Supporting BYOD with Zero Trust Security

by Erin Risk


Recent years have put the security risks of BYOD policies in the spotlight. Letting users access company resources through their personal devices offers many benefits. But the relative lack of control makes them vectors for cyberattacks. While many solutions exist for managing BYOD environments, they still depend on outdated remote access security technologies.

This article explains how the BYOD trend began and what drove its widespread adoption by companies of all sizes. The security risks that BYOD presents are also addressed along with an introduction to a new approach to BYOD security called Zero Trust.

What is BYOD?

Bring Your Own Device (BYOD) refers to policies that let employees and other users access company resources from their personal devices. Consumers’ rapid adoption of smartphones in the 2010s drove this trend. Executives, salespeople, and other traveling employees wanted to use their personal phones for work rather than carry the older devices their companies issued.

By 2013, more than 40% of organizations had BYOD policies in place. The COVID pandemic made work-from-home and BYOD essential. A recent study found that 82% of companies now rely on BYOD. Even as some employees return to the office, many companies will continue BYOD-enabled remote working. Letting your employees do company work on personal devices creates several benefits:

  • Productivity improves as people use the devices they are familiar with.
  • Employees enjoy a better user experience on their own devices.
  • Morale improves as employees feel trusted and empowered.
  • Companies get faster technology refreshes as users upgrade their devices.
  • Companies spend less on end-user technology.

Of course, BYOD policies also introduce risks:

  • Lost or stolen devices could fall into the wrong hands.
  • Employees may leave the company but still have access or data.
  • Personal devices may not have the latest security in place.
  • Managing BYOD is more complicated than managing company-owned devices.
  • Employees may not trust the company’s monitoring of their activity.

Why are companies adopting BYOD?

The smartphone-driven trends of the 2010s drove the first wave of BYOD adoption. What could IT departments do when CEOs asked whether they really had to use two phones? Changes to tax policies also made BYOD an easier choice. But convenience is only one reason for BYOD adoption.

Boosting productivity

Several studies have found evidence that BYOD policies can increase employee productivity. One survey found that BYOD lets users save up to 81 minutes every week. Another report found that workplace productivity increased 16% when BYOD policies were implemented.

Reducing costs

BYOD policies can lower IT costs. Employees already know how to use their personal devices. This reduces training costs as well as the number of help desk calls. A larger saving comes from not having to purchase end-user devices for every employee. These cost savings are not limited to large enterprises. A study found that BYOD could save $1.5 million a year for companies with as few as 500 employees.

How does BYOD work?

Even if a company does not have a formal BYOD policy, its employees are already using their personal devices to get things done. Bringing this shadow IT infrastructure under control is an important step towards securing company resources.

Mobile device management (MDM) solutions let IT and security teams control which personal devices may access the company network. Although first created to manage users’ smartphones, MDM solutions now cover a broad range of devices. The MDM client installed on the device places work apps and data in an encrypted, managed container (often called a work profile) that is kept separate from the user’s personal apps and data.

Management consoles let administrators monitor usage and enforce security policies. Most importantly, they can protect company resources should a device get stolen or an employee leave the company. The MDM system lets them terminate access and remotely wipe all company data from the user’s device.

Depending on the degree of control companies impose, MDM systems may let users self-provision. Approaches to provisioning user devices vary but often follow this general process:

  • Employee training - Employees must acknowledge that they understand the company’s security policies and how they are expected to use BYOD privileges responsibly.
  • Device preparation - Users with certain devices may need to configure settings in the operating system or security software.
  • Download and installation - Users download and install the client application from a company website or their device’s app store.
  • Registration - During the installation process, users will enter their credentials for the company’s authentication system.

Once this process is complete, the device will have separate areas for the employee’s work and personal activities. The company’s business, security, and other applications will be installed in the work area as well.

What are the security concerns for BYOD?

Despite its benefits, BYOD can expand a company’s attack surface. A T-Mobile study of cybercrime found that lost mobile devices led to 41% of successful security breaches over the past decade.

The biggest challenge of BYOD workforces is the sheer variety that administrators must manage:

  • Different form factors.
  • Different makes and models.
  • Different operating systems and versions.
  • Different security applications.
  • Different ages.

Managing such a diverse ecosystem consumes time and resources. Should something get missed, cybercriminals may have an opening into a company’s network.

Other security concerns that must be considered include:

  • Employees are not always in control of their devices. Loss and theft aside, employees may leave devices unattended in hotel rooms, coffee shops, or airport lounges. At home, other family members may have access to the device.
  • Employees take their personal devices when they leave the company. The devices may still store company data or have access to company resources.
  • People do not apply security updates right away. Unpatched vulnerabilities could create an opening for attackers.

In addition to these issues, employees may try to circumvent BYOD security. When strict policies create friction that interferes with worker productivity, individuals and teams will find easier ways to get things done. If employees suspect their company has too much control — or is using their devices to spy on their activity — they may also find ways to bypass BYOD policies.

How Zero Trust technology can improve security of BYOD

Zero Trust is a modern approach to remote access that makes BYOD easier to deploy and manage while improving network security. Traditional methods rely on outdated security technologies, such as VPN, that make flawed assumptions:

  • Company-owned devices are more secure than employee-owned devices.
  • Resource access from the office is more secure than remote access.
  • Once authenticated, a user’s connection is always secure.

One of the core principles of Zero Trust — assume breach — recognizes the modern reality that security breaches can happen at any time to any user regardless of the device or network they are on.

Zero Trust solutions protect each resource by hiding it behind a software-defined perimeter. Every attempt to connect, regardless of its source, is challenged as if it were a potential attack. Once the user is authenticated, least-privilege access rules let them reach only the resources their role justifies. And when an authenticated session ends, so does the employee’s authorization: new connection attempts are challenged as if the previous session never happened.

Twingate’s Zero Trust solution integrates with a company’s existing security stack to protect on-premises and cloud-based resources while letting employees work productively. Working with the existing Identity Provider (IdP), Twingate verifies a user’s identity when they try to access a resource. Going further, Twingate evaluates the context of that connection:

By enforcing context-sensitive authentication rules, Twingate lets companies create more granular authorization policies across a wider range of use cases. The scope of a user’s access to a particular resource can change depending on which device they use and whether they connect from home, the office, a hotel, or a customer site. When the user accesses a less sensitive resource, they can get more permissive authorizations.
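To make the preceding two paragraphs concrete, here is a small policy engine that models the behaviour they describe: every connection is evaluated from scratch, a role must justify access to the resource, the scope of access narrows as device health and connection context get worse, and an ended session leaves no residual rights. This is an added illustration written for this article, not Twingate’s code or policy model; the resource names, device fields, network labels, the eight-hour session lifetime and the thresholds inside decide() are all assumptions chosen for the example.

```python
"""Context-aware, least-privilege access decisions for a BYOD workforce.

Added illustration only; this is not Twingate's code or policy model.
Resource names, device fields, network labels, the session lifetime and
the thresholds in decide() are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DeviceContext:
    managed: bool         # enrolled with the company client / MDM
    os_patched: bool      # OS at or above the required patch level
    disk_encrypted: bool  # full-disk encryption reported on


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    device: DeviceContext
    network: str          # "office", "home" or "public" (assumed labels)
    resource: str


# Assumed resource catalogue: sensitivity tier plus the roles that justify access.
RESOURCES = {
    "wiki":    {"tier": "low",    "roles": {"engineering", "sales", "finance"}},
    "crm":     {"tier": "medium", "roles": {"sales"}},
    "payroll": {"tier": "high",   "roles": {"finance"}},
}


def decide(req: Request) -> str:
    """Evaluate one connection attempt from scratch (assume breach).

    Returns "allow", "allow-read-only" or "deny". Nothing is inherited
    from earlier decisions for the same user, device or network.
    """
    res = RESOURCES.get(req.resource)
    if res is None:
        return "deny"                        # unknown resource: default deny
    if not (req.roles & res["roles"]):
        return "deny"                        # least privilege: a role must justify it
    healthy = req.device.managed and req.device.os_patched and req.device.disk_encrypted
    if res["tier"] == "high":
        # Sensitive data only reaches a managed, healthy device off public networks.
        return "allow" if healthy and req.network != "public" else "deny"
    if res["tier"] == "medium":
        if healthy:
            return "allow"
        # Unmanaged or unpatched personal device: narrower scope rather than none.
        return "allow-read-only" if req.network != "public" else "deny"
    # Low-sensitivity resource: broader access, still role-gated above.
    return "allow" if req.network != "public" else "allow-read-only"


@dataclass
class Session:
    user: str
    authenticated_at: datetime
    ttl: timedelta = timedelta(hours=8)     # assumed session lifetime

    def is_valid(self, now: datetime) -> bool:
        return now < self.authenticated_at + self.ttl


def authorize(session: Optional[Session], req: Request, now: datetime) -> str:
    """Identity first, then context. An ended session carries no residual
    rights: the next attempt must re-authenticate with the IdP."""
    if session is None or session.user != req.user or not session.is_valid(now):
        return "reauthenticate"
    return decide(req)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    laptop = DeviceContext(managed=True, os_patched=True, disk_encrypted=True)
    phone = DeviceContext(managed=False, os_patched=False, disk_encrypted=True)
    sess = Session("alice", authenticated_at=now - timedelta(hours=1))
    for dev, net, res in [(laptop, "home", "payroll"), (phone, "home", "payroll"),
                          (phone, "public", "wiki")]:
        req = Request("alice", frozenset({"finance"}), dev, net, res)
        print(res, net, "->", authorize(sess, req, now))
    stale = Session("alice", authenticated_at=now - timedelta(hours=9))
    print("stale session ->", authorize(stale, req, now))
```

The shape to notice is that decide() never consults a prior result: the same user on the same device gets re-evaluated on every attempt, and the only memory across attempts is the authenticated session, which authorize() treats as worthless the moment it expires. Network location is one signal among several and never sufficient on its own, which is what keeps the example consistent with the "assume breach" principle above.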

Twingate also makes the Zero Trust experience simple for both the end-user and the administrator. The end-user can install the Twingate client application without making any changes to operating system settings. The app runs seamlessly in the background. Work traffic is securely routed directly to either cloud or on-premises resources while personal activity stays on the public internet.

Administrators do not need to configure user devices or alter resource settings. Simple consoles let them quickly on-board and off-board users or change authorizations. Because Twingate operates at the transport layer, access control is decoupled from the network’s architecture, so implementing Zero Trust does not require infrastructure changes.

Make BYOD more productive and secure with Twingate

Personal devices are a permanent part of every company’s IT infrastructure, whether they acknowledge it or not. Establishing and enforcing BYOD policies is the only way to minimize the resulting security risks. Administrators do not have as much control over BYOD as they do company-owned assets. But they still must find ways to keep company data secure and control access to company resources.

Twingate’s Zero Trust remote access and security solution provides a simple, scalable path to making the BYOD workforce more productive. Contact Twingate to find out how Zero Trust can improve your BYOD security.