IDC 1335
I D C V E N D O R S P O T L I G H T
A r c h i t e c t i n g a F l e x i b l e S t r a t e g y f o r S e c u r i n g
E n t e r p r i s e B r i n g Y o u r O w n D e v i c e ( B Y O D )
June 2012
Adapted from Worldwide Data Loss Prevention 2011–2015 Forecast by Phil Hochmuth, IDC #231367;
Organizations Get the Knack for NAC by Chris Christiansen, IDC #206966; and Worldwide Mobile Enterprise Security Software 2012–2016 Forecast and Analysis by Stacy Crook, Charles Kolodgy, Sally Hudson, and
Stephen Drake, IDC #233664
Sponsored by ForeScout
BYOD Trends and Mobile Security Landscape
The traditional enterprise perimeter is becoming more open and extended as the number of mobile and remote employees increases. The use of consumer mobile devices (such as smartphones and tablets) and the increased use of cloud services (individual tools such as Dropbox or business cloud applications such as Amazon Web Services) also challenge enterprise information security and IT risk management professionals. Organizations that leave networks wide open to employees' mobile devices will have a hard time containing access to and controlling the use of sensitive corporate data in today's extended computing environment.
Conversely, enterprises that either lock down these devices or lock them out by configuring networks to offer them limited services are missing an opportunity to make employees more accessible, more productive, and more satisfied with their work environments. The trend toward "bring your own device" (BYOD) adoption is increasing — nearly half of enterprises in IDC's 2011 Security Survey cited this as a top concern for 2012. As organizations go beyond basic wireless and Internet-only access and offer broader network, data, and corporate mobile applications, IT organizations must contend with the risks of this new mobility paradigm.
All these trends are forcing enterprises to move, add, and adapt security controls closer to the data itself, in addition to the network, device, and application infrastructure on which data lives and moves.
Data, Access, and Device Mobility Risks
In a BYOD world, companies can choose to secure and manage the entire mobile device user pool or secure portions of that community. Either way, steps must be taken to prevent unauthorized access to network resources and data loss. Enterprises should consider solutions that allow policies to be applied based on user, device, network, application, and data leakage risks. If the use case requires significant data protection, the IT organization should leverage native device protection mechanisms and possibly look for a corporate container of applications and data or security for each application itself to prevent sensitive information from being leaked to other applications or public clouds. Mobile threats do exist. End users may access seemingly safe WLANs, which are actually rogue and malicious networks. End users may also be tricked into providing sensitive information using email phishing techniques. Mobile malware is also on the rise and poses a serious threat to the security posture of mobile devices. While infected Android applications have received significant press thus far, many users will also open up infected Web sites and unknowingly download malicious code that
may take advantage of root-level exploits on the device. Once a device — iPhone, Android, or other — is rooted, all other security measures that run on the device are compromised; as such, a tethered wireless device attached to a jailbroken smartphone could open access to your intranet.
Enterprises know they must strengthen their mobile security infrastructure. According to IDC's 2011 Security Survey, the top three concerns of enterprises are directly or indirectly related to mobile devices. Data loss and data management are clear mobility issues. Enterprises are experiencing more malicious mobile applications and malware for smartphones and laptops designed to extract sensitive data for these devices or to use the mobile device as a host to carry the malware deeper into a corporate network. Lastly, there are security concerns for unmanaged mobile devices accessing and on the corporate network.
Augmenting Mobile Security Controls
Expediting Policy Development and Acceptance
As with managing any risk, IT organizations need to review use cases concerning corporate and personal mobile device use. Once use cases are defined and accepted by relevant stakeholders, policies, procedures, and technical controls can be more effectively applied with greater acceptance. BYOD adoption and related policy development processes should broadly address business drivers; device and application use; use of and access to network resources; related network infrastructure; devices to be supported; and risks, security mechanisms, legalities, and costs.
New solutions are available to help enterprises tackle these mobile security issues. While there won't be a one-size-fits-all answer, understanding where the mobile security risks and gaps are will help organizations figure out which combination of solutions can best meet their business and mobile security requirements. Additionally, enterprises must set realistic expectations with end users: Corporate networks won't be a free-for-all. End users should expect certain levels of security behind the firewall based on their individual privileges, roles, and access rights. Users should be given greater accessibility via a "carrot and stick" method — IT can grant personal mobile device access to corporate resources and data only after the user agrees to added security controls.
