Bring Your Own Device (BYOD) policies are growing increasingly popular. It means that employees are working from the devices that they are most familiar with are often more efficient and effective. Additionally, it removes the requirement for organizations to supply and maintain corporate-owned devices for their employees.
However, securing a BYOD workforce can be difficult. To do so effectively, organizations require a secure and efficient corporate WAN, which requires an understanding of what is SASE and how it is superior to traditional WAN solutions.
Security Challenges of a BYOD Workforce
A BYOD policy can help to increase employee productivity. However, a poorly designed BYOD policy can achieve this at the cost of enterprise security.
One of the most challenging parts of building a BYOD strategy is balancing enterprise security requirements with employee privacy. On the one hand, the company needs to be able to protect its data and systems against cyber threats. On the other, supporting BYOD means that the organization is allowing employees to work from personally-owned devices, over which the organization has limited control.
Without this control, these devices are more likely to be non-compliant with enterprise security policies and more vulnerable to cyberattacks. As a result, organizations need to consider how to minimize the risk posed by these devices despite their limited access to and control over them.
VPNs Don’t Meet BYOD Security Needs
While an organization may have limited ability to secure a BYOD device itself, it can control how that device connects to the enterprise network and handles enterprise data. Instead of allowing these devices to connect directly to the enterprise network, it may be best to have them connect via a guest network or a secure remote access solution. This ensures that all traffic from potentially compromised BYOD devices passes through the organization’s security stack before reaching the corporate network.
Virtual private networks (VPNs) are some of the most widely used secure remote access solutions.
However, they have a number of limitations that make them a poor choice for effectively securing a BYOD enterprise, including:
- Lack of Integrated Security: A VPN is designed to provide an encrypted tunnel over which network traffic can flow between two points. This is commonly used to connect a remote user or satellite site to the corporate WAN. However, the entire goal of the VPN is to provide a connection that is resistant to eavesdroppers, it performs no security inspection of the traffic that it carries. As a result, unless VPN traffic is routed through an organization’s security stack, it can leave the enterprise network vulnerable to compromise or malicious BYOD devices.
- Limited Access Control: VPNs have high-level access control in the form of user authentication, but they are not designed to perform any other access management. A VPN user is provided with full access to the target network. This is problematic with BYOD devices since an attacker that has compromised one of these devices could easily use its VPN connection to access and explore the enterprise network.
- Poor Mobile Device Support: VPNs are resource-intensive and session-focused. This means that every time a mobile device goes to sleep, the employee needs to reconnect. Since smartphones and tablets are becoming many users’ device of choice, this makes VPNs a poor choice for a BYOD workforce.
Designing Security for the Modern Workforce
A BYOD policy means that an organization’s employees will likely be working from insecure and dual-use devices, increasing their exposure to cyber threats. At the same time, the growth of remote work means that these devices will likely be used in insecure environments, such as connected to public Wi-Fi networks.
With the limitations of VPNs, organizations need a different solution to manage connections between BYOD devices and the enterprise network. Secure Access Service Edge (SASE) provides a solution.
SASE is implemented as a Secure SD-WAN solution deployed in the cloud. This means that SASE incorporates both SD-WAN optimized traffic routing and a full security stack. This also enables it to address the shortcomings of VPNs for BYOD:
- Security Integration: A SASE node includes a full security stack. This enables any cloud-based node to provide the same level of security inspection and protection as an organization’s on-site security infrastructure but is seamlessly integrated into the network layer.
- Access Control: One of the functions in a SASE node’s security stack is software defined perimeter (SDP). This enables organizations to implement access controls that are enforced at the network level, limiting insecure devices’ access to corporate systems.
- Mobile Support: Some SASE offerings include solutions specifically designed for mobile device users. This eliminates the overhead and inefficiency of VPN-based remote access.
Companies with BYOD policies have limited power to police and secure the devices that they allow their employees to use for work; however, they have a responsibility to protect their systems and the sensitive data that they contain. SASE provides a usable and effective solution that provides employees with the ability to use the devices that they prefer while minimizing an organization’s cybersecurity risk.
