BYOD is quickly becoming a valid and even preferred option in the workplace, with 85% of organisations implementing some form of BYOD. The efficiency that can be achieved with this trend is well documented and largely agreed upon. It's found that employees work well on familiar devices, this stretches further than just the initial learning curve that is avoided when using unfamiliar hardware; 61% of "millennial" and 50% of “techsavvy” workers aged 30+ believe their own devices are more efficient and as a result, are much more productive, further “techsavvy” workers of all ages noted a definite disconnect between their work and personal devices that was, of course, avoided with BYOD.
When given the option, employees largely embrace BYOD, as device familiarity, increased efficiency and general mobility are all positives for most.
However, from an employer’s point of view, BYOD represents both pros and cons. There are clear cost savings: The company themselves do not have to purchase and distribute corporate devices for their end-users. There is also a fiscal value on efficiency that is not lost on employers as companies report to savings from $350 - $1,300 per employee, per year when implementing a BYOD strategy. That said, issues comes into play with BYOD around security. Data leakage, device theft, and even basic cyber hygiene are problems that arise with BYOD implementations, then throw in other common threats for any corporate environment, such as potential malware attacks and physical security of the devices themselves, it's easy to see how implementing a BYOD plan can keep security teams up at night.
"Their login password... was password"
Mobile Device Management to the rescue?
One solution to this is Mobile Device Management (MDM). MDM is a strategy, which is usually implemented in the form of a software application or by interacting directly with the OS of the device (eg. Intune). Commands are pushed from the main MDM console that will interact with the user's device APIs. MDM can be used to manage types of multiple mobile endpoints, ie. laptops, smartphones, and tablets. Generally, most MDM schemes will store information on the devices that it is managing, authorizing what applications can be shown on the devices, and securing devices should they go missing or are stolen. This allows for easier deployment, quick integrations for both users & their equipment, and allows the IT team to manage multiple device types centrally.
MDM’s main selling points are its flexibility and administrative control. Most MDM's can push rules and control any device or operating system. It gives the company the ability to push any apps, new configuration settings, push device encryption and more. MDM essentially gives employers the ability to have complete control over the end user’s devices and data.
This factor of control would very much be of interest to employers, as they can control devices that their employees utilize. They can completely secure their employees' devices with multi-factor authentication, full device encryption and in an emergency, the employer can wipe any device with the MDM remotely to prevent information leakage.
It's worth noting that MDM is not a panacea, among some shortcomings in endpoint security which we will get into in the next section, some employees do take issue with its implementation on their devices. It's reported that many businesses are experiencing push-back against BYOD plans because employees do not feel comfortable with the level of control that they are giving employers over their devices.
To see more about the hidden issues that one should consider when looking into MDM, have a read of Rory Monaghan's article on the subject here.
Limitations: Laptop Security
Outside of the aforementioned issues, an MDM system is useful and can have definite benefits if deployed as part of a well thought out BYOD scheme. That being said, there is one area that MDM does have trouble with and that is with your standard x64/86 devices, like laptops, where the dreaded Human Factor clashes with IT policy frequently.
You selfish humans, breaking Policy-bot's heartware
The truth of it is that MDM on its own will not do much to stop users hurting themselves on an unsecured endpoint, and certainly would not be enough alone to meet compliance standards, such as PCI DSS.
When it comes to endpoints, like the laptops that your users are bringing into an environment, security becomes a much larger concern. MDM may be a good start but a lot of its main security features are dedicated to device theft and login security, like MFA and encryption, or are simply more fail-safes than preventatives. While machine tracking, remote wiping, and blocking are great to have in a loss/theft situation, it doesn't solve the user issue.
Without a locked-down environment, users can and will still get around preset policies, download files, access unsafe sites or even save data to removable drives. So what is the solution, outside of restricting users to the point where their devices are no longer theirs (Which defeats one of the purposes of BYOD in the first place)?
Secure Remote Worker: Fully managed, secure sessions for personal laptops
Secure Remote Worker is a secure digital workspace specifically for personal laptops, desktops, and thin clients. The solution can be used to provide both BYOD and remote working environments.