Technical Control Considerations
With an increasingly mobile and device-diverse workforce, providing secure network access for all internal and external device types has become a top priority for IT. From a security perspective, IT organizations must rise to this challenge by enhancing their network infrastructures to restrict any form of network connection and access to all but authorized and qualified users and their corporate or approved personal endpoints. Enterprises use various technologies, including the following, to tackle these mobility challenges:
Wireless Access Point (WAP) offers the most common and basic means to block or allow access of managed and personal mobile devices onto an enterprise network. Most organizations will use WAP to offer employees and guests Internet-only access or limited network access — preferring employees to come through the firewall via VPN. WAP capabilities vary with regard to guest management and endpoint security.
Network Access Control (NAC) became a popular technology in the mid-2000s as enterprises struggled to control guest and rogue access to network resources and reduce the spread of malware on laptops as they moved back and forth between corporate LANs and untrusted networks. The NAC products and markets have matured significantly. Beyond ensuring trusted network access, the technology involves health checks on endpoints for configuration and host-based security software compliance before allowing network connectivity. More recently, NAC
given the influx of unmanaged devices and the need for network-based defenses to complement device-based defenses. This would include integrating with other platforms such as WAP and mobile device management to manage mobile guest access, facilitate provisioning, ensure endpoint posture checking, and eliminate rogue WAP risks on the corporate network.
Mobile Device Management (MDM) is one of the hottest security/management markets in IT right now. MDM provides life-cycle management of corporate-issued and personal mobile devices with the means to provide device provisioning and security with various forms of application and data containerization including dual persona. Beyond BlackBerry Enterprise Service, the MDM market is relatively nescient and maturing quickly with dozens of platforms to manage Android, iOS, Windows Mobile, and BlackBerry handhelds. MDM is a strong technology for device-level security of managed devices, but enterprises should consider complementary tools to address unmanaged mobile devices, facilitate enrollment, and fortify network-based defenses. MDM has become an essential tool for compliance-regulated enterprises or for those organizations that require greater management and control over devices, data, and applications.
Mobile Enterprise Application Management (MEAM) is an approach that involves the in-house development of mobile applications, designed to deliver functionality and data access tailored to the mobile device form factor (smaller screen size, varying input capabilities, etc.). MEAM development platforms can be used to deliver applications across multiple handheld devices, which can limit access to certain types of sensitive data or allow the data to only reside in the application session and not be cached or downloaded to the endpoint. Enterprises taking this approach are committing time and resources to mobile-enable their employees with corporate-developed mobile applications and at the same time realizing the competitive advantage of custom applications.
Virtual Desktop Infrastructure (VDI) essentially opens a tightly controlled window/virtual session on the end user's device into the enterprise, through which the end user can access only predefined programs and data. When the user's session ends, sensitive data and applications are not put at risk because they were never downloaded to the endpoint. VDI user experience can vary by device, and the VDI session will require adequate connectivity. Even with VDI, organizations should still be concerned with the security posture of the endpoint.
Trends
Applying Next-Generation NAC and MDM to BYOD
Over the past several years, NAC has established itself as a valuable security component for IT and security professionals within a broad spectrum of industries and businesses worldwide. As NAC vendors respond to IT expectations and continue to assimilate additional security features into their NAC solutions, IDC sees increased NAC acceptance and growth. Next-generation NAC platforms offer an essential function for enterprises requiring network visibility, varying levels of identity and device-based access control, and endpoint compliance. NAC platforms can allow IT staff to:
See and control all network devices, including those that are unknown (not prior accounted for) or unmanageable (where corporate controls are not yet or can't be enforced)
Provide Internet-only or limited network access to temporary workers or visitors connecting to a LAN based on user and device policy
Have real-time classification of network assets leveraging the means to identify mobile devices in order to support inventory, security assessment, and incident response processes
Pinpoint and attempt to remediate endpoint compliance issues, either by user guidance or by background script execution
NAC solutions can vary widely. Some NAC products are available within the network fabric; others can be integrated on a separate appliance and work with an enterprise's existing network
infrastructure with minimal impact. Another functional difference is in how the NAC product employs pre-connect and/or post-connect identity and device authentication. Some NAC products require software or an 802.1x supplicant on a managed device to authenticate and allow a device onto a corporate network, while others do not require a device to be managed or have optional agents. Depending on a company's policy, risk profile, operating environment, and administration capacity, managing 802.1x agents on endpoints and mobile devices to control access can be operationally expensive and challenging.
