Considerations To Secure Enterprise Mobility / BYOD


1 Considerations To Secure Enterprise Mobility / BYOD
Scott Gordon (CISSP-ISSMP) Vice President – ForeScout Technologies March, 2013

2 About ForeScout: At a Glance
- Founded in 2000; HQ in Cupertino, CA
- Dominant independent vendor of Network Access Control (NAC); #2 market share, behind Cisco
- BYOD, endpoint compliance and cloud fueling growth
ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government organizations.
- Innovative Technologies: real-time visibility and control; leader ranking by Gartner*, Forrester** and Frost & Sullivan***
- Global Deployments: financial, healthcare, education, manufacturing and government; enterprise implementations (> 250k endpoints)
*Magic Quadrant for Network Access Control, December 2012, Gartner Inc.
**Forrester Wave Network Access Control, Q2-2011, Forrester Research
***Analysis of the NAC Market, February 2012, Frost & Sullivan

3 Framing Enterprise Mobility and IT Consumerization / BYOD
Enterprise mobility is the use of wireless, mobile and consumer devices, as well as mobile and cloud-based applications, to enable access to corporate resources.
A Bring Your Own Device (BYOD) strategy is the extent to which an IT organization prohibits, tolerates, supports or embraces the use of personal mobile devices at work, together with the controls used to enforce that policy.
Challenge
- Proliferation of mobile devices on corporate networks impacts security
- Consumers are setting the rules with personal and mobile device and application use
- IT teams need visibility and control across user, device, application, data and network
Risks
- Data loss: lost phone or laptop; unauthorized access; compromised system; unknown data protection
- Malware: phishing, access, mobile/app
- Compliance: rogue devices, unauthorized apps, inconsistent policy

4 Market Research – Mobile Security Product Requirements
Generally, virtually all respondents rate all of these MDM features as being “important” or “essential” (90% or higher). Essential features of “network access control” and “unified policy management” are unavailable from MDM solutions.
Features rated: Network Access Control; Security Posture; Security Management; Software Management; Unified Policy Management; Inventory Management
Source: Boston Research Group, ForeScout Sponsored Mobile Security Study, 2012

5 Framework: Securing BYOD Implementation
Form a committee; Gather data; Identify use cases; Formulate policies
- Which corporate applications? Which users?
- How will data be secured?
- Who will be responsible for BYOD support?
- What happens if the device is lost or stolen?
- How will the endpoint device be updated?
- Acceptable use policies?

Speaker notes:
Step 1: Form a committee. You will need a team which includes members from different IT departments (e.g., security, network, endpoint and application) plus a representative sample of users in your organization.
Step 2: Gather data. You need to document the status quo. Review current policies, and make note of the prevailing attitudes toward security and management: are they supportive, antagonistic or indifferent? Identify which departments, groups and individuals have been most active in developing policies in the past. Gather data about your status quo, including:
- counts of devices in use by platform, OS version and ownership (company-owned, personally owned, or in the hands of non-company personnel such as contractors);
- an assessment of the data currently passing onto and through mobile devices;
- mobile device applications in use, app ownership and app security profiles;
- all entry paths used by mobile devices, such as cellular, Wi-Fi, bridge to workstation or VPN.
Step 3: Identify and prioritize use cases via workforce analysis. To be effective, mobile device policies must be context-oriented to match the reality of a company’s use cases. You will need to plan out: How will mobile devices be used? Which mobile applications need to be used offline, such as on airplanes and in elevators? What information will be accessible through mobile devices? What information will be stored on the mobile devices?
Step 4: Formulate policies. If yours is a large organization, you may wish to consider different policies for different populations of users. For example, for the majority of your employees, you might wish to support simple applications like and just a small number of mobile devices, like Blackberry and Apple. For another population of users, for example your sales organization, you might wish to additionally support a sales force automation package, and you might wish to extend support to Android devices in addition to the Blackberry and Apple devices. And for key executives, you will provide best-effort support for other applications on these devices, on a per-request basis. Analysts at Gartner are big proponents of this model, which is the opposite of “one size fits all”; they call it “managed diversity.” When you decide on your policies, you need to strike a balance between user flexibility and security. The user experience is important and must be taken into account in the new policies. However, user experience is not the trump card: you cannot allow employees to dictate a path that causes the enterprise to accept too much risk. Where applications and data will reside on personal devices, companies should set limits on which personal platforms are supported and should be prepared to limit the types of information made available to personal devices.
Step 5: Decide how to enforce policies. Policies are only as good as the enforcement mechanism. You will need to decide how to protect the integrity of your network, which you are opening up to these devices, and also how to protect the integrity of your data, which not only resides on your network but will probably also reside on the mobile devices. I’m going to be talking much more about enforcement approaches in a few minutes, so I’m going to move quickly on to the next step.
Step 6: Build a project plan. You will need a plan for implementing whatever controls you want to implement, which might include:
- remote device management and application controls;
- policy compliance and audit reports;
- data and device encryption;
- augmenting cloud storage security;
- wiping devices when retired;
- revoking access to devices when the end-user relationship changes from employee to guest;
- revoking access to devices when employees are terminated by the company.
Step 7: Evaluate solutions. We will be happy to engage with your team and recommend the right solutions for your organization. When you do evaluate a solution, make sure that you consider the impact on your existing network and how well the solution will strike the right balance between cost, security and user concerns. The most secure solution is never the most usable solution; you need to strike a balance.
Step 8: Implement solutions. Begin with a pilot group from each of the stakeholders’ departments; expand the pilot to departments based on your organizational criteria; then open the BYOD program to all employees.

6 Framework: Securing BYOD Implementation
- Decide how to enforce policies: network controls? device controls? data controls? app controls?
- Build a project plan: device enrollment; remote device management? cloud storage? wipe devices when employees are terminated?
- Evaluate solutions: ease of implementation? cost? security? usability?

7 Framework: Securing BYOD Implementation
Form a committee; Gather data; Identify use cases; Formulate policies; Decide how to enforce policies; Build a project plan; Evaluate solutions; Implement solutions
- Network controls? Device controls? Data controls? App controls?

8 Framework: Securing BYOD Implementation
Form a committee; Gather data; Identify use cases; Formulate policies; Decide how to enforce policies; Build a project plan; Evaluate solutions; Implement solutions

Speaker notes:
So I can’t help with step 1 or step 2 or many of these other steps; you’ll need to do those yourself. But I would like to go back to step 5 and give you an overview of the various types of enforcement solutions that are available. Forming a strategy for BYOD is not simple. This is not like buying a firewall or an antivirus. There are many different approaches you can use, and I’d like to help you understand the landscape of solutions.

9 Enterprise Mobility Control Characteristics
NAC is fundamental to secure BYOD/CYOD.

Approach | Characteristics
Block all personal devices | Very secure! Career limiting…
Manage all personal devices (MDM) | Good security at the device level; phones/tablets, not Windows & Macs; separate management console
Restrict the data (VDI) | Strong data protection; varying user experience; not for the road warrior
Control apps (MEAM, MAW) | Secure the app and data; must be used with other controls
Control the network (NAC) | Foundational, simple, real-time coverage; network-centric visibility and control

Speaker notes:
The first approach is to block all personal devices. This is the “Just say no” method. Now, this might still be the right approach for some organizations; the military and some banks come to mind. But for most enterprises, not so much. It’s becoming a career-limiting approach, and we are seeing organizations moving away from it.
Second, you could try to manage all the personal devices on your network. This is what’s called “Mobile Device Management”, or MDM. This approach has gained a lot of traction, and it definitely allows you to secure the device itself, assuming the device has actually been enrolled in the MDM system and has an agent installed. But MDM usually does not support all the mobile devices that employees are bringing into the office; for example, it doesn’t help you secure personally-owned MacBooks and Windows PCs. Another problem is that MDM is usually installed as a separate system, with a separate management console, not integrated with anything else.
Your third option: you could restrict the data so that it never gets onto mobile devices. You say “I don’t care whether the device is secure, I’m just going to worry about securing the data,” and you let users see the data through a virtual desktop interface, using products from Citrix or VMware. The data never gets copied down to the device. This is very strong data protection, but it does not provide a good user experience for owners of phones and tablets. Moreover, VDI does not work if you don’t have a live Internet connection, so for large populations of mobile users who work on airplanes and in taxis, this is a non-starter.
The next option is to control the applications that mobile users run. You can build your own enterprise applications using a mobile enterprise application platform (MEAM), or you can use a mobile application wrapper (MAW) from vendors like Mocana and Nukona. These application wrappers help you encrypt and contain the data that the applications use. These approaches are fairly new; it is a niche market, and you would probably need some in-house development expertise to roll it out. It looks like a promising approach. But even this approach is not a panacea, because if you read the whitepapers written by these vendors, you’ll see that they rely on you having a distribution mechanism like MDM to distribute and manage the apps. And they don’t necessarily work with , which is the most common application.
Lastly, you can control network access in a very intelligent way. I’m not talking about “blocking all personal devices” from the network, that was solution #1; I’m talking about granting specific network access on the basis of who the user is, what the user has, and how secure that device is. This too is not a panacea, but it’s simple, it’s future-proof, and if you buy your NAC from ForeScout you will immediately get 100% visibility and control over everything on your network, and you won’t need any software agents. Some vendors’ network access control systems require agents, but not ForeScout’s. Our solution is an appliance that you drop into your network.
Now, one of the shortcomings of this approach is that NAC doesn’t protect the device itself. So if you decide to allow mobile devices onto your network, and you decide to allow data onto the mobile devices (or, unbeknownst to you, data winds up on the mobile device), you’ll need something else to protect that data, for example mobile device management.

10 CounterACT: Continuous Monitoring & Remediation
Proven Platform for Real-time Visibility and Automated Control
- Complete Visibility, Enforcement, Remediation, System Integration
- Endpoint: authenticate & inspect; device discovery and profiling [HW/SW, user, location ...]; multi-factor, complete, clientless interrogation; continuous monitoring
- Enforcement: port-based [with or without 802.1X]
- System Integration: natively or with 3rd-party integration (SIEM, MDM, Identity, HBSS)

11 CounterACT: Continuous Monitoring & Remediation
See: Real-time Network Asset Intelligence: device type, owner, login, location; applications, security profile
Grant: Policy-based Controls: grant access, register guests; limit or deny access (diagram labels: CRM, Web, Guest, User, Sales)
Fix: Automated Enforcement: remediate OS, configuration, security agents; start/stop applications, disable peripherals
Protect: block worms, zero-day attacks, unwanted apps
Phased-in, manual or fully automated

12 What is Mobile Device Management
The Essentials: device enrollment; OTA configuration; security policy management; real-time reporting; remote lock, wipe, selective wipe; self-service portal; enterprise app portal
Advanced Management: access controls; application management; document management; certificate management; profile lock-down; corporate directory integration; geo sensing; PII protection
Diagram labels: Device Enrollment, Acceptable Use; MDM Actions; Corp App Storefront; Event-based Security & Compliance

Speaker notes:
Customers we speak with are usually looking for basic security and management right off the bat. These are the must-have abilities: being able to remotely locate and wipe a lost or stolen device; the ability to understand if a device is rooted or jailbroken; even having the ability to manage Wi-Fi profiles; and having the ability and tools for real-time deployment, reporting and actions. (Mention some others from the list.)
Then the desire to implement more advanced management capabilities comes into play. This includes the ability to deploy applications, distribute documents to your sales force or other groups, and even create rules which govern the device. A common rule we hear about is setting up restrictions if a user has installed an application which is not authorized by IT. For an iOS device, there is actually no way to force the user to uninstall the application. Using our rules-based engine, you can automatically message the user to remove the application; if they do not, their corporate access is taken away.
MaaS360 allows for the progression of features in a seamless fashion, providing what you need now and allowing you to be prepared for the next generation of support. (The application storefront is a good example of this.)

13 NAC+MDM Synergies: 1+1=3
Unify visibility, compliance and access control. NAC focus is the network; MDM focus is the mobile device.

                | MDM Alone                 | NAC Alone                       | NAC+MDM
Visibility      | Full info on managed only | Basic OS info on all devices    | Complete
Access Control  | For managed and only      | Partial (missing endpoint info) |
Deployment      | Pre-reg agent             | Network-based, automated        |
Enforcement     | Polling rate              | On network access               |
Network control | No                        | Yes                             |
Root detection  | On profile check          |                                 |
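The See / Grant / Fix / Protect loop of slide 11, the message-then-revoke rule for unauthorized apps on slide 12 and the NAC+MDM table above all describe one policy engine in words. The Python below is an added example, not code from ForeScout, CounterACT or MaaS360: it evaluates constructed device records against constructed policy parameters (an authorized-app list, minimum OS versions, a 24-hour grace period), so that facts a NAC can see from the network (platform, OS fingerprint, enrollment state) decide access for every device, while posture only an MDM agent can report (root status, installed apps) tightens the decision once a device is enrolled. It also includes the device counts from the “gather data” step of slide 5. All names, thresholds and sample records are assumptions.

```python
"""Added example, not ForeScout/CounterACT/MaaS360 code: a toy See/Grant/Fix/Protect
policy engine combining NAC-visible facts with MDM-only posture. Everything is constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy parameters (assumptions, not any vendor's defaults).
AUTHORIZED_APPS = {"mail", "crm", "sfa"}
MIN_OS = {"ios": (6, 0), "android": (4, 1), "windows": (6, 1), "macos": (10, 8)}
GRACE_PERIOD = timedelta(hours=24)  # time a user gets to remove an unauthorized app

@dataclass
class Device:
    mac: str
    user: str
    platform: str                   # visible to NAC from the network
    os_version: tuple               # basic OS fingerprint, also visible to NAC
    corporate_owned: bool
    mdm_enrolled: bool
    rooted: Optional[bool] = None   # known only through the MDM agent
    apps: Optional[set] = None      # known only through the MDM agent
    first_violation: Optional[datetime] = None  # when an unauthorized app was first seen

@dataclass
class Decision:
    access: str                     # "full", "limited", "guest" or "deny"
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # remediation ("Fix") steps to queue

def evaluate(dev: Device, now: datetime) -> Decision:
    """Grant, limit or deny network access and queue remediation actions."""
    # 1. Platform limits: a platform outside the supported list gets guest access only.
    if dev.platform not in MIN_OS:
        return Decision("guest", ["unsupported platform"], ["register as guest"])
    # 2. Not enrolled: NAC has only basic OS info and posture is unknown, so the
    #    device is steered to enrollment rather than trusted.
    if not dev.mdm_enrolled:
        access = "limited" if dev.corporate_owned else "guest"
        return Decision(access, ["not enrolled in MDM; posture unknown"],
                        ["redirect to self-service enrollment portal"])
    # 3. Enrolled: MDM posture is available. Rooted/jailbroken is a hard stop.
    if dev.rooted:
        return Decision("deny", ["device is rooted/jailbroken"],
                        ["selective wipe of corporate data", "notify user"])
    decision = Decision("full")
    # 4. Out-of-date OS: stay on the network but off sensitive resources until fixed.
    if dev.os_version < MIN_OS[dev.platform]:
        decision.access = "limited"
        decision.reasons.append("OS version below policy minimum")
        decision.actions.append("push OS update notice")
    # 5. Unauthorized app: the platform cannot force an uninstall, so message the
    #    user first and revoke access only after the grace period has passed.
    unauthorized = sorted((dev.apps or set()) - AUTHORIZED_APPS)
    if unauthorized:
        if dev.first_violation is None:
            dev.first_violation = now
        if now - dev.first_violation > GRACE_PERIOD:
            decision.access = "deny"
            decision.reasons.append(f"unauthorized app(s) {unauthorized} not removed in time")
        else:
            decision.reasons.append(f"unauthorized app(s) {unauthorized} pending removal")
            decision.actions.append("message user to remove unauthorized app(s)")
    else:
        dev.first_violation = None  # violation cleared
    return decision

def summarize(devices) -> dict:
    """The 'gather data' step: counts by platform, ownership and MDM enrollment."""
    return {
        "by_platform": dict(Counter(d.platform for d in devices)),
        "corporate_owned": sum(d.corporate_owned for d in devices),
        "personal": sum(not d.corporate_owned for d in devices),
        "mdm_enrolled": sum(d.mdm_enrolled for d in devices),
        "unmanaged": sum(not d.mdm_enrolled for d in devices),
    }

# Constructed sample inventory and evaluation times.
SAMPLE = [
    Device("00:11:22:33:44:01", "alice", "ios", (6, 1), True, True, False, {"mail", "crm"}),
    Device("00:11:22:33:44:02", "bob", "android", (4, 2), False, False),
    Device("00:11:22:33:44:03", "carol", "ios", (6, 0), False, True, True, {"mail"}),
    Device("00:11:22:33:44:04", "dave", "android", (4, 0), True, True, False, {"mail", "game"}),
    Device("00:11:22:33:44:05", "erin", "symbian", (9, 4), False, False),
]
T0 = datetime(2013, 3, 1, 9, 0)
T0_PLUS_25H = T0 + timedelta(hours=25)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for d in SAMPLE:
        print(d.user, evaluate(d, T0))
```

The ordering of the checks is the point: an unmanaged device never reaches the posture checks, because there is no agent to report them, which is exactly the “basic OS info on all devices” cell of the NAC-alone column; enrolled devices get both the network decision and the device-level remediation, which is the “complete” cell of the combined column.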

14 ForeScout CounterACT

15 Unified Visibility and Control
Security operators gain greater visibility and control

16 ForeScout CounterACT Advantages
- Easy to use and deploy with low TCO: hybrid 802.1X/agentless approach; works within existing/legacy environment; easy, centralized administration; high availability, scalable, non-disruptive
- Real-time situational awareness: all users, devices, applications; infrastructure agnostic; wired, wireless, managed, rogue, VMs, PC, mobile, embedded
- Flexible, integrated mobile security: value of NAC with MDM device security; ForeScout has the broadest integration with leading MDM vendors
- Rapid results and time-to-value: extensible templates and controls with robust SIEM, HBSS, CMDB, MDM and directory integration

17 Analyst graphic notes
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
**The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
***Frost & Sullivan chart from 2012 market study “Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth”. Base year 2011, n=20.