See a quick demonstration of Secure Remote Worker changing from an open session on a personal device to it's secure session.
It presents itself as an application on the end user's laptop. Once Secure Remote Worker is launched, the user is logged out of their local session and launched into a new secure session with no access to their OS. The user can only work within their provided workspace (of which the administrator has complete control of), and once finished with their work, they can simply log out of their secure session and are returned to their device, with complete freedom to do as they like.
Secure Remote Worker works specifically with personal x64/86 Windows devices and allows for employees to be centrally managed from any location through the ThinScale Management Platform.
So what exactly makes Secure Remote Worker so secure? Outside of the locked-down UI itself, the solution has several features that secure the endpoint during the Secure Remote Worker session:
Application & Service Execution Prevention
These features will allow you to set rules that allow and deny specific applications and services from running during an active session. Working essentially as a completely configurable white/blacklist for applications and services, you can ensure there will be nothing running on the endpoint during the user’s working session that your security team has not authorized
This allows you to block USB mass storage devices completely during an active session, while still allowing USB equipment, such as headsets or microphones, to be utilized. Users can still work comfortably whilst ensuring there can be no unauthorized removal of data.
Virtual Desktop Agent
The Virtual Desktop Agent is a packaged auxiliary download designed to ensure the user is only accessing virtual and remote resources from a device secured with Secure Remote Worker. With custom actions and rules that can be applied, the agent can see if, for example, a virtual machine is being accessed via a browser on an unsecured machine and can prevent access.
The Validation tool is another packaged auxiliary download that will perform checks configured by administration. Before the installation of Secure Remote Worker, the validation tool will run these predefined checks on the user’s device and based on the results of these checks, the administrator can choose if Secure Remote Worker is installed. These results are also sent directly to Secure Remote Worker’s central management component, the ThinScale Management Platform.
Secure your laptops and control mobile devices using Secure Remote Worker alongside MDM
So with this information what is the better solution? The answer is, as always when it comes to any deployment of new technologies or schemes into an environment, it depends.
Secure Remote Worker is a self-contained, secure and easily managed BYOD solution. It eases the burden of support on administration by providing the IT team a powerful and easy to use central management system, as well as, giving users the ability to utilize their familiar hardware settings within a secured session. All this while providing a secure workspace environment that allows the employer complete control when active (while also preserving employee privacy and freedom when outside of their workplace session).
All that being said, as mentioned earlier, Secure Remote Worker only functions on Windows endpoints, meaning laptops, desktops and thin clients.
An MDM's major benefit is compatibility and lets you control most of your employees' devices regardless of hardware or operating system. However, as mentioned, control does not equate to secure, and laptops running an MDM alone will not be enough to protect against data leakage.
Luckily, Secure Remote Worker is compatible with most MDM solutions! It will allow the MDM to work on a laptop as normal, pushing it's applications and settings while also maintaining those poison pill fail-safes mentioned earlier. You also maintain that unified visibility of phones, tablets, laptops, etc.
Secure Remote Worker, in turn, will protect your user's laptops by providing a locked-down, secure workplace for end-users to work within safely, preventing data leakage and any unwanted user actions. Through the ThinScale Management Platform, you also have direct control and the ability to deploy profile, policy and application updates to your laptop environment.
To review, let's look at it like this:
|Secure Remote Worker||Result||Mobile Device Management||Result|
* - dependent on MDM provider
Visit our main Security and Compliance page and get key information on endpoint security and how our solutions enhance security & compliance on the endpoint.
As you can see from our comparison, the two solutions are rather complementary. Secure Remote Worker is designed to be utilized as a BYOD solution in and of itself and provides much of the functionality of an MDM already, and in doing so you can avoid some of the user issues associated with MDM.
However, if MDM is already in your environment and you are looking for a way to provide much needed extra security to end-user's laptops, then Secure Remote Worker is the ideal solution for helping you reach those stringent security compliances and ensure your end-users are completely protected.