Navigating the Flood of BYOD

Challenges to a Secure Network Architecture

Bob Shaw, President and CEO, Net Optics, Inc.

Post on 12-Sep-2014


DESCRIPTION

Read Navigating the Flood of BYOD to learn about the challenges of securing your network architecture. When Total Application and Network Visibility is implemented, BYOD helps employees to stay in touch with their personal lives while keeping their business lives separate, preserving the confidentiality and integrity of each, all on the same device. This adds up to productivity, security and morale.

TRANSCRIPT


Net Optics is a registered trademark of Net Optics, Inc. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged. Copyright 1996-2013 Net Optics, Inc. All rights reserved.

About the Author

Bob Shaw, President and CEO, Net Optics, Inc.

As President and Chief Executive Officer of Net Optics since 2001, Bob Shaw is responsible for conceiving and implementing corporate vision and strategy. He is instrumental in positioning Net Optics as the leading provider of Total Application and Network Visibility solutions in both the physical and virtual environments. Under Shaw’s guidance, Net Optics has achieved consistent double-digit growth, launched more than 35 new products, acquired more than 8000 customers, and expanded its global presence in over 81 countries. The company was recently included in the Inc. 5000 elite list of highest performing companies and won Best of FOSE honors. In addition, Net Optics has earned the coveted Red Herring Top 100 North America and Top 100 Global Awards for promise and innovation, the Best Deployment Scenario Award for Network Visibility and many other accolades. Shaw’s leadership experience spans startups to Fortune 200 organizations, where he held Senior Vice Presidential executive positions. Shaw earned both a Bachelor of Arts degree in Business and a Bachelor of Science degree in Economics from Geneva College in Pennsylvania.


Today’s ever-growing Bring Your Own Device (BYOD) adoption rates are inundating the network with security and performance issues. When employees use their own devices at work, the risk of security breach or data loss explodes. Unmanaged smart mobile devices and tablets invite mischief with their “anywhere, anytime, any-device” access to corporate data and infrastructure. With networks becoming more of a challenge to manage every day, IT departments must know which devices are connecting to their corporate networks. At the same time, authorized employees using personal iPads and smartphones need convenient, secure access.

The arguments for enabling employees to use their own devices are compelling. BYOD benefits include: improving employee satisfaction, attracting and retaining staff, expanding the number of mobile users in the workforce and cutting costs while allowing low-cost resources to be applied everywhere.

Deploying an effective BYOD program means supporting a variety of devices and their operating systems while maintaining expected levels of service, securely onboarding new devices while keeping costs low, and quickly identifying and resolving problems. In this eBook, we discuss the benefits and considerations associated with BYOD, and how organizations can effectively deploy BYOD programs using Net Optics solutions. We will address some of the challenges posed by BYOD, including:

• Maintaining security and compliance in the workplace

• How Application-aware NPM can help you avoid BYOD dangers

• Tackling visibility and security monitoring with Net Optics Network Packet Brokers (NPB)

• Optimizing tool performance using Net Optics xBalancer™


Always On, Always Around.

The ability to run any corporate workload from anywhere, at any time, and from a device of one’s choice is now the gold standard for computing. This capability makes workers of all kinds more productive, whatever social issues it raises about blurring the line between work and home life. Wireless now reigns decisively over wired, making employees increasingly responsive and productive on their devices running countless services and applications. However, the wired environment also raises new availability, granularity and security challenges.

An InformationWeek 2012 Consumerization of IT survey [2] of 400 business technology professionals reveals that we are still in the early stages of hard work with regards to BYOD. Right now, businesses are trying to envision the ideal combination of hardware, network infrastructure and software in order to virtualize devices and applications, connect optimally and flexibly, and govern security and policy. Each company must now navigate its own unique route to a resilient and scalable enterprise BYOD architecture.

The Way We Were

Four major factors had to come together to make BYOD a viable resource: technology, business readiness, employee demand—and now security. Back in the 1980s, workers faced a fairly narrow range of options for performing their jobs: Employees still worked overwhelmingly on employer premises, and so most work product remained confined to those premises. The majority of work was performed by full-time employees. Costlier though they were, most companies preferred this type of workforce rather than deal with the drawbacks of contractors and part-time workers, including tax complexities, confidentiality, longevity, and loyalty.

Nevertheless, the winds of change—more accurately the global typhoons—were already in motion, with the entire concept of work and employment set to evolve radically. The emergence of LAN technology in the 1980s began lengthening the cord that bound the worker to the workplace. Soon, employees could transport information digitally. Although that made it vulnerable to intrusion and corruption, this vulnerability itself spawned a whole industry engaged in protecting that data, wherever it went. With the needs for mobility and security recognized, if not solved, only one factor remained in order for BYOD to take off.

Employees Speak Out—and Sometimes Act Out

Technological progress was not the only pressure besieging the traditional workplace. Increasing employee pressure for family time was building, and the nature of the workforce itself was changing in the face of increased downsizing and outsourcing. The contract and part-time workforces continued to grow steadily. A May 9, 2012 article in Knowledge@Wharton [3] asserts a growing reality: that employees are becoming “short-term resources.” The article might have added the other half of the equation, namely that the employer itself may be a short-term resource as well.

With lifetime employment increasingly a nostalgic memory, job security has become a more fluid concept. But on the other hand, employees themselves now feel less ironclad loyalty and more freedom to move around; a job is seen more as the building block of a larger career strategy. The Internet, of course, feeds into and intensifies these trends, creating a river of jobs flowing across industries and regions, at which both employees and employers now drink.


BYOD: Inevitability and Reality

With change driving both workplace and workforce into cyberspace, and with connectivity soaring, the BYOD juggernaut was set in motion and was soon threatening to overwhelm corporate IT departments. According to a recent survey by IDC [4], IT groups typically underestimate by 50 percent the proportion of employees using their own devices for company business.

The day will soon arrive when the majority of devices used to access business applications will be consumer-owned.

By 2014, according to Gartner, 80 percent of professionals will use at least two personal devices to access corporate systems and data. [5] So “…saying ‘no’ to business use of smartphones, tablets and similar devices in the enterprise is no longer an option,” according to John Pescatore, vice president at Gartner Research.

On the positive side, BYOD has the potential to raise employee productivity significantly, streamline and increase collaboration, broaden information flow and enable faster, more agile response to market opportunities. Organizations allowing employees to choose their devices experienced a 200 percent increase in user satisfaction and a 25 decrease in associated costs. [6] The key is to give employees what they need, according to device type, and to implement security at the same time to safeguard the value of all this progress.

Not surprisingly, companies want BYOD programs that provision, secure and manage any device an employee wants to use. Many people think that BYOD security refers only to devices such as smartphones, iPads and Android-based tablets and laptop computers. However, the concept of BYOD security must also apply to personal online service accounts such as cloud storage used by employees in the workplace.

50% of employees use their own devices for company business.

80% of professionals will use at least two personal devices to access corporate systems and data.


Taking the Reins of Network Access Control

Nowadays, employees are demanding—or simply seizing—the freedom to use mobile devices of any type, anywhere, whether company- or employee-owned. Control of network access is critical to supporting business demands and managing BYOD risk over this growing range of devices and applications. BYOD has the potential to disrupt IT significantly, so comprehensive security and governance of a company’s BYOD program are critical.

New devices inundating the workplace bring a variety of new operating systems, such as iOS and Android, along with multiple applications. This ubiquity challenges IT to create a secure and effective BYOD strategy, not only to safeguard company confidentiality and integrity, but to support employee morale, trust and productivity.

In light of this urgency, it is alarming to learn that many IT departments remain unaware that employees are even using their personal devices on the corporate network. An important first step of any security program is to conduct an inventory to find and classify all devices on the network and then establish network access policies based on the risk potential of each device. Secure, convenient access for authorized devices is a first priority, while unauthorized devices will need their own controlled and limited access program.

All BYOD users want the speed and performance they are accustomed to on their local desktops. For this to happen, proper planning for sufficient capacity is key. Service-level agreements must be defined for the BYOD infrastructure. Encryption and login procedures for all endpoint devices (wired, wireless, physical and virtual) must be clearly documented. Related audit procedures must be set forth. Also, centralized management of the BYOD infrastructure, including device, state/session and profile management, must be in place.

The BYOD Security Architecture: Necessity Replaces “Nice-to-Have”

According to a new Gartner study, 90 percent of enterprises have deployed mobile devices; 86 percent of enterprises surveyed plan to deploy media tablets this year. This momentum also creates new security concerns—namely, “use of privately owned devices” and “deployment of new enterprise mobile platforms.”

To ensure BYOD security and support, Gartner suggests that enterprises leveraging increased mobility should develop a strategy that incorporates mobile data protection (MDP), network access control (NAC), and mobile device management (MDM) tools.

90% of enterprises have deployed mobile devices.

86% of enterprises surveyed plan to deploy media tablets this year.


BYOD has opened up a rich field for mischief of all types. Threats are evolving so quickly that networks need far more than an incident-by-incident, product-based response. Rather, they need a transparent, nondisruptive, integrated management and security architecture. The focus of security should no longer be solely on the perimeter, because threats are well-distributed within the perimeter as well. Lack of an integrated approach means security holes—tunnels, really, in light of the sophistication of these threats.

Ideally, a BYOD architecture should enable access to such functions as email and Internet for the privately owned devices, but deny these applications access to the corporate network anywhere sensitive business-critical information resides. If an employee brings in a tablet, for example, then IT should be able to detect and classify it as an “intruder” and limit its access to a guest network.

But identifying devices on the network is only the beginning. The real challenges are ongoing management and integrated security. As network technology evolves and security needs climb, IT must seek out best-of-breed technologies, find the right vendor, and deploy solutions that fit its business needs.

Network equipment such as switches, routers, wireless controllers, and firewalls are the first line of defense and should enable the most unequivocal security. Intrusion detection and prevention, deep packet inspection (DPI) and monitoring tools and analysis systems are absolutely vital to providing that high security. While the traditional security approach of blocking the villains and locking everything down to stay in control of outside threats will always be relevant, this approach can be overwhelmed and inundated by the number and diversity of personal and corporate mobile devices. It is not a panacea.

Security must be continuously analyzed and upgraded. A coherent and effective security policy must break down silos to leverage and integrate security across every device, geography and solution. Furthermore, this architecture should not demand a forklift upgrade, major redesign or massive investment in new capital. It should take advantage of current infrastructure wherever possible and optimize network security investment.

Making the Network Both More Accessible and More Secure

After performing a baseline inventory of employee devices, a BYOD program should be ready to provision access to both corporate-owned and personal devices. Flexible provisioning can accommodate personal mobile devices. Once a company has an infrastructure in place, no new devices should be able to connect undetected. Instead, the appropriate policies should be automatically applied and launched whenever a device connects to the network, whether a corporate or personal device, an iPhone or an Android tablet. This both ensures consistent security and saves the time that would be spent battling each new security incident manually. Understanding which devices are on the network also saves costly rip-and-replace upgrades. Keeping a hawk’s eye on network trends and behaviors will also help a company understand the various devices to watch for and enable improved decision-making.
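The inventory-then-policy flow described above (find and classify every device, give unknown devices guest-only access, and apply the policy each time a device connects) can be sketched as follows. This is an added example, not Net Optics code or anything from the eBook; the log format, MAC addresses, device lists and segment names are all constructed assumptions.

```python
"""Added example: baseline device inventory and per-device access policy."""
import re
from collections import Counter
from dataclasses import dataclass

# All data below is constructed for illustration.
CORPORATE_ASSETS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:07"}  # asset register
REGISTERED_BYOD = {"a4:5e:60:00:00:02": "alice"}               # onboarded personal devices

# Hypothetical segment names. Anything not positively identified lands in
# the most restrictive segment, matching the "guest network" rule above.
SEGMENT_FOR_TIER = {
    "corporate": "corp",
    "byod-registered": "byod-restricted",
    "unknown": "guest",
}

# Constructed DHCP lease log (the line format is an assumption).
SAMPLE_DHCP_LOG = """\
2014-09-12T09:00:01 DHCPACK ip=10.0.0.21 mac=00:1A:2B:00:00:01 host=FIN-LT-014
2014-09-12T09:02:13 DHCPACK ip=10.0.0.57 mac=a4:5e:60:00:00:02 host=alices-iphone
2014-09-12T09:05:40 DHCPACK ip=10.0.0.58 mac=3c:15:c2:00:00:09 host=android-7f3a
2014-09-12T09:06:02 DHCPACK ip=10.0.0.60 mac=not-a-mac host=???
2014-09-12T11:30:00 DHCPACK ip=10.0.0.99 mac=3C:15:C2:00:00:09 host=android-7f3a
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK ip=(?P<ip>\S+) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) host=(?P<host>\S+)$"
)


@dataclass
class Device:
    mac: str
    ip: str
    host: str
    last_seen: str
    tier: str
    segment: str


def classify(mac):
    """Return the risk tier for a normalized (lower-case) MAC address.

    A MAC address can be changed by the device, so it is only a starting
    point; authenticated onboarding would be needed to trust the tier.
    """
    if mac in CORPORATE_ASSETS:
        return "corporate"
    if mac in REGISTERED_BYOD:
        return "byod-registered"
    return "unknown"


def build_inventory(log_text):
    """Parse lease lines into {mac: Device}; the latest lease per MAC wins.

    Lines that do not parse are returned separately instead of being
    dropped silently, so gaps in the inventory stay visible.
    """
    inventory, rejected = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LEASE_RE.match(line.strip())
        if not m:
            rejected.append(line)
            continue
        mac = m["mac"].lower()
        tier = classify(mac)
        inventory[mac] = Device(mac, m["ip"], m["host"], m["ts"],
                                tier, SEGMENT_FOR_TIER[tier])
    return inventory, rejected


def summarize(inventory):
    """Count devices per tier, e.g. to compare against IT's own estimate."""
    return Counter(d.tier for d in inventory.values())


if __name__ == "__main__":
    inv, bad = build_inventory(SAMPLE_DHCP_LOG)
    for dev in inv.values():
        print(f"{dev.mac} {dev.host:<14} {dev.tier:<16} -> {dev.segment}")
    print("unparsed lines:", len(bad), "| tiers:", dict(summarize(inv)))
```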


BYOD Brings New Compliance and Growth Challenges

An effective BYOD architecture must also take compliance into consideration. The ability to automate discovery and profiling of devices on the network and to securely provision network access is essential to sustainable compliance as well as to security. With automated reporting procedures, IT staff will be able to smoothly incorporate a new BYOD program into current compliance procedures and respond promptly to audit requests.

As consumer devices grow more sophisticated and portable, corporate IT departments that look the other way or cling to their pre-BYOD architecture put their companies at a disadvantage—and all to achieve some fairly short-term benefits. Now is the time to implement a long-term, scalable BYOD architecture for security and manageability, timeliness, productivity and business advantage.

Gaining a Progressive BYOD Program While Preserving Current Investment

There is no question that BYOD is winning the workplace race. Acknowledging this reality, many companies are adopting a hybrid model in which the corporate workforce combines company-owned and employee-owned devices. Either way, security must be paramount.

In the enterprise environment, thousands of devices and applications must be able to seamlessly access network resources simultaneously while supporting the highest availability, SLAs, and QoS, enabling companies to gain the full benefit of their monitoring tool investments and protect the business capabilities that make BYOD so popular and successful.

BYOD and the EEOC

The U.S. government is implementing pilot BYOD programs in key agencies, including the U.S. Equal Opportunity Commission (EEOC) where the pilot program has been very successful. Employees are now able to use their smartphones with third-party software installed. The agency gains the ability to manage device security settings and also to remotely wipe the device clean of confidential information if it is lost or stolen. The agency has realized a cost reduction of 15 percent while reducing software maintenance costs.

The two most important elements in its success were that the agency leveraged its size and prominence to obtain the most advantageous rates (a tactic that a business should also employ); and establishment of a pilot program before rollout. The pilot program gave the agency a chance to work out eligible devices, cloud provider, configuration and technical support.


Best Practices for Maintaining a Safe and Efficient BYOD Environment

With BYOD, a company wants to streamline management, optimize cost-effectiveness, minimize IT overhead and maintain unbreachable security, all while ensuring that BYOD services and applications perform reliably whether on or off premises. Applications such as social media, blogs, and P2P networking, as well as core business applications, need constant vigilance. Monitoring web-based applications demands total, end-to-end visibility; that visibility, including the ability to search traffic using Deep Packet Inspection (DPI) and real-time, session-based analytics, is crucial to a BYOD program.

With the major resources a company has at stake in its network, the ability to see and monitor the network, application availability, and network performance is critical. In order to handle the flood of BYOD traffic and ensure network security, a company may need to invest in more tools. In addition, users will demand better quality for portal services; as more video is consumed, network latency and application performance become an issue.

Visibility and Security Monitoring Are Vital to Avoid the BYOD “Danger Zone”

An AA-NPM solution like Net Optics Spyke™ is an important BYOD resource, offering critical insights into the network and the impact that employee devices are having in terms of both security and performance. Spyke delivers a rich set of capabilities to monitor and review the network, seeing through its layers for total visibility. This real-time visibility supports constant network intelligence; it ensures that applications are safe and performing up to par and can find, diagnose and resolve issues before they become crises. With Spyke, IT can monitor and optimize for provisioning, security and high application performance cost-effectively without any disruption.

[Figure: Application Aware Network Performance Monitoring (AA-NPM) with Spyke™. Panels: VoIP Monitoring, Email Attachments, Top Talkers, Bandwidth Usage. Caption: Application-specific intelligence is critical to timely root cause analysis for BYOD security.]


By uniting Performance Management with Intelligent Access, Spyke forges the total network monitoring and access architecture needed by BYOD, extending visibility and control to the critical application layer. Spyke as a BYOD resource can be used in tandem with existing performance and availability solutions to plug visibility holes in the monitoring infrastructure.

Spyke’s real-time monitoring addresses critical business needs at gigabit speeds and provides insights and analysis on a sub-minute level. Application-specific intelligence is critical to timely root cause analysis for BYOD security—including identification of actual user names, individual VoIP calls, and deep visibility of email traffic. With a near real-time and historical view of key performance indicators (KPIs) such as traffic volume, top talkers, application and network latency, top conversations and application distribution, the IT department can monitor bandwidth usage and acquire needed information to quickly resolve issues for application performance. IT can also perform capacity planning and trend analysis to see how the BYOD program affects the baseline of network resources.

Spyke automatically discovers applications using Deep Packet Inspection (DPI). This allows for detection of which applications and clients use the network and how they use it: when users/applications go through a non-standard port number, IT can then distinguish legitimate from illegitimate traffic. Continuous and ad-hoc packet capture and analysis and VoIP monitoring with jitter analysis and MOS score address issues of user satisfaction. All of this can be done through a single pane of glass with an easy-to-use interface, for a low-cost way to reduce MTTR and quickly, accurately resolve network and application issues. There is less reliance on costly network engineers, better business continuity and a more satisfactory user experience.

Network Packet Brokers (NPBs) and BYOD: Key Security Resources

An NPB such as the Net Optics Director™ Family is another major resource for enabling successful BYOD security. Director forwards relevant network traffic from multiple links to multiple monitoring tools for centralized monitoring and analysis. Its flexible, high-performance features give customers the ability to view more traffic with fewer monitoring tools as well as prevent oversubscription.

[Figure: Network Packet Brokers (NPB) with Director™. Labels: Layer 7 Filtering, TapFlow™ Filtering, Low Latency, Aggregation & Regeneration; Security, Audit and Privacy, Performance, Forensics. Caption: Director forwards relevant network traffic from multiple links to multiple monitoring tools for centralized monitoring and analysis.]


Director also makes it simple for users to connect additional tools for reinforced security. Using Director as part of the BYOD security architecture makes the program more cost-effective and scalable by leveraging existing monitoring tools to maximize performance while increasing security, compliance and scalability.

This access switch provides intelligent, flexible centralized control and monitoring of all traffic streams in the network operations center. It heightens security and compliance, providing advanced filtering options based on packet headers and protocols (layer 4 filtering) as well as packet payload (layer 7 filtering); filtering by VLAN tags and MPLS labels as well as pattern matching anywhere within a packet (e.g., HTTP headers). Director performs forwarding, aggregation and regeneration of traffic received in-line or out of band. Low-latency, hardware-based TapFlow™ filtering makes sure that only traffic relevant to each tool is forwarded. Director increases performance and scalability through its ability to share tools and data access among groups without contention. A BYOD program becomes more efficient and cost-effective by maximizing utilization of existing monitoring tools.

Director can aggregate traffic from multiple links and load balance the traffic to multiple tools—ensuring that all monitoring tools are utilized efficiently and maximizing the monitoring capacity of the entire network. Without investing heavily in additional tools or risking oversubscription, a company can achieve peak network performance. With its ability to support Network intelligence statistics such as volume, oversubscription and protocol distribution, Director keeps traffic flowing even in the event of a power loss using its Zero Delay technology—helping a BYOD program to please users.

Load Balancing and BYOD: Cost-Effective Assurance That Tools Perform Optimally

As the BYOD phenomenon expands and networks grow under the influx of ever-increasing traffic, the need for a cost-effective way to protect and optimize tool performance rises accordingly. Load balancing has become a key element of maintaining tool performance within a BYOD security architecture. By providing a cost-effective way to prevent overburdening and consequent loss of tool function, a solution like the Net Optics xBalancer can help companies achieve and maintain peak performance and security in their 10G networks. Even better, this can be done without requiring heavy investment in additional 10G tools or risking oversubscription. xBalancer distributes the traffic load to multiple monitoring tools; its 24 SFP+ ports and integrated data rate conversion make it ideal for load balancing traffic from 10G links to multiple 1G tools, leveraging legacy investment. This versatile solution also enables two or more appliances to be deployed in parallel, either in-line or out-of-band.

[Figure: Network Packet Brokers (NPB) with xBalancer™. Labels: Dynamic Load Balancing, TapFlow™ Filtering, Packet Slicing, Aggregation & Regeneration; Security, Audit and Privacy, Performance, Forensics; 1G and 10G links. Caption: Scalable load-balancing that supports virtually any scenario.]

The stresses on network tools caused by multiple threats and exploding data volume from countless devices used by BYOD employees make xBalancer a smart component of BYOD strategy. xBalancer preserves the vital role played by security tools even as the BYOD phenomenon grows, ensuring business continuity. xBalancer also offers high availability (HA) modes that include heartbeat packets, redundancy and link-state awareness.

Scalability that supports nearly any scenario, plus ultra low latency thanks to its cut-through architecture, further make xBalancer an economical and high-value investment for a BYOD security infrastructure. Its TapFlow™ filtering and packet slicing mean that only relevant traffic is forwarded to tools. With its network intelligence supporting many statistics including volume, over-subscription and protocol distribution, and the latest load balancing capabilities based on MPLS labels, xBalancer adds the state-of-the-art network security protection that BYOD demands.

Holding Back the BYOD Tide Is Neither Cost-Effective nor Possible

The sooner the better is the ideal timeframe for a company to focus its resources on helping more employees make BYOD part of their jobs. An integrated BYOD architecture ensures that IT operations, application support teams and network engineers can always detect and fix network problems before service delivery is degraded or security compromised. Whether an SMB, a distributed office or an enterprise data center, this architecture enables the network intelligence, visibility, security, availability and quick troubleshooting capabilities that make for BYOD success. Properly implemented, BYOD helps employees to stay in touch with their personal lives while keeping their business lives separate, preserving the confidentiality and integrity of each, all on the same device. This adds up to productivity, security and morale.

Footnotes:

2. Information Week Reports, February 2012 http://reports.informationweek.com/abstract/83/8838/it-business-strategy/research-2012-consumerization-of-it-survey.html

3. Knowledge@Wharton on Forbes http://www.forbes.com/sites/knowledgewharton/2012/05/10/182012/

4. “Bring Your Own Device (BYOD) Unleashed in the Age of IT Consumerization” http://resources.idgenterprise.com/original/AST-0055442_BradfordWP0103_2_.pdf

5. Hamilton, Robert, “RSAC Panel Insights: Can Data Breaches Be Stopped, Really?” March 29, 2012, In Defense of Data http://www.indefenseofdata.com/page/2/

6. McLaughlin, Kevin, “Cisco Security GM: Embracing Consumerization Is Smarter than Fighting It.” September 28, 2011, CRN http://www.crn.com/news/security/231602340/cisco-security-gm-embracing-consumerization-is-smarter-than-fighting-it.htm

7. Bring Your Own Device: New Opportunities, New Challenges http://www.gartner.com/id=2125515


BYOD Essentials: Where to Start

Here are a few simple steps that an organization can take to ready itself for a BYOD program.

Choose consistent basic features and security measures

Make sure that you and your employees have consistency across the company in terms of threat protection, such as security settings, and policies.

Obtain appropriate legal guidance and advice

You should know where you stand with regard to your and your employees’ rights. Ensure that your company policies are valid and enforceable.

Inform and socialize BYOD fundamentals throughout the company

Simplify and explain BYOD concepts to the workforce; set up meetings so that everyone is on the same page, including which expenses you will defray and which are the employees’ responsibility, and reimbursement policy.

Create an internal advisory group

An internal advisory group can do the legwork to identify and compare providers for mobile device management, security risks and privacy concerns, Rules of Behavior, and creation of an internal web site.

Establish a pilot program

You can explore such issues as rate-plan optimization, software, device access to email, contacts and tasks, costs and budgeting.


Net Optics, Inc.

5303 Betsy Ross Drive Santa Clara, CA 95054

(408) 737-7777

twitter.com/netoptics

www.netoptics.com