Alongside NAC, MDM adoption is taking off; IDC predicts the worldwide MDM market will reach $1.2 billion in the next three years, representing a 32% CAGR from 2010 to 2015. Enterprises are turning to MDM vendors with security and management capabilities to address a range of use cases. One major driver for adoption of MDM is containerization, which is the ability to "contain" corporate data and applications such as email or productivity applications and securely segregate them from personal use. Containerization features essentially "seal off" the corporate persona on the mobile device, creating a safe space for accessing corporate email, sharing and managing documents, or using enterprise applications (i.e., corporate "app stores").
Another major driver of MDM is provisioning: centralized provisioning (and deprovisioning) of end users' access rights, applications, and data on these endpoints. Provisioning capabilities allow enterprises to control the configuration and data footprint ― with features such as application and document revocation, remote wiping of sensitive data, and other capabilities such as reporting and expense management.
An additional significant MDM driver is the rapid emergence of SaaS-based MDM deployment. SaaS MDM provides advantages with regards to rapid deployment/integration, as well as the means to provide continual updates as changes are made to mobile hardware and software platforms. During the past 12 months, IDC has increasingly seen "hybridized" or joint NAC and MDM offerings whereby more progressive NAC vendors are integrating or offering their network-based security with MDM device-based security and vice versa. Supporting reasons why IT professionals are looking at the combined approach of NAC and MDM capabilities to help them address BYOD include the following:
MDM products can secure only the devices that they manage. They do not address unmanaged, personal mobile devices and are typically focused on smartphones and tablet devices. NAC can identify and associate users and their mobile devices that could qualify for MDM installation, and as such, NAC can be used to automate MDM enrollment processes versus more manual MDM enrollment processes.
NAC products have device fingerprinting technology, which can allow them to identify mobile devices and MAC and IP addresses in order to apply access policy, but they require agent or MDM technology in order to gain comparably strong identity and device configuration details. However, as a network-based control, NAC can restrict MDM managed devices from accessing inappropriate network resources such as an iPad accessing SOX-relevant file servers.
MDM products can scan for and assess if a managed mobile device is secure and following policy. Hence, the greater the scanning frequency, the shorter the battery charge left for the device. As such, there is a security risk should a device deviate from policy between scans while accessing network resources. NAC can be integrated with MDM to request that MDM scan mobile devices as they attempt to access the WLAN or at more frequent intervals while on the intranet.
NAC and MDM are typically controlled by different IT groups — enterprise security and
communications/applications or desktop teams, respectively. However, these groups often lack visibility into important aspects of the other's domain. NAC/MDM integration allows the security operators to gain mobile security visibility and control across mobile and nonmobile devices. MDM products provide more than just device-level security. These products also provide
provisioning, expense management, data containerization, and application management, which are outside the scope of NAC solutions.
MDM policy assessment does not always provide flexibility to allow users to use their device outside of policy. Depending on the policy, certain data and applications of the mobile device NAC would be deactivated or wiped. For minor violations, NAC would be able to quarantine a noncomplying mobile device on a corporate network while allowing the user to use the device on the Internet, modify the handheld configuration, and initiate an MDM recheck, which would be a less disruptive response.
It is not likely that standalone MDM vendors will build those capabilities themselves. IDC believes if MDM vendors decide to include network-based security and other security functions as described above, they will need to partner or acquire to gain the functionality.
A Tiered Service Approach to Enterprise Mobile Security
There are three basic levels of controlling the type of access received by different types of devices and end users in a BYOD environment. The first level is basic blocking — i.e., keeping out unwanted machines and people. The second level is limited access such as Internet access to visitors or email access for employees. The third level, which gets to the heart of the BYOD challenge, is extending applications and data stores to certain users and devices while enforcing security controls. Identity is a core component of a successful NAC and BYOD security deployment. A tiered identity-based service model allows the enterprise to provision varying levels of mobility services to end users based on their roles in, or affiliations with, the organization; the level of risk associated with the device, application, and data; and the relative cost of security. Tiered controls are especially useful in securing mobile devices in an enterprise in which IT organizations expect employees and guests to use a wide range of devices and applications. A tiered mobile security service architecture may include:
Network-based controls to offer segregated LAN access and Internet-only access for certain users, such as guests, and their personal mobile devices
Internet- and VPN-only access for certain types of users who do not require access to more sensitive network resources and data
Limiting employees to certain mobile device use on the network such as email on certain file servers by leveraging network-based controls and more modest mobile device–level controls Offering life-cycle mobile device management with application and data provisioning, data
containerization, and user/employee persona security mechanisms using MDM
Considering ForeScout
ForeScout offers both NAC and mobile security solutions that enable IT organizations to support BYOD and better control managed and unmanaged mobile device use on a corporate network. ForeScout CounterACT, the NAC platform, can identify mobile devices as they attempt to access network resources. The network-based approach gives the operator the option to allow, limit, or block access based on user and device attributes. For more advanced mobile security, the company also offers ForeScout Mobile and ForeScout MDM.
