The key to securing BYOD access to applications and providing visibility
Menlo Security Inc.
Menlo Security makes every browser an enterprise browser.
Bring Your Own Device (BYOD) initiatives have been around for decades, and have become increasingly popular over the past several years. In fact, 82% of organizations have a BYOD program. Allowing employees to use their own laptop, tablet, or mobile device to access applications and data enables the level of business agility that organizations need in today’s always-on, hyper-competitive business environment. Users can log on and conduct business from anywhere with an Internet connection, and the IT department doesn’t have to worry about procuring, managing, and keeping track of distributed devices – ultimately saving money, eliminating IT overhead, and improving productivity.
However, BYOD has its downsides as well, and chief among them, not surprisingly, is data loss. Unmanaged BYOD devices that connect to corporate assets can pose a major risk to the organization, creating a security gap that threat actors can use to gain initial access to an end device. Once infected, these devices provide an avenue for attackers to spread laterally across the network and applications, where they can steal sensitive data or lie in wait, ready to deliver their payload when the time is right. For example, in 2016 a modified version of Pokemon Go, the augmented reality mobile game, packed a malicious remote access trojan (RAT) that could give an attacker virtually full control over a victim’s phone. That same phone could be used for work-related activities.
In order to keep taking advantage of BYOD policies, organizations need to find a way to provide application access without putting the organization at greater risk.
The security risks of BYOD
Digital transformation, with most apps becoming browser-enabled and moved to the cloud, delivers obvious benefits regarding user productivity, business agility, and employee morale. Most work today is actually conducted in the browser through private applications and third-party Software as a Service (SaaS) platforms; as recently reported, 50% of workers can perform their entire job using a web browser, and 80% can do 80% of their work through a browser. Critical business applications such as email, messaging, productivity tools, customer relationship management (CRM), enterprise resource planning (ERP), real-time inventory, logistics and others are now typically run in the cloud, allowing many users to work almost entirely outside the hardened data center. This seems to set the stage for BYOD as well, but there are important hurdles to clear.
A lack of visibility into and control over unmanaged BYOD devices makes it virtually impossible to detect suspicious browser behavior or take preventive countermeasures before a breach occurs. This is especially concerning when you consider what users do with their personal devices when they are not working. They might visit risky websites, share information on social networks, download suspicious content, or access sketchy web-based applications.
Complicating matters further is the fact that there is no way to know which browsers are being used on the BYOD endpoint, the update status of the browser, or whether the device itself is shared with others. Getting visibility into browsing sessions has been virtually impossible, and threat actors know this, as they are increasingly targeting browser vulnerabilities to gain access to enterprise networks. Coupling the growing threats to browsers overall with the fact that BYOD endpoints may be shared and are essentially unmanageable seems like a recipe for disaster.
Should companies give up on BYOD?
The Menlo answer is a resounding “NO!” The correct implementation will not only secure access for the occasional BYOD use case, but it will also dramatically strengthen browser-based application access and visibility on any device.
Here are three things to consider when enabling a secure BYOD strategy:
1. Zero-touch deployment
The key to BYOD security is making it as easy as possible on users. Security teams need to make the deployment process as seamless as possible, or, better yet, don’t give users an option by taking them out of the equation completely. Agentless deployment automatically extends coverage to any device that attempts to connect to an enterprise asset – whether it is a private cloud application or third-party SaaS platform. Such a deployment method greatly reduces the resources needed from security and IT teams because no DNS records are needed, there’s no need to import certificates, and no agent is required.
2. Network separation
The secure cloud browser provides separation between device and application as well as enterprise application and Internet. By accessing a rendered representation of the application, instead of the original application itself, you can provide access, while shielding the user from content-based attacks and shielding the application from malicious requests that might involve parameter tampering, web scraping, API abuse, and a host of other problems. This network separation ensures that threats do not have any direct access to the application whatsoever. So, even if a user clicks on a malicious link, downloads a malicious file or tries to access a malicious application – the harmful entity never has a chance to interact directly with your application that hosts sensitive and proprietary data.
3. Visibility
Visibility into how the user is accessing the application is essential to ensure that controls are working properly. The security team needs to be able to see what the user did during their browsing session, and this has historically been an issue with other solutions that provide access to enterprise applications, e.g. VPN, VDI, etc. Because browser traffic has been a "black box," the SOC is unable to tell if there is an issue until it is too late. Nowhere is this more true than in the case of application access via BYOD endpoints. Through the secure cloud browser and browsing forensics, the SOC now has visibility.
Non-disruptive security for BYOD (and any other) endpoints
Menlo has the answers that you need, with Secure Application Access and Browsing Forensics.
Secure Application Access, combined with the Secure Cloud Browser, delivers an ideal solution that protects applications from whatever might be on the endpoint while it protects endpoints from any malware that might be on the server. The user is presented with an application portal directly, or via a lightweight browser extension, as the only method to access applications from the BYOD endpoint. This removes the possibility of lateral network movement, while it narrows the available applications to only those appropriate for the user.
Browsing Forensics completes the solution, delivering visibility into browsing sessions for the first time, on any endpoint. Enterprises can select the content that should be captured in the session, including screen grabs, user input, if any, and the page resources themselves. These captures are immediately ported to the customer’s choice of cloud storage; Menlo does not retain the packages or even view them.
BYOD doesn't have to mean increased risk. Menlo Secure Application Access and Browsing Forensics protect your data while empowering your workforce with the flexibility they need.