The “modern” environment includes not just traditional endpoints such as desktops and laptops, but also mobile platforms, which are increasingly becoming the preferred way employees engage with their organization. A joint Samsung-Oxford Economics 2018 report on enterprise mobility points out that “modern work is mobile work,” with nearly 80% of interviewed IT and business leaders saying employees cannot do their jobs effectively without a mobile phone. Almost as many (75%) of respondents say mobile devices are essential to business workflows.
It’s no surprise then that mobile has become a highly appealing target for cyber attackers. According to Verizon’s 2019 Mobile Security Index, 1 in every 3 organizations said they suffered a data breach involving a mobile device – up from 27% in 2018. And organizations are increasingly being hit harder: 62% of affected companies said their mobile breaches were “major” and 41% said they were “major with lasting repercussions” requiring costly remediation and cleanup. On top of being vulnerable to many of the same threats affecting other devices, like phishing, mobile devices are prone to attack vectors like malicious apps, network threats such as man-in-the-middle attacks, and various OS exploits.
Unmanaged device, unmanaged risk
The risk is augmented by the growing adoption of Bring Your Own Device (BYOD) practices in the workplace. More than half of organizations have BYOD policies in place or plan to adopt them, and some sources say it’s as high as 85%. For all the benefits BYOD programs bring to productivity and mobility, allowing employees to access corporate resources from their personal devices – over which IT teams have no visibility, much less control – has its obvious risks. Mobile users connect freely to more networks, download risky apps, and access websites that may spread malicious code. And employees are accessing corporate resources on these very same devices, using an average of 5 mobile business apps daily.
While solutions have been introduced for securing mobile devices, applying these to BYODs continues to be a challenge due to the lack of an enforcement mechanism. On personal devices, as opposed to managed endpoints, the employee is the “admin” and essentially decides what goes onto their device. This has made it difficult to achieve widespread adoption of Mobile Threat Defense (MTD) apps on employee BYODs.
Symantec Endpoint Security is the solution that delivers complete protection across all devices in your environment, including full Mobile Threat Defense for both managed and unmanaged devices. With Mobile Access Control, a new feature unique to Endpoint Security, organizations can, for the first time, ensure MTD adoption even on unmanaged devices. Mobile Access Control bases access to corporate resources on the health and security posture of the mobile endpoint, regardless of whether it is a managed or BYO device.
Solving the challenge of BYOD protection
Endpoint Security offers on-device mobile protection and enforcement capabilities that are automatically activated according to an organization’s policies. This requires that the Endpoint Security app (SEP Mobile) be installed and activated on mobile devices. For managed devices, organizations can leverage the integration with an MDM/EMM/UEM solution to push the app to devices and apply policies based on the health of the MTD agent on the device.
For unmanaged devices, deploying the MTD agent has traditionally been more difficult due to the lack of an enforcement mechanism (provided by an MDM/EMM/UEM). Mobile Access Control solves this challenge by integrating Endpoint Security’s MTD app in the SAML flow that is used when authenticating a user to a service or app in the organization.
By connecting to the sign-on flow, we offer a more generic and universal mechanism for enforcement. When an end user tries to access a corporate resource on their device, the ‘integrated’ authentication process triggers a background evaluation of the device’s security posture, checking: 1. Whether the device has the SEP Mobile app up and running, and 2. Whether the device is compliant with the organization’s security policy.
If the device has the SEP Mobile app deployed and is compliant, the end user can continue with the sign-on process to gain access. If the evaluation finds that either of the above conditions is not met on the device (no MTD app, or the device is non-compliant), the end user will be blocked from accessing corporate resources and will be prompted to download the app or resolve the compliance violation.
Mobile Access Control therefore ensures that devices, both managed and unmanaged, are protected and compliant with security policies. Only when these two conditions are met does an end user get access to resources.
Sign-on timing is ideal
The Access Control approach is also effective because of where it meets the end user. An optimal time to persuade users to download the MTD agent is during the sign-on process when they most want access to resources. Just like with app permissions where users are more likely to accept a permission when they want to use a feature it enables, users will more likely download the MTD app when they want immediate access. This is ideal compared to sending end users an often “out-of-context” email prompting them to install and activate the MTD agent.
Mobile Access Control’s generic implementation enables admins to integrate the mechanism into whatever SSO/SAML flow is used in their organization. Integration should be straightforward if HTTP requests can be redirected to a Symantec page.
What does this mean for end users? Upon implementation, users who try to access a corporate app or resource, like Office 365, will be redirected to a specific Symantec page which triggers the Access Control mechanism to check the compliance status of their mobile device. As mentioned previously, if the device is found to be compliant, end users are seamlessly redirected back to the Office 365 login, which continues as it had before. Non-compliant users will be blocked. End users will go through this process only for app logins that are configured to pass through Mobile Access Control, and only when a login is required, for example if the password changes or the session has expired. If the session remains active, there is no need to go through the MAC process again.
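The decision logic described above, as an added example that is not Symantec’s code: a small Python model of the gate that Mobile Access Control inserts into the SSO redirect, evaluating the two posture conditions and honoring the active-session shortcut so a device is only re-checked when a fresh login is required. The class and function names, posture fields and placeholder URLs are assumptions.

```python
# Added illustration, not Symantec's implementation. Models the posture gate
# a login is redirected through before continuing to the SAML identity provider.
# Field names, decision labels and URLs below are assumptions (placeholders).
from dataclasses import dataclass, field

DOWNLOAD_URL = "https://example.invalid/install-sep-mobile"  # placeholder
REMEDIATE_URL = "https://example.invalid/fix-compliance"     # placeholder


@dataclass
class DevicePosture:
    device_id: str
    agent_running: bool      # condition 1: MTD app installed and active
    violations: tuple = ()   # condition 2: empty tuple means compliant


@dataclass
class AccessGate:
    # (user, device_id) pairs that already passed the gate and hold a session
    active_sessions: set = field(default_factory=set)

    def evaluate(self, posture):
        """Return (decision, target). Only 'allow' continues the SAML login."""
        if not posture.agent_running:
            return ("install_agent", DOWNLOAD_URL)   # prompt to install the app
        if posture.violations:
            return ("remediate", REMEDIATE_URL)      # prompt to fix the violation
        return ("allow", None)

    def login_request(self, user, posture, idp_url):
        """Handle a login redirected through the gate; returns (decision, url)."""
        key = (user, posture.device_id)
        if key in self.active_sessions:
            # Session still active: no MAC re-evaluation, straight to the IdP.
            # Note this means a posture change mid-session is not caught here.
            return ("allow", idp_url)
        decision, target = self.evaluate(posture)
        if decision == "allow":
            self.active_sessions.add(key)
            return ("allow", idp_url)
        return (decision, target)

    def session_expired(self, user, device_id):
        """Password change or session expiry forces the next login through the gate."""
        self.active_sessions.discard((user, device_id))
```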
Increased adoption for a stronger security posture
As we discussed in a previous blog post on MTD deployment best practices, even the most powerful MTD solutions are ineffective if your organization has incomplete deployment or low adoption rates. These factors can leave organizations vulnerable to attacks. BYODs – where end users are root users – may be introducing a great deal of risk to your organization, increasing the attack surface for a corporate breach. Symantec Mobile Access Control not only ensures that both your managed and unmanaged mobile devices are protected, along with all other devices and OSs in your environment, it does so without interrupting end-user access, for continued productivity and security.