ForeScout Mobile provides two capabilities to extend mobile security functionality to CounterACT and is licensed as an add-on module (ForeScout Mobile Security Module) for CounterACT. The first module provides native, device-level security controls for Android and iOS devices. For Android, the package includes a plug-in application for CounterACT and an Android application. For iOS, the package includes a plug-in application for CounterACT, which integrates into Apple's MDM and Live Push Services, and an Apple iOS application to provide additional capabilities such as the detection of root-broken devices.
Similar to how CounterACT secures PC access, ForeScout Mobile offers assessment and
remediation capabilities for smartphones and tablets. ForeScout Mobile core security functions are comparable to the security functions of MDM, such as device specifications and inventory, application white listing and black listing, password and encryption management, basic certificate management, the ability to set up a separate profile (iOS), device wiping and locking management, and more. The implementation is unobtrusive and maintains the mobile user's experience. However, ForeScout Mobile's perpetual license is significantly less expensive than the subscription-based licenses of many MDM platforms. This pricing is appropriate because there is less provisioning, as well as device management features such as expense control. Also, there is limited platform support, limited
application management, and lack of strong containerization.
For more advanced mobile protection, the ForeScout Mobile integration module allows operators to obtain MDM managed device information from third-party MDM platforms and also to push
policy/action commands (either on demand or automatically) to the MDM platform. In that sense, ForeScout bridges the operational gap between the security operator and the MDM operator. The result provides numerous benefits, as described in the previous section. Currently, ForeScout supports Fiberlink's Mobile-as-a-Service 360 (MaaS360) and Apple's native MDM services, but the company plans to support other leading MDM vendors in order to maintain its vendor-agnostic approach to NAC.
ForeScout also provides an even deeper level of endpoint control and broader device management coverage via its ForeScout MDM product, which is powered by MaaS360. This ForeScout branded, customized, and supported MDM solution leverages Fiberlink's managed MaaS360 platform — a complete cloud-based mobile device life-cycle management platform used by over 1,000 companies worldwide.
The ForeScout/MaaS360 solution provides sophisticated MDM functionality such as cloud-based provisioning and device management, over the air configuration control, policy deployment and monitoring, reporting, and deprovisioning features. Advanced management is also part of the MaaS360 platform with features such as mail and directory service integration, certificate
ability to shield personal identifiable information from the administrator. This combination of
extensive, cloud-based MDM management features and broad mobile device–level security, coupled with an on-premise NAC platform, provides a wide-ranging BYOD solution.
The hybrid approach preserves an often-required separation of duties between network/application and security operations while preserving the value for the security operator to see and manage all devices in one CounterACT console. ForeScout reports that about 1,300 commercial enterprises and government organizations are using CounterACT for network access control and endpoint
compliance. With demand for mobile security and BYOD rising, the emergence of ForeScout Mobile and MDM leveraging MaaS360 provides an extensible mobile security offering for ForeScout's customer base, as well as enterprises that may be new to or considering NAC and MDM in general. IDC believes the ForeScout NAC and mobile security product line provides IT organizations needed flexibility to execute BYOD strategies and provide the means to deliver a tiered mobile security offering. The following customer examples serve to illustrate ForeScout's value as applied to a tiered BYOD strategy.
Use Cases
A large U.S. financial institution that uses ForeScout CounterACT network access control to monitor more than 150,000 endpoints sought to fortify controls and progress its BYOD policy. CounterACT appliances are deployed at more than 100 locations and is centrally operated using the CounterACT Enterprise Manager appliance. These appliances interface with a secured WiFi network to automate guest registration and enforce Internet-only access or segregated access to a limited number of network resources if the user logs in via VPN. This device enforcement, which also checks to see if basic security policies (such as active host security settings and no illicit peer-to-peer applications) are enforced on the endpoint, is made possible using CounterACT and the platform's virtual firewall technology. The organization is compliance regulated, highly risk averse, and cautious but anticipates increased company-owned and managed personal mobile device use. It reviewed options, which included certificate enforcement and MDM's built-in security provisions. The security team felt that the certificate management would be not be enough and would not address device-level security. It also felt that MDM device-level controls alone would be insufficient.
