Mail and the native Email client are free and multi-user, but they are far from professional solutions like Microsoft Outlook. Outlook is offered in the Office 365 Business package, includes calendar, address book and agenda, and integrates fully with the business Exchange infrastructure and the desktop client. On the desktop, the most common alternative to Outlook is Mozilla’s Thunderbird, while Apple offers its Mail client natively on desktops as well as on mobile devices; Mail is complete, functional and integrates well with the main email services.
A note on the multi-user feature that Android implements on tablets. Since version 4.2, “Jelly Bean”, it has been possible to create two or more users with completely separate data, applications and settings, an excellent way to let private and business life coexist on the same device. In the recent 5.0 release, “Lollipop”, this feature has finally been implemented without limitations. Going back to the importance of constantly updated policies, this is a case where an operating system update becomes decisive in choosing the smartphone to be used as a BYOD device.
The notebook world is different, as both Microsoft and Apple natively separate data and applications per user. Other useful solutions for separating private and professional life include dual-SIM smartphones, mostly Android-based, which offer good performance and two different phone numbers on the same device rather than on two separate, awkward-to-carry phones.
The approach of the company
While the user has to weigh problems related to the daily use of the devices, the company has to take many more factors into account. We have already discussed data security, connectivity and remote access to services; another side of BYOD is its use in the company’s different departments. We are obviously talking about medium to large companies with several departments, and here too a specific evaluation for each enterprise is fundamental.
Granting safe remote access, beyond the bandwidth limits imposed by the national network service, requires some consideration on the system administration side. In some cases opening a few ports on the firewall may be enough to connect off-premises applications to internal services. It’s self-evident that this kind of communication cannot travel unencrypted: it absolutely needs some form of encryption, for example TLS/SSL. An alternative approach to planning internal access from the outside is to use VPN solutions, which guarantee dedicated and secure access to the business network, for instance allowing an employee’s notebook to behave as if it were connected to the office LAN. The advantages are clear: the off-premises employee can do his job wherever an Internet connection is available.
Several solutions exist, but given the professional nature of the matter it’s essential to consider well-known, reliable and qualified platforms like IPsec or OpenVPN. It goes without saying that this software must be properly installed and configured before actual use; we insist again on the importance of centralized control of the adopted devices by the IT staff. Using a VPN has some aspects that must be handled with care: since, from the employee’s perspective, working remotely is like working locally, resource access should be regulated. For instance, a user who has administrative access to machines (servers, network devices, storage, etc.) when in the office may not have the same access permissions when working from outside.
Those who haven’t yet installed a commercial firewall should consider the open source project pfSense (www.pfsense.org); based on FreeBSD, it can be installed without particular problems on an ordinary computer, even an older one, as a virtual machine, or on dedicated appliances (like PC Engines’ Alix-based platforms). The developers also offer commercial support if needed (available in English only, starting from US$400).
pfSense supports IPsec, PPTP and OpenVPN. It’s interesting to note that creating a VPN with OpenVPN, one of the most complex technologies available, is assisted by a helpful wizard and by a plugin (Client Export) that directly exports the files needed for the connection to the main operating systems (Windows, Linux, Mac, iOS, Android).
An interesting commercial alternative is Kerio Control (www.kerio.com): very easy to use, with an intuitive interface and with content control, a feature not implemented in free products. Most operations are easily performed thanks to the simplicity of the interface, which is completely translated into Italian. Furthermore, complete support is available through the two Italian distributors (Coretech, www.coretech.it, and Multiwire, www.multiwire.net). The price is quite interesting too: €258.64 (VAT included) for the first 5 users.
We saw that a fundamental aspect of a working BYOD setup in the company is complete WiFi coverage, but that can expose internal resources to overly easy access by employees or, if not properly configured, to former employees or even guests.
On this topic, it’s good practice to provide Internet access (or access to a limited set of business functions) to occasional WiFi users by means of a dedicated Guest network. Such a network usually grants no access to the company infrastructure (servers, network devices, storage, etc.). It can be implemented in different ways; the best approach is to buy devices that natively manage Guest networks.
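Both the VPN paragraph above (administrative access allowed from the office LAN but not from a remote connection) and the Guest network paragraph (guests reach the Internet, never the internal infrastructure) come down to an ordered, default-deny filtering policy on the firewall. The following script is an added example, not code from the article or from the pfSense project: it holds such a policy as data, evaluates sample flows against it with first-match semantics, and renders it as pf.conf lines (pfSense runs pf underneath). The address plan, zone names and port choices are constructed assumptions, not values from the article.

```python
import ipaddress
from collections import namedtuple

# Constructed address plan (an assumption for this example, not taken from the article).
ZONES = {
    "office_lan": ["192.168.10.0/24"],                                # wired / WPA-Enterprise clients
    "servers":    ["192.168.20.0/24"],                                # internal server VLAN
    "guest_wifi": ["192.168.50.0/24"],                                # dedicated Guest network
    "vpn_pool":   ["10.8.0.0/24"],                                    # addresses handed to VPN clients
    "private":    ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # all RFC 1918 space
    "any":        ["0.0.0.0/0"],
}
NETS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in ZONES.items()}

# action, source zone, destination zone, protocol (None = any), destination ports (None = any)
Rule = namedtuple("Rule", "action src dst proto ports")

# Ordered policy: the first matching rule wins; anything unmatched is blocked.
RULES = [
    Rule("block", "guest_wifi", "private", None, None),         # guests never reach internal space
    Rule("pass",  "guest_wifi", "any",     None, None),         # ...but get plain Internet access
    Rule("block", "vpn_pool",   "servers", "tcp", (22, 3389)),  # no admin protocols over the VPN
    Rule("pass",  "vpn_pool",   "servers", None, None),         # ordinary services are fine remotely
    Rule("pass",  "office_lan", "servers", None, None),         # admin work happens from the office
    Rule("pass",  "office_lan", "any",     None, None),
]

def _in_zone(addr, zone):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETS[zone])

def evaluate(src, dst, proto, dport):
    """Return 'pass' or 'block' for one flow, mirroring pf's 'quick' first-match behaviour."""
    for r in RULES:
        if not _in_zone(src, r.src) or not _in_zone(dst, r.dst):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        return r.action
    return "block"  # implicit default deny

def _pf_addr(zone):
    if zone == "any":
        return "any"
    nets = ZONES[zone]
    return nets[0] if len(nets) == 1 else "{ " + ", ".join(nets) + " }"

def to_pf():
    """Render the policy as pf.conf lines: a non-quick 'block all' that the quick rules override."""
    lines = ["block all"]
    for r in RULES:
        parts = [r.action, "quick"]
        if r.proto:
            parts += ["proto", r.proto]
        parts += ["from", _pf_addr(r.src), "to", _pf_addr(r.dst)]
        if r.ports:
            parts += ["port", "{ " + ", ".join(str(p) for p in r.ports) + " }"]
        lines.append(" ".join(parts))
    return lines

if __name__ == "__main__":
    for flow in [("192.168.50.7", "192.168.20.10", "tcp", 445),   # guest -> file server
                 ("10.8.0.5", "192.168.20.10", "tcp", 22),        # VPN client -> SSH on a server
                 ("192.168.10.20", "192.168.20.10", "tcp", 22)]:  # office admin -> same SSH
        print(flow, "->", evaluate(*flow))
    print("\n".join(to_pf()))
```

The point of keeping the policy as data is that the same table can be reviewed, tested against the flows it must allow and deny, and then rendered for whatever firewall is in use; the rendering here targets pf syntax only.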
Ubiquiti (www.ubnt.com) offers the UniFi platform for creating such networks: a series of access points with centralized management software. These devices implement a native Guest network, their configuration is easy, and they can be managed from a centralized control interface. Several subnets can be created and sets of access policies defined for them. UniFi is distributed in Italy by Sice Telecom (www.sicetelecom.it). Naturally many other solutions are on the market, for example from D-Link and Netgear.
Solutions of this kind are, however, closer to home or SOHO use than to corporate use, but the size of the company architecture and the security criteria must grow together. When talking about medium to large enterprises, it’s essential to move to more advanced solutions based on the WPA protocol and integrated with Active Directory in a Windows Server environment, for example. Those systems use a centralized authentication system called RADIUS (Remote Authentication Dial-In User Service), which requires one or more dedicated servers. This kind of management, while more demanding in terms of hardware and software resources, guarantees more advanced security features, such as denying access to personnel no longer authorized without changing passwords across the entire network.
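To make the RADIUS exchange behind such a setup concrete, here is an added example (not code from the article, nor from any RADIUS server product) of the Access-Request / Access-Accept / Access-Reject round trip from RFC 2865: the NAS (access point or firewall) hides the user's password with the shared secret and a random Request Authenticator, the server recovers it, checks its user store and answers with a Response Authenticator the NAS verifies. The shared secret, the user store and the user names are constructed; a real deployment would query Active Directory or LDAP instead of a dictionary. The last lines of the `main` block show the property the paragraph above describes: removing one account centrally denies that person access while the WiFi configuration and the NAS secret stay untouched.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _attr(atype, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def _hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += prev
    return out

def _unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(username, password, secret, nas_ip, ident=1, authenticator=None):
    """NAS side (access point or firewall): wrap the credentials in an Access-Request."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, _hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return _packet(ACCESS_REQUEST, ident, authenticator, attrs)

def handle_access_request(packet, secret, user_db):
    """Server side: recover the password, check the user store, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs[USER_NAME].decode()
    password = _unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    stored = user_db.get(username)  # constructed store; a real server asks AD/LDAP
    ok = stored is not None and hmac.compare_digest(stored.encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + b"" + secret).digest()
    return header + resp_auth

def verify_response(response, request, secret):
    """NAS side: return the reply code only if it answers our request and carries a valid
    Response Authenticator under the shared secret; otherwise None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # configured on both the NAS and the server (constructed)
    users = {"alice": "Winter2015!"}       # constructed user store
    req = build_access_request("alice", "Winter2015!", secret, "192.168.10.1", ident=7)
    print("while employed:", verify_response(handle_access_request(req, secret, users), req, secret))
    del users["alice"]  # off-boarding: one central change, no WiFi key rotation anywhere
    print("after removal: ", verify_response(handle_access_request(req, secret, users), req, secret))
```

The password hiding in RFC 2865 is a keystream built from MD5 and the shared secret, which is why the RADIUS traffic between access points and server belongs on a management VLAN rather than on the user networks, and why per-NAS secrets should be long and random.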
Another solution, often used when the number of guest users is high (airports, stations, public areas), is a Captive Portal. With this technology, a device’s first access requires authentication at the gateway, and from that moment on the session is uniquely bound to that very device. It may not be the most convenient system, but it’s certainly useful in many contexts. This feature can be managed directly by the firewall (like the aforementioned pfSense or Kerio Control) as well as by centralized WiFi infrastructures like Ubiquiti’s UniFi.
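The session binding the paragraph describes is, on the gateway side, a small table keyed on the device. The class below is an added example, not code from the article or from pfSense, Kerio Control or UniFi: it keeps one session per MAC address, bound to the IP the device logged in from, with an expiry, and answers for each packet whether the gateway should forward it or redirect it to the login page. The credential store, the session lifetime and the addresses are constructed assumptions; a real portal would authenticate against RADIUS or LDAP.

```python
import time

SESSION_TTL = 3600  # seconds a portal login stays valid (constructed value)

class CaptivePortal:
    """Gateway-side session table for a captive portal. A session is keyed on the client's
    MAC address and bound to the IP it authenticated from; any device without a live
    session is sent to the login page instead of being forwarded."""

    def __init__(self, users):
        self.users = users   # constructed {username: password} store; real portals use RADIUS/LDAP
        self.sessions = {}   # mac -> {"ip": ..., "user": ..., "expires": ...}

    def check(self, mac, ip, now=None):
        """Decide what the gateway does with traffic from (mac, ip): 'allow' or 'redirect'."""
        now = time.time() if now is None else now
        key = mac.lower()
        sess = self.sessions.get(key)
        if sess is None:
            return "redirect"                 # never logged in: send to the portal page
        if now >= sess["expires"] or sess["ip"] != ip:
            del self.sessions[key]            # expired, or the device changed address: log in again
            return "redirect"
        return "allow"

    def login(self, mac, ip, username, password, now=None):
        """Called by the portal web page once the login form is submitted."""
        now = time.time() if now is None else now
        if self.users.get(username) != password:
            return False
        self.sessions[mac.lower()] = {"ip": ip, "user": username, "expires": now + SESSION_TTL}
        return True

    def logout_user(self, username):
        """Drop every session of one account, e.g. when a guest account is disabled; returns the count."""
        gone = [m for m, s in self.sessions.items() if s["user"] == username]
        for m in gone:
            del self.sessions[m]
        return len(gone)

if __name__ == "__main__":
    portal = CaptivePortal({"guest": "welcome"})
    dev = "AA:BB:CC:DD:EE:01"
    print(portal.check(dev, "192.168.50.10"))                          # redirect
    print(portal.login(dev, "192.168.50.10", "guest", "welcome"))      # True
    print(portal.check(dev, "192.168.50.10"))                          # allow
    print(portal.check("AA:BB:CC:DD:EE:02", "192.168.50.10"))          # redirect: other device
```

Two details matter in practice: sessions must expire (otherwise a device authenticated once stays authorized indefinitely), and disabling an account should tear down its live sessions rather than only blocking the next login, which is what `logout_user` does here.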