

BYON brings its own security challenges

Bring your own device is a common practice, and now bring your own network is on the scene -- whether IT likes it or not.

When users create their own networks to access corporate data on their mobile devices, they also create security problems for IT.

An offshoot of the bring your own device trend, bring your own network refers to when users provision their own network services for Internet access, workgroup communications and information sharing, printer sharing and other functions.

Bring your own network (BYON) implementations are generally built around a residential-class Wi-Fi router, with backhaul implemented via an authorized connection to an existing wired network or a wide area wireless connection. Many wireless routers support USB cellular modems, making BYON simple and cost-effective.

BYON eliminates the need for IT to provision access for certain authorized workgroups seeking isolation -- typically contractors, field auditors and special projects that management has determined will benefit from being separated from mainstream network activity.

Many view BYON as just another example of IT consumerization. Given the performance and power of consumer-grade devices today, with little to no compromise in function, performance or mission, BYON can indeed provision network services equal to those otherwise available on the big network.

At first glance, there's really nothing unusual going on. BYOD is now firmly established as a valid, if not the preferred, mobile device provisioning methodology. Many professionals, such as plumbers, carpenters, network analysts and consultants, always bring their own tools to the job site. Isn't the network just like any other tool?

But it's not unreasonable to view the network differently, primarily due to one insoluble challenge facing all IT shops everywhere: security.

Sanctioned BYON activity must comply with organizational security policies on authentication, authorization, encryption and identity management. Given the isolation inherent in BYON, however, the potential for unauthorized exposure of sensitive information is usually reduced -- one of the primary justifications for authorized BYON.

IT must treat unsanctioned BYON like any other potential compromise to Wi-Fi network security and address it as soon as possible.

A number of organizations have grappled with stealth BYON activities over the years, with users cleverly bypassing IT, only to be caught when IT used a Wi-Fi discovery tool, spectrum analyzer or similar capability to stumble upon the self-provisioned network -- often on an unrelated mission. This type of activity is probably more common today than most IT managers assume; after all, with Wi-Fi so readily available, why would anyone use BYON for normal, day-to-day activities?

But BYON users can conduct activities that compromise sensitive information, so wireless network monitoring and assurance activities must remain a component of network operations. BYON users can be innocent employees simply seeking higher performance, greater control or overall portability without needing to reconfigure their personal network access based on location. But such activity can also be misguided. Therefore, IT organizations must always be on the lookout for any activity that might compromise Wi-Fi network security.

How IT should handle BYON

The following steps are essential:

Enacting security policies: All staff should be required to sign an agreement that they will not bypass provisioned IT services without express permission. There must also be regular reinforcement of the terms and value of the organizational security policy.

Monitoring: It can be very difficult to detect BYON based entirely on wired technologies, so regular network traffic analysis is essential. IT can use wireless network security tools and systems to catch wireless activity -- radio interference can be a major clue that unauthorized BYON is active -- and inexpensive spectrum analyzers for cellular traffic are also available. Regular physical inspections are essential regardless, because information thieves have little regard for policy.

Authorizing access: Once IT has authorized BYON, it should only provision its own implementations; this ensures they meet IT and organizational standards and policies and provides end users help and support. And, of course, IT should treat anyone seeking to avoid that help and support with just a little bit of suspicion.
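
Part of the monitoring step can be automated by comparing Wi-Fi survey results against IT's access point inventory. The Python below is an added example, not from the original article; the CSV layout, BSSIDs, SSIDs and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: three survey sweeps exported as CSV.
SURVEY_CSV = """sweep,bssid,ssid,channel,rssi_dbm
1,00:11:22:33:44:01,CorpNet,36,-48
1,00:11:22:33:44:02,CorpNet,149,-61
1,66:77:88:99:AA:01,ProjectX-Team,6,-42
1,66:77:88:99:AA:02,CoffeeShop-Guest,11,-84
2,00:11:22:33:44:01,CorpNet,36,-50
2,66:77:88:99:AA:01,ProjectX-Team,6,-45
2,66:77:88:99:AA:03,Phone-Hotspot,1,-55
3,00:11:22:33:44:01,CorpNet,36,-47
3,66:77:88:99:AA:01,ProjectX-Team,6,-40
3,66:77:88:99:AA:02,CoffeeShop-Guest,11,-86
"""

# Assumed inventory of IT-provisioned access points (sanctioned BYON included).
SANCTIONED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

def find_unsanctioned(survey_csv, sanctioned, min_rssi=-65, min_sweeps=2):
    """Return unknown APs that are both strong and persistent.

    A strong signal suggests the radio is on the premises rather than next
    door; presence in several sweeps separates a fixed router from a
    hotspot that was only passing through.
    """
    known = {b.lower() for b in sanctioned}
    seen = defaultdict(lambda: {"ssid": "", "sweeps": set(), "best": -200})
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().lower()
        if bssid in known:
            continue  # IT-provisioned, nothing to report
        entry = seen[bssid]
        entry["ssid"] = row["ssid"]
        entry["sweeps"].add(int(row["sweep"]))
        entry["best"] = max(entry["best"], int(row["rssi_dbm"]))
    findings = [
        (bssid, e["ssid"], e["best"], len(e["sweeps"]))
        for bssid, e in seen.items()
        if e["best"] >= min_rssi and len(e["sweeps"]) >= min_sweeps
    ]
    # Strongest signal first: the likeliest candidates for a physical inspection.
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for finding in find_unsanctioned(SURVEY_CSV, SANCTIONED_BSSIDS):
        print("unsanctioned AP:", finding)
```

A scan of this kind sees only Wi-Fi beacons; it does not observe the cellular backhaul, so it complements rather than replaces the spectrum analysis and physical inspections described above.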