Driven by an initiative to roll out mobile tablets and specialized applications to a group of
approximately 1,000 users as an initial test phase, the team addressed security risks by employing controls provided by both NAC and MDM. While the tablets are corporate owned and employ the MaaS360 MDM cloud, the institution is taking advantage of the ForeScout Mobile Integration module to jointly protect MDM managed mobile devices. Preventing unmanaged or noncompliant mobile devices from connecting to the network, granular control over where devices can go onto the network, and greater efficiencies for security operations were all cited as key benefits of the NAC/MDM integration. Two critical features were the means to trigger MDM controls through the NAC, such as mobile device posture checking on network access while the device is on the network, and the means to automate MDM enrollment. This institution foresees NAC continuing to play a key role in future mobility projects.
Another example of a ForeScout customer is a large manufacturer in the Midwest that is rolling out its BYOD initiatives. It too is using CounterACT ― having deployed more than 15 appliances across multiple sites, which are centrally managed to support more than 34,000 endpoints. The IT staff uses CounterACT extensively for network visibility, access control, guest networking, and endpoint
compliance. Driven by executive and business unit requests, as well as seeing the actual number of mobile device requests for network access, the IT staff was confronted with defining and supporting a BYOD plan. The plan, which the IT staff expects to roll out over a couple of years, involves allowing parts of the organization to use their own and corporate-provisioned mobile devices, as well as allowing specific user groups to have greater accessibility beyond email, which includes access to applications, servers, documents, and a variety of data.
In reviewing its program, the organization also considered device and user types, access
requirements, data protection, and capital and administrative expenditure. It scoped an initial program to support 2,000 users, of which 10% would need strong mobile device data containerization. It wanted to apply NAC-like features for the remaining constituents, which would have to adhere to corporate mobile security policy for corporate and personal device use. The company opted to move forward with ForeScout Mobile and ForeScout MDM, which would satisfy its requirements and be significantly more cost effective than a sole MDM approach. It also would allow the company to more easily adapt its BYOD program, which in the future may include a different technology or MDM altogether. The customer indicated that ForeScout Mobile functionality, such as password and profile management, device security, application controls, data wiping, and other control mechanisms, satisfies the vast majority of its needs. The company had confidence moving forward with ForeScout MDM because of its comprehensive functionality and because as a cloud-based solution, it would be easier to deploy. Beyond being well invested with CounterACT, the company felt more assured about working with a trusted vendor because it had received excellent customer service and was very pleased with its ForeScout relationship.
Challenges
ForeScout will face several challenges as it seeks to expand its NAC and MDM share in the enterprise to enable BYOD and control IT consumerization. Among the challenges are:
A strong, emerging field of MDM vendors with network/systems integration ties. Symantec, McAfee, Cisco, and Juniper are all entrenched in enterprise networks and all offer varying
solutions to integrate mobile device control into their respective products.
A device-centric view of security. Some enterprises look at the mobile security problem as a device-only issue and look to deploy software approaches tied to the operating system of the endpoints.
Reluctance to adopt cloud-based MDM. While security SaaS offerings gain traction and credibility, some enterprises have no plans to adopt cloud-based security solutions in the near future. This could change over time, but it still represents a good minority of the end-user community.
Conclusion
When companies think about developing a BYOD strategy, some of the most complicated pieces of the equation are not technology issues but those that fall in the realms of liability, ownership, and privacy. Companies need to develop an adequate set of policies around any situation that can possibly introduce security risks and then enforce those policies via technology where possible. Enterprises should plan a BYOD security strategy that takes into account tiered levels of access, privileges, and controls. They should also look at solutions that span network, device, user,
Given ForeScout's ability to execute, solid footing in the network security ecosystem, and broad mobility offering that includes a comprehensive NAC and proven MDM platform, IDC would count ForeScout among solid contenders in the mobile security market that can equip IT organizations to meet burgeoning enterprise BYOD challenges.
A B O U T T H I S P U B L I C A T I O N
This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
C O P Y R I G H T A N D R E S T R I C T I O N S
Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or [email protected]. Translation and/or localization of this document requires an additional license from IDC.
For more information on IDC, visit www.idc.com. For more information on IDC GMS, visit www.idc.com/gms. Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com