Last week’s WSJ CIO Journal "How BYOD Become the Law of the Land" took me down memory lane.
It was the year 2000, I was at Honeywell and the newly arrived CEO requested a BlackBerry. Soon after, the budget was created, plans were executed flawlessly and IT had a standard company-issued device in the hands of every key executive. So quite by accident, we rolled out what was arguably the best user productivity tool of its time.
In mid 2007, with the introduction of the iPhone, IT started seeing a shift from company-issued devices to BYOD.
And in the beginning of 2010, with the iPad introduction, the BYOD trend was truly underway. With an iPad showing up in every meeting, this only meant one thing for IT: a soaring demand from employees to access email, calendars and other enterprise apps on their personal devices. Once the door was open, employees were not only requesting Apple devices, but their interest was stoked in a wider range of services, and it began a wave of devices and applications entering the enterprise---ultimately creating a richer, more diverse technology infrastructure.
With the BYOD genie out of the bottle, the transition to this new heterogeneous environment certainly made things challenging for IT, including fear of higher costs, more complexity and ultimately the unknown, particularly regarding security and compliance. From the employee’s perspective, security has not been a primary concern: “Can’t I use my personal device in order to access company apps? It’s so convenient for me and I don’t care about IT security concerns.”
But security is serious business, especially for IT.
Most CIOs are now required to hold security and cyber threat reviews with their company board of directors and audit committees. The audit committee isn’t sympathetic to the conveniences of BYOD; they are worried about security breaches like the ones that recently occurred at Twitter, the New York Times, the Washington Post, and the Wall Street Journal.
For IT, there are three BYOD-related issues we must solve: user convenience, cost and security.
In my experience, the leading companies that have pragmatically balanced these three vectors, and have configured their internal network to securely support multiple devices, have been able to get out in front of the BYOD phenomenon.
BYOD is all about pragmatic balance:
- Agree on an acceptable compromise between security and user experience
- Don’t get hung up on a specific device---there are all sorts of brands and operating systems
- Give users what they need to be productive, but explain it’s not a free for all---BYOD is not bring anything you want and do anything you want on the company network
In doing so, you can save time and money for your enterprise and create a generation of more empowered employees.
When it comes to employee-owned devices entering the network, finding a balance between company security and end-user productivity is the major challenge of “Bring Your Own Device” (BYOD). Provisioning BYOD devices to ensure secure access to the network, enforcing policy and protecting the enterprise is typically a complex, multi-vendor pain. Many times these solutions, while working towards the same goals, don’t necessarily play nicely together. Try telling that to your CEO, who just wants to work from any device, any time and from anywhere.
Moreover, what’s good for the user isn’t necessarily fun for IT. The benefits of liberating the workforce and allowing employees and guests to use any device also bring significant security risks. There is no single panacea for addressing these risks. However, when Network/Unified Access Control (NAC) user policies leverage Mobile Device Management (MDM) device-based policies, the result is more intelligent security, simplified management, and increased mobile worker productivity.
The Juniper Junos Pulse team has integrated the industry’s leading MDM solutions with Juniper’s Junos Pulse Secure Access Service (SSL VPN) and Junos Access Control Service (NAC) products. This integration:
- Enables IT departments to ensure a secure connection between corporate and the mobile device. Connections are regulated by more granular mobile-aware access control policies, leveraging MDM solutions (including AirWatch and MobileIron) into the Pulse SSL and NAC platforms. For example, a bank can enforce geographical compliance rules based on mobile device attributes and enforce those rules on the network by the Junos Access Control Service. Or it could stop a mobile device from accessing the network because it is jailbroken, rooted, or has “bad” apps running, again leveraging attributes collected by an MDM to create mobile-aware access policies through Junos Access Control Service.
- Makes for easier and virtually transparent deployment of Junos Pulse clients to end-user devices. The new integration will enable Pulse clients and configuration information to be pushed to devices via the existing MDM app with little or no user interaction. That means fewer panicked calls, greater automation, and lower administrative overhead for IT.
- Consolidates mobile and network policy information into a single dashboard. This just makes sense, since mobile devices, whether owned by the company or an individual, should be managed by user identity within a single view rather than multiple complex screens.
Upgrade now! We want to see you and your users have a better BYOD experience.
And there are more innovations and partnerships around the corner! Stay tuned!
In Juniper’s Consumerisation Study 2013, three out of four companies consider that when users pull data into consumer apps, it’s a security threat. The same proportion was concerned about data control.
It’s understandable to be concerned, even wise. But there’s a difference between taking the appropriate action and locking security down. My concern when I saw the survey results is that to be competitive, organisations considered that they should be more data risk averse (73 percent skewed to “data control,” rather than “data agile”) and an even bigger proportion (80 percent) skewed to “control” as the way to exploit the benefits of Consumerisation of IT (CoIT).
I can’t tell you that’s wrong for your organisation, as every company needs to think carefully about its appetite for risk. But if CoIT results in data lockdown, it will be a failure: the gains in cost or task productivity will be outweighed by the problems of getting access to the data we need. The empowerment of the workforce evaporates in red tape, the cost savings are wasted on the time and expense of administering policy.
Meanwhile users cast envious glances at other organisations that allow them to use their own hardware and software. Why, they ask, are we “punished” for using their chosen applications and devices?
So, how to balance risk and reward? The key is the granularity of your risk management, which can then be mapped to equivalent granularity of data access.
Not all data is created equal. Some data needs few restrictions, but valuable or confidential data needs appropriate protection. That’s not the same as saying that it can’t be accessed on any consumer device. It might be that your policy states that it can only be accessed on devices with encryption, if it is prevented from being mingled with user data, or accessed only in a VPN during certain times.
Many organisations carry out the process of assigning levels of security to data, but they struggle to translate this to data access rules.
The first problem is that business security rules – for example, access to secure areas out of hours – are often more granular than data access policy, and better understood.
The second is that we struggle to create IT security policy that is consistent between fixed and mobile networks, from desktop to laptop to phone, and from premises to cloud. A typical – and responsible – reaction is to create restrictions that reflect a blanket risk aversion, but reduce productivity by imposing a “lowest common denominator.” This may be what we see in the survey.
A more productive response is for the business and IT to agree on principles: types of device, types of user and types of network. If they can be implemented by using granular and portable network security, then data will be available when it is appropriate. Ideally, the security policy management should allow you to create rules, based on permissions and attributes of devices and apps, for groups of users – which you then “publish” to the devices they use, while at the same time making the end user experience ridiculously easy.
This must, by definition, be more efficient for the business, yet without compromising security. The result is that consumerisation finds the balance between access and control not by device management, but by building network security based on business rules.
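The policy shape this post describes (rules built from device and app attributes, applied per group of users, with access to data decided by its classification) and the MDM-to-NAC integration described in the earlier post (an access decision driven by attributes an MDM reports, such as jailbroken or rooted state, location and installed apps) can both be expressed as one small attribute-based policy evaluator. The code below is an added example, not Juniper's code and not how Junos Pulse or the Access Control Service implements it; every attribute name, tier, country code, app name, time window and sample device is a constructed assumption.

```python
# Added example (not Juniper's code): a mobile-aware access policy that combines
# device attributes an MDM would report with data classification tiers and user
# groups. Attribute names, tiers, countries, app names and sample devices are
# all constructed for illustration.
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    user_group: str            # group the identity store places the user in
    jailbroken: bool           # also covers "rooted" on Android
    encrypted: bool            # storage encryption enabled
    container_isolated: bool   # corporate data kept apart from personal data
    country: str               # location attribute reported by the MDM
    installed_apps: frozenset  # app inventory reported by the MDM
    via_vpn: bool              # session arrives over the SSL VPN
    local_time: time           # device local time at the access attempt


# Constructed policy inputs
BLOCKLISTED_APPS = frozenset({"example-bad-app"})   # placeholder app name
ALLOWED_COUNTRIES = frozenset({"US", "DE"})
TIER_ORDER = ["public", "internal", "confidential"]
TIER_REQUIREMENTS = {          # data tier -> device controls it demands
    "public": {},
    "internal": {"encrypted": True},
    "confidential": {"encrypted": True, "container_isolated": True, "via_vpn": True},
}
GROUP_MAX_TIER = {"employee": "confidential", "contractor": "internal"}
CONFIDENTIAL_HOURS = (time(7, 0), time(20, 0))   # confidential data only in this window


def admission_check(d: DevicePosture):
    """Network admission from MDM attributes alone: returns (decision, reason)."""
    if d.jailbroken:
        return "deny", "device is jailbroken or rooted"
    bad = BLOCKLISTED_APPS & d.installed_apps
    if bad:
        return "quarantine", "blocklisted app present: " + ", ".join(sorted(bad))
    if d.country not in ALLOWED_COUNTRIES:
        return "deny", "device outside permitted countries: " + d.country
    return "allow", "posture compliant"


def data_access(d: DevicePosture, tier: str):
    """May this device read data of the given classification? Returns (decision, reason)."""
    decision, reason = admission_check(d)
    if decision != "allow":
        return decision, reason
    max_tier = GROUP_MAX_TIER.get(d.user_group, "public")   # unknown groups get public only
    if TIER_ORDER.index(tier) > TIER_ORDER.index(max_tier):
        return "deny", f"group {d.user_group} capped at {max_tier}"
    for attr, wanted in TIER_REQUIREMENTS[tier].items():
        if getattr(d, attr) != wanted:
            return "deny", f"{tier} data requires {attr}={wanted}"
    if tier == "confidential":
        start, end = CONFIDENTIAL_HOURS
        if not start <= d.local_time <= end:
            return "deny", "confidential access outside permitted hours"
    return "allow", f"{tier} data permitted"


def _dev(**overrides) -> DevicePosture:
    """Compliant baseline device; keyword overrides build the other samples."""
    base = dict(device_id="dev-1", user_group="employee", jailbroken=False,
                encrypted=True, container_isolated=True, country="US",
                installed_apps=frozenset({"mail", "calendar"}), via_vpn=True,
                local_time=time(10, 0))
    base.update(overrides)
    return DevicePosture(**base)


# Constructed sample devices covering each rule
SAMPLES = {
    "compliant": _dev(),
    "jailbroken": _dev(device_id="dev-2", jailbroken=True),
    "bad-app": _dev(device_id="dev-3", installed_apps=frozenset({"mail", "example-bad-app"})),
    "abroad": _dev(device_id="dev-4", country="XX"),
    "unencrypted": _dev(device_id="dev-5", encrypted=False),
    "after-hours": _dev(device_id="dev-6", local_time=time(23, 30)),
    "contractor": _dev(device_id="dev-7", user_group="contractor"),
}


def evaluate_samples():
    """Decision for every sample device at every tier: {(name, tier): decision}."""
    return {(n, t): data_access(d, t)[0] for n, d in SAMPLES.items() for t in TIER_ORDER}


if __name__ == "__main__":
    for (name, tier), decision in sorted(evaluate_samples().items()):
        print(f"{name:12s} {tier:13s} {decision}")
```

The point of the split is the one the post makes: admission is decided from device posture, and data access is then decided from the classification of what is being reached, so an unencrypted personal phone can still read public material while confidential data demands encryption, container isolation, the VPN and a time window, and a group cap keeps contractors below the confidential tier regardless of how well their device scores.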
To find out more about Juniper Networks' vision for an Empowered Enterprise and the solutions available to an organisation, please visit this site.
Some people love kit cars. They get a real thrill from buying the bodywork and chassis in the colour they want. They seek out the right engine and transmission and spend hours cleaning and rebuilding them.
They carefully research and select all the other components they need – the brakes, wheels, lights, seats and other interior items. Hours and hours are spent lovingly integrating and assembling them. When the project is finished they have the perfect car for them. And they get a great sense of achievement from doing it.
Built for fun
But how many kit cars do you see being driven on the road day in, day out? Not many. Because they’re not necessarily practical for day-to-day use. They’re typically less reliable, less safe, less comfortable and less secure. They’re built for fun, not usability.
In many ways this is exactly how many organisations approach securing their network. They look at the various aspects of their network – wired, wireless, mobile, data centre, campus and branch – they select security solutions for each and then bolt them on to the existing network.
The trouble is, when you start bolting different things together, like the kit car, you get integration problems. You have to adapt things to fit, which inevitably means making compromises or even creating weaknesses that impact reliability.
You also create manageability problems. Production cars have sophisticated engine management and sensing systems that provide early warning of all sorts of problems. Putting such a system in a kit car would be nearly impossible.
And security in a kit car will never be as good as in a production car. Sure, kit cars can have alarms and immobilisers fitted, but they’re added after the fact. In production cars security is designed in, from the engine management system to the door lock to the type of key that is used. There’s another point too. Manufacturers are building ever more sophisticated security into their cars that would be difficult to retrofit to an earlier model.
Take a holistic view
So what does this mean for network managers? Today’s networks are becoming more sophisticated. Developments like Bring Your Own Device (BYOD), mobile apps, public and private clouds, and a growing dependence on wireless networks are increasing complexity and will continue to do so as the consumerization of IT gathers pace.
At Juniper Networks, we believe that organisations can’t afford to bolt security solutions onto the network. They must take a holistic view and develop a strategy that embeds security into the network. And the starting point must be the device and how to give customers, employees and guests secure access to the data and applications they need, wherever they are, whenever they want it.
We also believe that, to provide end-to-end protection, security solutions need to be integrated. From the device to the data centre, through firewalls, access points, switches and routers, security needs to be pervasive and applied consistently.
This doesn’t mean companies have to buy from a single supplier. Far from it. But it does mean they have to consider carefully how products and solutions from different suppliers will work together. Products based on open standards rather than proprietary architectures would be the prudent choice.
Finally, we believe that networks must be agile and flexible, able to adapt to new threats and embrace new opportunities as they appear, which should be another key consideration when selecting products and solutions.
Kit cars may be great fun, but there is nothing like a good production car for travelling safely and securely.
It’s always interesting to connect with enterprise security experts and IT peers alike. Last week was no exception at RSA 2014 when I was invited to join a panel discussion hosted by Trusted Computing Group. Moderated by security expert Victor Wheatman, the “Mobile Device Security: Fact or Fiction” panel [47 min 43 sec] captured several viewpoints on mobile security.
“Keeping the wheels on” was a term Victor used to kick off the panel. He went on to describe MDM as “keeping the bad guys out, letting the good guys in, and dealing with all the necessary operational aspects to keep the enterprise and the devices secure” via a commercially reasonable security solution.
It goes without saying, security is critical for an enterprise to protect its IP as well as maintain obligations with partners and customers. BYO-x is all about the end user experience, and yet, there tends to be a significant gap between what an employee wants to do, an organization’s risk appetite, and what is feasible and commercially reasonable.
As VP of Information Technology at Juniper Networks, my team oversees IT infrastructure and end user services for approximately 9,500 colleagues globally. My participation on the panel provided a case study of enterprise best practices. When we started down the BYO-x journey at Juniper, there were many questions we had to answer, so we started with the user experience first, and then moved onto policies and a framework. As Juniper’s CIO Bask Iyer has shared via his CIO Perspectives blog, “For IT, there are three BYOD-related issues we must solve: user convenience, cost and security.”
From the start of this BYO-x journey for Juniper IT, we have had to answer a number of questions---below is a sampling of those questions I covered during the panel:
- How to enable secure productivity with employee-owned technologies?
- How to aid colleagues to take calculated and informed risks?
- How to evaluate a user’s tolerance of security measures?
- How to make those vocal, technically savvy colleagues part of the discussion and solution?
- How to raise security awareness on a daily basis via a variety of vehicles?
- How to make security policies straightforward and related to a user’s role?
- How to develop a security policy and then deliver a secure mobile solution for colleagues?
- How to develop a framework that meets your stakeholders’ needs?
- Which stakeholders need to be included (colleagues, HR, legal, execs)?
- How to ensure our security policy will actually map to our reality, not what we think it should be?
I invite you to watch the panel and participate in the discussion online.
I think that Apple is taking a big bite out of the Enterprise, and this is a good thing. I wonder if we (in IT) created this BYOD problem ourselves by ignoring an obvious phenomenon: the staggering rise/reemergence of Apple!
Where do I start my BYOD tale? Flashback to 2000: I was at Honeywell and the newly arrived CEO requested that IT provide him a Blackberry (since he was used to using one in his previous company). Magically, the budget was created, plans were executed flawlessly and we suddenly had a standard company issued device to all key executives. So quite by accident, we rolled out what was arguably the best user productivity tool of its time.
What’s ironic here is that a deployment of Blackberries had not been included in our strategic IT investment plan. Who would have thought that our end users would want to carry a device that granted constant access to email/calendar? The IT mindset was to reduce costs; and these Blackberry devices were an additional cost, on top of the corporate laptops already provided to mobile users. Employees (like our CEO) wanted to squint to read and reply to an email with a tiny screen and an even tinier keyboard. Blackberries were here to stay---and IT had to quickly figure out a way to deploy this new productivity tool... screaming and kicking all the way.
Soon after the introduction of the iPhone in 2007, I started hearing some rumblings from my internal customers; they wanted iPhones too. But back then, I was content with what had become the enterprise standard: a Blackberry. I didn’t want to think about introducing more complexity to the mix with more devices. Then in early 2010, the introduction of Apple’s iPad opened the door a little wider. Why couldn’t we get email and calendar to work on this shiny new device? If it works on the iPad, why not on the iPhone?
Fast forward to today. IT departments that have started supporting multiple mobile devices/tablets now realize that this BYOD phenomenon wasn’t as big a deal as they once thought, and that it can actually save them time and money and gain them some brownie points with the end users.
And since we are talking about Apple, what about the iMac in the work place? What are we afraid of in IT? Is it higher costs? More complexity? The unknown? My experience has been that most iMac users are actually really good at helping themselves and only call IT for support as the last resort. And you know what? That’s not a difficult end user group to support! Even the guys at JPL and NASA used Macs to put Curiosity on Mars. "The scientists and engineers can request whatever platform they desire, and they mostly pick Macs” said Jerry Blackmon at JPL.
Today’s workforce has many devices at home, so it’s only natural to assume that whatever cool device is used at home, the same experience is expected at work. Same goes with software and productivity tools. Our users are asking why one could not use “Skype”-like tools or Skype itself to collaborate globally. Why does Facetime work so easily on the iPhone, while we still have to press ten buttons to do a video conference at work? Why can’t we share big documents with customers like Gdrive? Why can’t we save money on telephone calls by using Google Voice? And the list goes on.
In some cases there may be perfectly good cost, security and support considerations for not rolling out everything. But just ask yourself, as an IT professional, if this is really true? Or is it that you think that you don’t like green eggs and ham?
I DO SO LIKE GREEN EGGS AND HAM! THANK YOU! THANK YOU, SAM I AM.
At the end of August I participated in a CIO panel discussion with peers from Cisco, Clorox, HP, and Qualcomm. We covered the trendy topic: “Developing Multi-platform Mobile Strategies to Support BYOD”.
When Tony Leng, our panel moderator, asked “Why not let your users bring in their own applications (BYOA) instead of using SAP and other tedious applications?”, I sat up a little higher in my seat and started thinking that this discussion had gone a bit too far! When did the CIO role become one of Santa Claus to shower whatever IT gifts that end users want to use across the enterprise?
In a previous blog post, I pointed out that the mainstream CIO’s refusal to acknowledge the rise of Apple within the enterprise has created this BYOD tidal wave, aka “Consumerization of IT”. As a result, many IT departments are dealing with this BYOD deluge every day.
Personally, I don’t think the IT industry has truly resolved bread and butter issues such as enterprise applications rationalization, data center consolidations, network redesign, or ERP implementations. IT plays a critical role in the transformation of a company. Collectively, CIOs need to enable the greatest amount of shareholder value while protecting and minimizing the risk to their corporations. But this is often difficult and not sexy or trendy. But maybe it is easier for CIOs to give up on those “tedious” IT things and talk about something else…like BYOD and BYOA? But, on the flip side, how can you expect to play a transformational role in a company if you are consumed by device management and the delivery of the next shiny object?
At Juniper, we are embarking on a challenging transformational IT project: collect 160 enterprise applications/processes that have mushroomed over the last 15 years and consolidate them all into one streamlined process that impacts the bottom line. Once completed, we will be able to scale to double our size without adding unnecessary costs, and operate globally, executing tasks at the appropriate locations. However, this is a very painful IT project in that it requires a lot of user and executive commitment over extended periods of time.
Should I get wrapped up in issuing devices to employees and applications that can be downloaded from an app store?
Or is my time better spent on transforming Juniper?
- Stop debating BYOD
- Give your employees the right devices to do their jobs
- Get out of the device management business
- Spend your time on delivering true business transformation via IT
What do you think?
This week we relaunched Juniper Networks into the Middle East at Gitex Technology Week in Dubai. After spending four days with our MEA team, meeting several partners and customers, I feel truly pumped up about the opportunity in the Middle East as well as the endorsement of Juniper’s security strategy.
What I found interesting is the awareness and concern from customers around security. No matter which vertical sector they operate within, they face very much the same challenges, albeit to various levels of concern.
Questions such as “How do I enable BYOD?”, “How do I protect my applications in the data center from attacks?”, “How do I mitigate DDoS and AppDoS attacks?”, “How can I prove the business value of our security strategy to my business leaders?” or “How do I secure my virtualized environment without having to increase traffic load to my firewall (either virtual or physical)?” – are all great examples of challenges our Middle East customers are facing.
Juniper’s security vision fits the needs of these customers well. Our secure-the-data-center offering addresses visualizing attacks on customers’ web applications, mitigating DDoS and AppDoS attacks, and securing traffic between VMs in a virtualized environment; our secure access and mobility story addresses enabling BYOD and the consumerization of IT.
As you might imagine, we at Juniper were kept very busy answering these questions from customers and showing them our strategy.
Meeting all our partners and continuing to build on these relationships was extremely valuable for us. I feel comfortable that we have a solid partner base, and even more partners who want to work with us in the Middle East. There is so much demand in the market that strong partnerships are vital for success and meeting the demand.
I look forward to following and participating in our continued success in the Middle East.
For many enterprises, their mobile security strategy starts and ends with MDM (Mobile Device Management). Realizing the shortcomings of MDM in a BYOD environment, some organizations are dabbling with MAMs (Mobile Application Management solutions). For those of you who are not familiar, MAMs are solutions that use containerization techniques such as app-wrapping, file virtualization, etc., to isolate and protect corporate applications from personal ones. MAMs take a more BYOD-friendly approach by focusing on the data/applications versus the device. MAMs have their own set of challenges, but that’s probably a topic for another blog post.
My point here is that many organizations believe (or are led to believe) that implementing an MDM/MAM solution is the end game to mobile security and BYOD strategy. If only this were true. Don’t get me wrong, these solutions do play a significant role towards enabling security, but there is one important aspect that people are missing. Despite these measures, a device can get compromised while it’s on the enterprise network outside the span of control of these MDM/MAM solutions, leading to a security breach.
“How?” you may ask.
Think of a scenario where a user is connected to the corporate network from a MAM-enabled BYOD device. Let’s assume the user intentionally or unintentionally ends up downloading malicious software (e.g., a malware app) to the device. The security controls of the MAM solution would not extend to the malicious application. The malicious application could spread malware on the network or potentially attack other nodes on the network.
This may sound a bit exaggerated, but it’s not impossible. And just because something hasn’t happened yet doesn’t mean it won’t. Don’t you agree? If you do, then put on your thinking cap and ask, “What could be a solution for this?” And feel free to chime in with your thoughts.
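One answer to the question the post closes on is a network-side compensating control that does not depend on the MDM or MAM at all: the device's behaviour on the segment it is admitted to is watched, and a device that suddenly fans out to many internal peers is flagged for quarantine by the NAC. The code below is an added example, not code from this post or from Juniper; the flow record format, the address ranges, the thresholds and the sample flows are all constructed assumptions.

```python
# Added example (not from the post): flag an admitted BYOD device whose traffic
# fans out across the internal segment, a signal available to network access
# control even when the misbehaving app lives outside the MAM container.
# Record format, addresses, thresholds and sample flows are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.20.0.0/16")   # assumed corporate/BYOD segment
FANOUT_THRESHOLD = 5                     # distinct internal peers inside one window
WINDOW_SECONDS = 60

# Constructed flow records: "epoch_seconds src dst dport proto"
SAMPLE_FLOWS = """\
# dev-15 resolves a name, then touches one internal host after another on 445
1000 10.20.1.15 10.20.1.1 53 udp
1001 10.20.1.15 10.20.2.10 443 tcp
1002 10.20.1.15 10.20.2.11 445 tcp
1003 10.20.1.15 10.20.2.12 445 tcp
1004 10.20.1.15 10.20.2.13 445 tcp
1005 10.20.1.15 10.20.2.14 445 tcp
1006 10.20.1.15 10.20.2.15 445 tcp
1007 10.20.1.15 10.20.2.16 445 tcp
# dev-22 behaves normally: DNS, one external site, two internal apps far apart
1010 10.20.1.22 10.20.1.1 53 udp
1011 10.20.1.22 203.0.113.5 443 tcp
1012 10.20.1.22 10.20.2.10 443 tcp
1200 10.20.1.22 10.20.2.11 443 tcp
"""


def parse_flows(text):
    """Parse the constructed record format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def fanout_alerts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Per source, slide a time window over its internal-to-internal flows and
    alert when the number of distinct internal peers reaches the threshold.
    Returns {src_ip: {"peers": n, "ports": n, "at": first_ts_of_window}}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _proto in flows:
        if src in INTERNAL and dst in INTERNAL:      # external traffic is not fan-out
            by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                                 # windows start at each event
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            peers = {dst for _, dst, _ in in_window}
            if len(peers) >= threshold:
                ports = {dport for _, _, dport in in_window}
                alerts[str(src)] = {"peers": len(peers), "ports": len(ports), "at": start}
                break                                 # one alert per source is enough
    return alerts


def quarantine_list(text=SAMPLE_FLOWS):
    """Device addresses a NAC would move to a quarantine role for the sample."""
    return sorted(fanout_alerts(parse_flows(text)))


if __name__ == "__main__":
    for src, info in fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['peers']} internal peers on {info['ports']} ports "
              f"within {WINDOW_SECONDS}s starting at t={info['at']}")
```

Only internal-to-internal flows are counted, because a personal device reaching many Internet hosts is normal while one sweeping across the corporate segment is not. The threshold and window are the tuning knobs: set them against a baseline of what ordinary devices do on that segment, and feed the resulting address list to the NAC's quarantine role rather than acting on it by hand.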
The wave that is IoT (Internet of Things) is coming, but who will ride the wave? Enterprises, more specifically those in the B2B space, stand to benefit the most from software, hardware or services. So, how can enterprises start looking at leveraging IoT to their best advantage? Let us explore this topic in parts.
First, we start with the infrastructure piece. What do enterprise IT organizations need to start planning for? Here are some thoughts:
Orchestration and Automation – IoT is a lot about automating our daily lives and the world that we live in. But for this, orchestration of various IoT components such as devices, services and applications themselves needs to happen. Why? Because the sheer scale and pervasiveness of IoT sensors, objects, software and applications can result in management, configuration administration and operations being uphill and repetitive tasks. Hence, there is a need for automation and the ability to integrate the IoT components together. With orchestration, all these automated tasks can then be combined into workflows. Planning for an automation and orchestration strategy to manage, maintain and operate IoT infrastructure, devices and applications is as critical as protecting against security attacks. (More on security to follow.)
BYIoT – While enterprise IT organizations are still ironing out BYOD (Bring Your Own Device) policies and management for employees, BYIoT (Bring Your IoT) is about to storm the gates. So, what is BYIoT? It could be a simple sensor brought in to work by an employee who controls it with a smartphone, or even maybe a connected car in the parking lot. What could be the repercussions of business assets, human or machine, bringing in applications, data, devices, sensors or cars? Where does IT control begin and end? For those assets that IT actually controls, can the infrastructure scale and be intelligent enough to deal with all the additional layers associated with IoT? How about optimal performance at infrastructure and application levels? IT needs to consider this and more, all while supporting day to day business operations.
Security – the advent of BYIoT brings us to a biggie: security. Be it of data, applications, infrastructure or devices. If the hacked baby monitor incident is anything to go by, get used to thinking of risks, attacks and threats as the norm rather than the exception. However, controlling privacy and trust or implementing security should not affect usability. With growing IoT adoption, security is not a preserve limited to the IT organization or the enterprise infrastructure. It needs to be all-encompassing and transparent. Security strategies should be a part of each and every cog of the IoT machine, be it product development, services, data collection or analysis. Every stakeholder has to be schooled to include security as part of their role and activities.
For sure, IoT will generate new business models, growth and value propositions to enterprises. To be able to capitalize on these opportunities, different organizations of the enterprise such as IT, Marketing, Sales, Finance or Support need to consider including IoT in their strategic planning and start collaborating together.
Coming soon, Part 2: what should enterprises be thinking of when it comes to IoT security, business processes, data and analytics.