The Covid pandemic forced businesses to hastily adopt remote work to keep their employees safe and avoid a complete standstill. As work from home has become the new normal, several organizations are now struggling to cope with the security challenges and endpoint management concerns associated with remote work.
In the pre-Covid era, businesses typically avoided the concept of ‘Bring-your-own-Device’ (BYOD) or ‘Bring-your-own-PC’ (BYOPC), i.e., letting employees use their unmanaged, personally-owned devices for work. The prime reason for this was the increased risk of security breaches and data loss. In the current situation, several organizations have adopted BYOD to quickly enable work from home, onboard remote users, ensure uninterrupted productivity and save costs. But organizations looking to sustain BYOPC in the long term must first find ways to mitigate the security threats and endpoint management concerns that come along with it.
BYOPC strategy can differ from one industry to another, and from one user group to another. Industries like BFSI, Pharma, Healthcare and Government, which work under strict data protection regulatory norms, need more control and thus cannot afford to take any kind of risk with their BYOPC strategy. Industries like transportation, hospitality or school education, which are typically not bound by strong data protection regulations, may consider using BYOPC more liberally without exercising a great deal of control.
Thus, organizations can adopt different approaches to BYOPC, based on the extent of control they need to exercise and the risk they are willing to take, both of which invariably depend on the criticality of the data they work with.
(Source: Gartner)
The above figure illustrates the different approaches to BYOPC with the respective levels of control and risk associated with each. As can be seen from the graph, control and risk are inversely correlated: a decrease in control results in an increase in risk, while increasing control leads to reduced risk.
As noted from the figure, no approach to BYOPC provides organizations with as much control as enterprise-owned devices. Although virtualization-based infrastructure provides organizations with much more control than locally installed applications do, both scenarios make organizations inherently more secure when compared to any of the BYOPC approaches. But BYOPC is certainly an option which, if well leveraged by enterprises, can be a sustainable and beneficial long-term strategy. Here we evaluate the various ways in which organizations can enable BYOPC.
BYOPC With ZTNA
In this approach, BYOPC users are given zero trust-based access to business applications. ZTNA assures that the organization can monitor all users’ activities for risk. This approach is the riskiest of all options, as the data resides on the endpoint, making it vulnerable to intentional and unintentional leakage. Also, organizations will have limited control over the applications and data, as the endpoint serves as the place of execution and not just as an access platform. While this approach is not suitable for long-term BYOPC in organizations working with critical data, it is certainly an option for those organizations and roles that do not have to deal with sensitive data.
BYOPC with in-office PC connections
Biometrics-based authentication, such as facial or fingerprint verification, overcomes the limitations of typical OTP or push notification-based authentication by providing authentication based on “who you are”. It ensures absolute certainty before granting or denying access, as ‘who you are’ can hardly be tampered with. Also, it results in a significantly improved user experience compared to OTP or push notification-based authentication: users do not need to type in OTPs, nor do they need to have any other device handy.
BYOPC with VDI or DaaS
Compared to the two approaches explained above, this one offers adequate security and risk mitigation. The threat landscape is minimized by consolidating and securing the application execution environment. This approach turns the endpoint device into just an access terminal, which prevents the data leakage issues associated with the other two approaches. With proper authentication and identity protection mechanisms, this approach serves as the best long-term approach for BYOPC.
Irrespective of the approach an organization uses, BYOPC will have to be backed by some important modern security features. Some of them are stated below.
1. Multi-factor authentication: Strong multi-factor authentication, of which at least one factor is independent of the device, should be in place. Biometrics-based authentication using fingerprint or facial recognition, and continuous virtual monitoring, would be an added advantage. This ensures that user identities are safeguarded and that identity theft, shoulder surfing and credential sharing are all mitigated.
2. Contextual access and adaptive control: Factors like the device used, the security posture of the device, geolocation, data sensitivity levels etc. must be evaluated, and access granted with appropriate rights and privileges based on that evaluation. Policy-based restrictions on users’ activities and data exchange have to be put in place.
3. Secured and controlled file exchange: File uploads must be allowed only when absolutely necessary. Downloads, copy-paste, screen printing and screen recording must all be controlled. All uploads and downloads need to be logged with details on who, where, when and how.
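To make points 2 and 3 concrete, here is an added example (not code from the original article or from any vendor) of a contextual access policy that grants session rights based on device ownership, device posture, geolocation and data sensitivity, together with an audit record for every upload or download attempt. The field names, the allowed-country list, the sensitivity levels and the sample sessions are all constructed assumptions for illustration.

```python
"""Contextual access policy and file-exchange audit log for BYOPC sessions.

Added example, not from the original article. Policy values (allowed
countries, sensitivity levels, rights names) are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json


@dataclass
class AccessContext:
    """Facts about one login attempt, as an access broker would collect them."""
    user: str
    device_managed: bool           # True = enterprise-owned, False = BYOPC
    disk_encrypted: bool           # posture signals reported by the endpoint
    os_patched: bool
    country: str                   # geolocation of the source IP
    data_sensitivity: str          # "public" | "internal" | "confidential"
    mfa_device_independent: bool   # at least one MFA factor not tied to the endpoint


@dataclass
class Decision:
    allow: bool
    rights: set = field(default_factory=set)    # e.g. {"view", "download", "upload", "clipboard"}
    reasons: list = field(default_factory=list)


ALLOWED_COUNTRIES = {"IN", "US", "GB"}                     # constructed policy value
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2}
AUDIT_LOG = []                                             # in-memory stand-in for a SIEM


def evaluate(ctx: AccessContext) -> Decision:
    """Grant rights that shrink as device posture weakens and data sensitivity rises."""
    if not ctx.mfa_device_independent:
        return Decision(False, set(), ["MFA must include a factor not tied to the endpoint"])
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision(False, set(), [f"geolocation {ctx.country} is outside the allowed list"])

    rank = SENSITIVITY_RANK[ctx.data_sensitivity]
    posture_ok = ctx.disk_encrypted and ctx.os_patched
    rights = {"view"}          # everyone who is allowed in can at least view via the access platform
    reasons = []

    if ctx.device_managed:
        rights |= {"download", "upload", "clipboard"}
        reasons.append("enterprise-owned device: full rights")
    elif posture_ok and rank < SENSITIVITY_RANK["confidential"]:
        rights |= {"download", "clipboard"}
        reasons.append("BYOPC with acceptable posture on non-confidential data: no uploads")
    else:
        reasons.append("BYOPC on confidential data or weak posture: view-only, data stays server-side")
    return Decision(True, rights, reasons)


def record_transfer(ctx: AccessContext, decision: Decision, action: str,
                    filename: str, source_ip: str, channel: str) -> dict:
    """Log who / where / when / how for every upload or download attempt,
    whether or not the policy permitted it, and return the entry."""
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": ctx.user,
        "where": {"ip": source_ip, "country": ctx.country},
        "how": {"action": action, "channel": channel, "device_managed": ctx.device_managed},
        "what": filename,
        "permitted": decision.allow and action in decision.rights,
    }
    AUDIT_LOG.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed sample sessions: one managed device, one BYOPC laptop on confidential data.
    managed = AccessContext("alice", True, True, True, "IN", "confidential", True)
    byopc = AccessContext("bob", False, True, True, "IN", "confidential", True)
    for ctx in (managed, byopc):
        d = evaluate(ctx)
        print(ctx.user, "allow=%s rights=%s" % (d.allow, sorted(d.rights)), d.reasons)
    # Bob tries to upload a file from his personal laptop; the attempt is logged either way.
    print(json.dumps(record_transfer(byopc, evaluate(byopc), "upload", "q3-forecast.xlsx",
                                     "203.0.113.7", "web-portal"), indent=2))
```

The rights set is deliberately additive from a view-only baseline, so a new posture signal or sensitivity level can only remove rights, never grant them by accident. The audit entry records the attempt even when `permitted` is false, since blocked upload attempts from BYOPC devices are exactly the events a security team wants to review.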