Information Technology Services, The University of Hong Kong



There is a massive upsurge of mobile devices in the consumer market. Corporations are also demanding that their employees have instant connectivity to their working environment. These two factors are reshaping the IT landscape. IT consumerization has blurred the lines between work and personal life – especially when it comes to mobile devices. People use mobile devices for their personal life and for work, with the desire to access corporate IT systems anytime and anywhere.

According to Forrester, more than 50% of the information workforce will use three or more devices. Gartner is also predicting that by 2017, half of employers will require employees to use their own mobile devices for work purposes.

Bring Your Own Device (BYOD) refers to the arrangement of allowing employees to bring personal mobile devices to perform company work related activities. This trend is becoming inevitable and it is imperative that corporations form a strategy to deal with it.

To examine the prevalence of BYOD, Dell commissioned Vanson Bourne to interview 1,485 IT heads from across the globe regarding their opinion of BYOD. The results indicated that companies could realize corporate gains from BYOD [4].

69% or more of the surveyed organizations believe that BYOD can help their employees be more productive, respond faster to customers, improve work processes, work better in the future and improve operational efficiencies.

BYOD poses new security threats to companies because companies have little control over employees’ personal mobile devices. Sensitive corporate information can be stored on personal mobile devices with little protection. Malware can be introduced into the corporate environment by negligent employees connecting their personal mobile devices to the corporate network.

Mobile Device Management (MDM) is management software that allows corporations to centrally control the policy and configuration of employees’ mobile devices. It helps corporations manage their BYOD program by supporting security, network services, software and hardware management across multiple mobile device platforms. This allows employees to use personal devices for work-related activities in a much more controlled and secure environment.

Key Functions and Features

General Policy

General policy refers to the enforcement of corporate security policies on mobile devices. Examples of policy restrictions include restricting user and application access to hardware and restricting access to native OS services (e.g. built-in web browser, calendaring, contacts, etc.). Policy can also control the management of wireless network interfaces, automatically monitor, detect and report policy violations, and limit or prevent access based on the operating system version, vendor model, and whether the device has been rooted or jailbroken.

Data Communication and Storage

Data communication and storage refers to the capability of encrypting data communications between the mobile device and the corporation, and encrypting data on both built-in storage and removable media storage. Also, there should be the capability to support remote wiping of the mobile device data if the device is reported to be lost or stolen.

User and Device Authentication

It is important to authenticate a user before granting access to corporate resources. This includes basic parameters for password strength and a limit on the number of retries permitted without negative consequences. The control should also be able to automatically lock a mobile device after a period of inactivity.

Application Management

Some MDM solutions even provide the functionality of controlling the installation and execution of mobile applications.

Application control can restrict permissions (e.g. camera access, location access) assigned to each mobile application, verify digital signatures on applications to ensure that only applications from trusted entities are installed and verify that code has not been modified.

There are also some MDM solutions designed to perform finer-grained mobile application management. They are often referred to as Mobile Application Management (MAM). Besides controlling the installation and execution of mobile applications, MAM manages the entire life cycle of mobile applications.

The power of BYOD allows employees to use personal mobile devices to access corporate applications. What if the application does not have a mobile equivalent version which can be managed under MDM?

Virtualization is a technological solution which allows IT departments to present corporate applications securely on user devices regardless of the device model. Virtualization can also provide control over data storage and location. For mobile devices such as tablets, virtualization allows existing applications to be delivered to tablet users without the need to wait for the availability of an iOS or Android mobile version of the application.

Considerations when Exploring Virtualization as part of BYOD

• The touch screen interface will not be suitable for many Windows applications.

• Client-host desktop virtualization is not an option on tablets because they do not have sufficient computing power or memory to run a locally hosted virtual Windows desktop.

• Application compatibility can be a problem. Applications that are available for a certain mobile device platform might not be available on others.

Even if the above challenges can be addressed, virtualization to support delivery of corporate applications to mobile devices should be implemented step by step.

It is important to understand that BYOD is not the same as MDM. MDM is only one of the components of a complete strategy and program implementation for securing personal devices used for business. Corporations are unlikely to succeed in implementing BYOD and achieving all its benefits with MDM alone; they also need a strategy, supporting policies and operational processes.

BYOD Strategy

The first and foremost step is to define the BYOD strategy and the scope of coverage. Part of this strategy can be to implement a stipend program to encourage employees to use their own personal devices for work. Whatever the strategy is, it should be clearly defined, including how to realize the stated objectives and benefits. The corporation should also be clear about whether BYOD will only include personal smartphones, tablets or even laptops.

Associated IT policies supporting BYOD should also be defined so that the users understand what is deemed acceptable and what is not. If the corporation has sensitive data, the corporation will have to determine whether they allow certain employees to access and store such sensitive data in their personal devices.

MDM and virtualization should be regarded as the technological enablers for BYOD. A suitable MDM solution as well as the supporting virtualization technology should be sourced through careful testing and selection.

Important Preparations

Corporations should prepare for the worst and know how to deal with incidents such as employees losing personal mobile devices that have been enrolled in the BYOD program. Moreover, employees may have questions and require technical assistance as part of the operational support. All these operational processes should be developed as part of the BYOD implementation strategy. It is also important that security fixes are taken into consideration so that the latest mobile security threats do not compromise a corporation’s IT security.

The business nature and operating environment of universities are different from those of commercial corporations. Universities advocate openness and freedom of knowledge sharing. Also, there are vast numbers of students and staff requiring network and computing access in a university. The turnover of students is very dynamic, with new freshmen arriving and students graduating every year. Universities also have to support many different work conditions including full time staff, part time staff, visiting scholars, research assistants, etc. Because of all these complicating factors, the way corporations use MDM to control the usage of personal mobile devices may not be entirely applicable to universities.

Nevertheless, BYOD has already been implemented to some extent in university environments. Staff and students are already connecting their personal devices to the campus network, and authentication is required before granting these personal computing devices access to university IT applications and resources. Facing the current wave of BYOD and the constantly emerging security threats affecting mobile devices, universities will have to look further to tighten the way BYOD is supported.

IT Security Strategies for Universities

Universities can explore using Network Access Control (NAC) to ensure that mobile devices meet a set of security requirements and IT standards before they are allowed to connect to the network. NAC can scan device operating systems, applications, and security software to ensure they are up-to-date and that the security software has recently run so that the device is clean. A self-provisioning portal can be set up to ease the burden on the IT department of registering every single device, and also to speed up the process of registering and validating a device, with the additional benefit of managing an inventory of devices.
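
The admission decision described above can be sketched as follows. This is an added example, not code from the newsletter or from any NAC product: the minimum OS versions, the age limits, the field names and the "remediation" network are assumptions chosen for illustration, and the device records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy values; a real deployment takes these from its own IT standards.
MIN_OS = {"ios": (7, 1), "android": (4, 4)}   # minimum OS version per platform
MAX_SIGNATURE_AGE = timedelta(days=7)          # security software definitions freshness
MAX_SCAN_AGE = timedelta(days=14)              # how recently a scan must have run

@dataclass
class Device:
    mac: str
    platform: str
    os_version: tuple
    registered: bool          # enrolled through the self-provisioning portal
    rooted: bool              # rooted or jailbroken
    signatures_updated: date
    last_scan: date

def evaluate(device, today):
    """Return (network, reasons): where the device is placed and why."""
    if not device.registered:
        # Unregistered devices only reach the registration portal.
        return "registration", ["device not registered"]
    reasons = []
    minimum = MIN_OS.get(device.platform)
    if minimum is None:
        reasons.append("unsupported platform")
    elif device.os_version < minimum:
        reasons.append("operating system below minimum version")
    if device.rooted:
        reasons.append("device is rooted or jailbroken")
    if today - device.signatures_updated > MAX_SIGNATURE_AGE:
        reasons.append("security software definitions out of date")
    if today - device.last_scan > MAX_SCAN_AGE:
        reasons.append("no recent security scan")
    # Any failed check keeps the device off the campus network until it is fixed.
    return ("remediation" if reasons else "campus"), reasons

# Constructed sample inventory (not real devices).
TODAY = date(2014, 7, 2)
SAMPLES = [
    Device("02:00:00:00:00:01", "ios", (7, 1), True, False, date(2014, 7, 1), date(2014, 6, 30)),
    Device("02:00:00:00:00:02", "android", (4, 1), True, True, date(2014, 5, 1), date(2014, 6, 30)),
    Device("02:00:00:00:00:03", "android", (4, 4), False, False, date(2014, 7, 1), date(2014, 7, 1)),
]

if __name__ == "__main__":
    for d in SAMPLES:
        network, reasons = evaluate(d, TODAY)
        print(d.mac, network, "; ".join(reasons) or "compliant")
```

Returning the reasons alongside the decision gives the help desk and the device inventory a record of why a device was held back.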

Depending on the need to control security, MDM can still be implemented in phases according to the supported devices and user community. The first batch of supported devices can be university issued devices and then gradually cover personal devices. As for user community, the rollout can be initially to support full time staff, then faculty members and non-full time staff, and eventually the student community.

Mobile devices have become an indispensable component of our personal life as well as work life. Many people are already using personal mobile devices in their work environment to perform work-related activities. The wave of BYOD is becoming so inevitable that corporations have to look into how to support BYOD with the proper implementation of security controls such as MDM and virtualization technology.

Although the nature of work at universities is different from that of commercial corporations, similar controls can be adopted to better govern the usage of personal mobile devices in the university environment.

-----------------------

BYOD Cases

Insurance claim adjusters routinely use mobile devices and applications to help policy holders immediately file insurance claims after an accident.

In healthcare, doctors and nursing staff conduct a wide range of bedside care activities using mobile technology; allowing them to immediately share information with hospital pharmacies, admission offices, insurance companies and compliance departments.

HP – Five Steps to Enabling a Mobile Workforce

Vanson Bourne Survey Commissioned by Dell [4]

Information Security Updates

Mobile Security – Bring Your Own Device

BYOD Security Concerns

Case Study

The University of Kent serves more than 16,000 undergraduate and post-graduate students and 2,000 staff. The University provides a Study Bedroom Service (SBS) with nearly 4,000 wired connections to its main campus network to enable students to access email, networked files, course material, library resources, and the Internet using their own devices.

At the start of each term, students now follow a simple, online process to register their devices for access to the campus network.

Bradford Networks Case Study [5]

Mobile Device Management

Virtualization in Stages

Apigee, an application programming interface platform company in Palo Alto, United States, advised that mobile application deployment be implemented in three phases.

The first is to use virtualization to deliver existing applications to mobile devices. The second takes an existing application and turns it into a cross-platform mobile app. The third decouples the data from the application and picks the appropriate application for the platform or device being used.

Case Study

The University of São Paulo (USP) is the largest Brazilian university, serving over 100,000 students on 11 campuses.

USP deployed Citrix and NetApp technologies to build a university-wide cloud orchestrated by Citrix CloudPlatform. A self-service portal built with Citrix CloudPortal Business Manager provides services to teaching and research sites. XenDesktop powers centrally managed desktops and streamed applications.

Citrix and NetApp Case Study [9]

Virtualization

Implementation Strategy

Case Studies – Adopting Technologies and Implementing Controls

Roanoke College (Va.) uses Apple Mobile Device Manager and Dell’s KBOX to manage institution-owned Apple devices and Dell laptops. These “managers” push out apps that are volume purchased and set up policies and settings for wireless devices for faculty members. IT can also wipe lost, stolen, or infected devices remotely, and students can wipe their own BYOD gadgets through a web page.

New York Law School uses a ForeScout CounterAct NAC appliance to gain visibility into the network and provide mobile security, endpoint compliance (keeping devices clean and up-to-date), and protection against network security threats.

Implication to University

• Define strategy, coverage and policies

• Determine data classification and protection

• Source for MDM and virtualization solutions

• Plan in case of incidents

• Revise new technologies

• Monitor against OS vulnerability updates

• Consult security professionals

STATS

Monthly cost of Company Owned Device

• Average USD80/month for a company-owned device

• 77% able to reduce mobile users using company-owned devices to 60% or less

• 50% can reduce even further to 20% or less

Good Technology - State of BYOD Report [12]

Case Study

At Ohio State, MDM will allow the university to containerize personal applications so it can wipe a BYOD with user permission, in the event of a virus infection or other security issue.

According to Robinson, York College uses Bradford Networks’ Campus Manager to monitor student devices. It recognizes if they are registered as soon as the browser is opened. Unregistered devices get put on a separate VLAN, where they have access only for registration.

University Business – Device Management Across the Network [13]

Conclusion

References

1. "BYOD Stats: What Business Leaders Need To Know Right Now." Leapfrog Extraordinary IT Services. Mar. 2013. Web. 02 July 2014.

2. "SAMSUNG Mobile Index Reveals BYOD Trend." Samsung Electronics America. Samsung U.S. News, 08 Jan. 2013. Web. 02 July 2014.

3. Jones, Jeff. "Microsoft Security Blog." BYOD- Is It Good, Bad or Ugly from the User Viewpoint? Microsoft, 26 July 2012. Web. 02 July 2014.

4. A Vanson Bourne Survey Commissioned By Dell. BYOD: Putting Users First Produces Biggest Gains, Fewest Setbacks. Vanson Bourne. Web.

5. "Bradford Network's Network Sentry Helps University of Kent Control and Manage Its Student Residence Network." Network Access Control (NAC), Network Security, BYOD, Mobile Security, Consumerization, Bradford Networks. University of Kent, Web.

6. Souppaya, Murugiah. "NIST SPECIAL PUBLICATION 800-124." Guidelines for Managing the Security of Mobile Devices in the Enterprise. National Institute of Standards and Technology, June 2013. Web.

7. "Mobile Application Management." Wikipedia. Wikimedia Foundation, 18 May 2014. Web.

8. "Embracing Bring Your Own Device (BYOD) by Dell Software." Embracing Bring Your Own Device (BYOD) by Dell Software. Dell. Web. 02 July 2014.

9. Bowker, Mark. "Desktop Virtualization." White Paper. Enterprise Strategy Group, Oct. 2009. Web.

10. Farbush, James. "Mobile App Virtualization Eases Deployment Headaches for IT." Mobile App Virtualization Eases Deployment Headaches for IT. Search Consumerization, 24 Oct. 2012. Web.

11. For Kaspersky Lab, The World’s Largest Private Developer Of Advanced Security Solutions For Home Users A. Global Corporate IT Security Risks: 2013. Kaspersky Lab, May 2013. Web.

12. "Good News: Good Technology’s 2nd Annual S... | Good Community." Recent Posts. Good, Web.

13. Geer, David. "Device Management Across the Network." University Business Magazine. UB University, Feb. 2013. Web. 02 July 2014.

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:

copyright@jucc.edu.hk

Joint Universities Computer Centre Limited (JUCC)

c/o Information Technology Services

The University of Hong Kong

Pokfulam Road, Hong Kong
