How to Secure BYOD Devices: Avoiding BYOD Security Problems with VPNs

By | | Categories: byod, remote work

With so many organizations suddenly forced to send their employees to work from home, securing remote work in today’s environment has become increasingly important.

Unfortunately, for most organizations the size of the remote workforce has increased far beyond the number of employer-provided devices that are available, making it critical that organizations put in place clear Bring Your Own Device (BYOD) policies.

Typically, BYOD has been avoided by organizations that take security very seriously, ranging from large enterprises to government agencies and everything in between, because of their inability to manage and control operating systems, software patches and updates, and device usage.

The COVID-19 crisis has forced many of these organizations, including government agencies, to take a fresh look at BYOD, and the options available to bolster the security of data when it is shared with employees using personal devices.

The most common way to secure communications from a remote location back to a central network is through a VPN. While there are a few challenges to be concerned with when using VPNs, there are plenty of things you can do to overcome those challenges.

And, with the right set-up, BYOD does not have to be a security nightmare.

Click here to read the secure remote work guide

Challenges with BYOD and VPNs

There are quite a few concerns with setting up and using a VPN on a personal device.

1. Malware on the device

Allowing a BYOD policy means trusting personal devices.

To install a software-based VPN on an employee's personal device (laptop, desktop, smartphone, tablet, etc.) and allow connectivity through that VPN back to the corporate network, you must first be satisfied that each personal device you are allowing has no existing malware on it.

If a software-based VPN is used to connect a device to the network, and that device has malware on it, there are a couple of risks to be aware of:

  • Malware may be able to jump through the VPN into the corporate network itself, which could wreak havoc.
  • That malware could gather VPN keys through eavesdropping or saved credentials, and save them for a later date. This could allow threat actors to gain access to the corporate network at a later date, using the same VPN credentials.

2. Installation, set-up and configuration

The unique circumstances of the COVID-19 pandemic prevent most in-person contact, meaning that users will be responsible for installing, setting up and configuring VPN software on their own devices.

This comes with a host of potential risks:

  • The device may not have an operating system or applications that are up-to-date. Any missing security patches or updates that have not been completed are additional risk vectors.
  • The operating system on an end user device may not be compatible with the chosen software VPN.
  • The user may misconfigure or misuse the VPN, which could result in potential attacks on the corporate network or allow data being transmitted to be compromised.
  • Training or support must be provided to users on how to properly set up their VPN and ensure that they do it correctly, which can become a drain on IT support resources.

3. Split tunneling

One of the primary concerns with VPN usage is the ability to enable split tunneling, which allows a remote VPN user to access the internet through a public or unsecured network at the same time that they are allowed to access the corporate network through the VPN.

If that user's device is compromised via the unsecured network while it is connected to the VPN, it is possible for that infection to travel via the VPN into the corporate network. 

Many VPNs have configuration settings to mitigate these risks by disallowing split tunneling, but again, the reliance in this case is on the user to configure these settings properly.

4. Personal information sent across the VPN connection

Another concern is that users may check personal accounts like bank accounts or health-related data over the VPN connection.

This surfaces personally identifiable information (PII) to the corporate network, which will be monitored and logged. This information is not typically something the user would want to be recorded by their employer, and thus presents a liability for employers that unwittingly have access to it.

It is important to provide users with training on what they should and should not do over the VPN connection, or when to use it.

5. Interoperability

Regardless of the policies you put in place or the training you provide, the reality is that you, as the employer, have little to no control over what applications or devices individual employees use for BYOD. This creates all kinds of interoperability concerns, the scale of which are significant, as there are any number of different devices, operating systems, security patches and other configurations which users can have on their devices.

There is no real way to truly know everything you’ll need your VPN to be compatible with, and very little way for you to control or require users to have specific devices or operating systems to ensure it will work with the VPN you choose.

Using a hardware-based VPN with BYOD

By using a hardware-based VPN along with a few simple configurations or settings on the device itself, you can quickly and easily secure personal devices for use with remote work.

There are many different solutions on the market for hardware-based VPNs, each with different features and functionality, so for the purposes of this discussion I’ll limit myself to Attila’s hardware-based VPN solution in order to speak about specific features rather than in general terms.

Using this example, here's how a hardware-based VPN can address the specific risks I described above:

  • Malware on the Device: The end user devices connected through our GoSilent Cube never actually touch the networks they connect to. The GoSilent device acts as a firewall between the device it is connected to and the outside world. This means that no malware can cross from the device to the network. It also alleviates the risk of having VPN keys stolen, as the user must have the physical device as well as VPN keys in order for the VPN connection to work.
  • Installation, Set-up and Configuration: Most hardware-based solutions are much easier for users to set up and use on a day to day basis. On a GoSilent specifically, there is nothing to configure at all. And when there's nothing to configure, there's nothing to misconfigure. It is as simple as plugging the GoSilent Cube into the end user device (or connecting the two over the GoSilent Cube's LAN). That’s it.
  • Split Tunneling: Our hardware-based VPN by default only allows traffic to flow to a single endpoint. Meaning, once connected to an end user device, it ensures that any and all traffic can only go to the central network.
  • Interoperability: Because no software is required on the end user devices when using a hardware VPN, there is no concern about compatibility with the applications or operating systems that are running on those devices. A hardware-based VPN is completely software agnostic, so you can use it to secure any IP-enabled personal device. This alleviates the need for a very complex and rigid policy for the devices themselves.
  • Personal Information sent across the VPN Connection: You will still need to train users not to send personal information over the VPN connection, however with a hardware-based VPN, it is much easier for a user to know when the VPN is in use and when it is not. It is as simple as plugging or unplugging the device.

Consider adding a VDI solution

If you want to take additional steps to ensure that BYOD is as secure as possible, you may want to consider combining a hardware-based VPN and virtual desktop interface (VDI) solution.

A VDI allows end users to work remotely through a virtualized environment that lives on your central server. End user devices connect via the VDI to virtual machines that you have set up on your server, allowing users to execute work as if they are on your internal network. 

With VDI, no data is stored on the end user device. Instead, the user simply sees what is on the screen of the virtual machine and interacts with it, but is not able to store data from it.

VDI supports a range of end user devices, from laptops and desktops to tablets and mobile devices.

Combining this environment with a secure hardware VPN protects all traffic and information flowing across the connection between the end user device and the central network.

Final thoughts

If you're looking for a way to make BYOD work for your organization, it doesn’t have to be difficult process, and you don't have to compromise security in the process.

You can make it easy on your users, effective to scale up and down quickly, and incredibly secure by choosing the right hardware-based VPN solution.

Learn more about Attila's emergency remote work kits

subscribe_to_blog

Subscribe me to: