EBOOK

915-6886-01 Rev. A, January 2014www.ixiacom.com

Navigating the Flood of BYOD

2

3

Table of ContentsChallenges to a Secure Network Architecture ............................................ 4

Always On, Always Around. ..................................................................... 4

The Way We Were ....................................................................................... 4

Employees Speak Out—and Sometimes Act Out ....................................... 5

BYOD: Inevitability and Reality ................................................................... 5

Taking the Reins of Network Access Control ............................................ 6

The BYOD Security Architecture: Necessity Replaces “Nice-to-Have” ............................................................................................ 7

Making the Network Both More Accessible and More Secure .................. 8

BYOD Brings New Compliance and Growth Challenges ........................... 9

Gaining a Progressive BYOD Program While Preserving Current Investment ................................................................. 9

Best Practices for Maintaining a Safe and Efficient BYOD Environment .................................................................................... 9

Visibility and Security Monitoring Are Vital to Avoid the BYOD “Danger Zone” ..........................................................................10

Network Packet Brokers (NPBs) and BYOD: Key Security Resources ........................................................................... 11

Holding Back the BYOD Tide Is Neither Cost-Effective nor Possible ........................................................................13

BYOD Essentials: Where to Start ...............................................................13

4

Challenges to a Secure Network ArchitectureToday’s ever-growing Bring Your Own Device (BYOD) adoption rates are inundating the network with security and performance issues. When employees use their own devices at work, the risk of security breach or data loss explodes. Unmanaged smart mobile devices and tablets invite mischief with their “anywhere, anytime, any-device” access to corporate data and infrastructure. With networks becoming more of a challenge to manage every day, IT departments must know which devices are connecting to their corporate networks. At the same time, authorized employees using personal iPads and smartphones need convenient, secure access.

The arguments for enabling employees to use their own devices are undoubtedly compelling. Improving employee satisfaction, attracting and retaining staff, expanding the number of mobile users in the workforce and cutting costs while allowing low-cost resources to be applied everywhere are some of the benefits associated with applying BYOD programs.

Deploying an effective BYOD program means supporting a variety of devices and their operating systems while maintaining expected levels of service, securely onboarding new devices while keeping costs low, and quickly identifying and resolving problems. In this eBook, we discuss the benefits and considerations associated with BYOD, and how organizations can effectively deploy BYOD programs using Net Optics solutions. We will address some of the challenges posed by BYOD, including:

• Maintaining security and compliance in the workplace (p. 8)

• How Application-aware NPM can help you avoid BYOD dangers (p. 9),

• Tackling visibility and security monitoring with Net Optics Network Packet Brokers (NPB) (p.11)

• Optimizing tool performance using Net Optics xBalancer (p. 12)

Always On, Always Around. The ability to run any corporate workload from anywhere, at any time, and from a device of one’s choice is now the gold standard for computing. This capability makes workers of all kinds more productive, whatever social issues it raises about blurring the line between work and home life. Wireless now reigns decisively over wired, making employees increasingly responsive and productive on their devices running countless services and applications but raising new availability, granularity and security challenges to grapple with.

An InformationWeek 2012 Consumerization of IT survey 2 of 400 business technology professionals reveals that we are still in the early stages of looming hard work in regards to BYOD. Right now, businesses are trying to envision the ideal combination of hardware, network infrastructure and software in order to virtualize devices and applications, connect optimally and flexibly, and govern security and policy. It’s clear that each company will have to navigate its own unique route to a resilient and scalable enterprise BYOD architecture.

With networks becoming more

of a challenge to manage every day,

IT departments must know which devices

are connecting to their corporate

networks.

5

The day will soon arrive when the majority of devices used to access business applications will be consumer-owned.

The Way We Were Four major factors had to come together to make BYOD a viable resource: technology, business readiness, employee demand—and now security. Back in the 1980s, workers faced a fairly narrow range of options for performing their jobs: Employees still worked overwhelmingly on employer premises, and so most work product remained confined to those premises. The majority of work was performed by full-time employees. Costlier though they were, most companies preferred this type of workforce rather than deal with the drawbacks of contractors and part-time workers, including tax complexities, confidentiality, longevity, and loyalty.

Nevertheless, the winds of change—more accurately the global typhoons—were already in motion, with the entire concept of work and employment set to evolve radically. The emergence of LAN technology in the 1980s began lengthening the cord that bound the worker to the workplace. Soon, employees could transport information digitally and, although that made it vulnerable to intrusion and corruption, this vulnerability itself spawned a whole industry engaged in protecting that data, wherever it went. With the needs for mobility and security recognized, if not solved, only one factor remained in order for BYOD to take off.

Employees Speak Out—and Sometimes Act Out Technological progress was not the only pressure besieging the traditional workplace. Increasing employee pressure for family time was building, and the nature of the workforce itself was changing in the face of increased downsizing and outsourcing. The contract and parttime workforces continued to grow steadily. The contract and part-time workforces continued to grow steadily. A May 9, 2012 article in Knowledge@Wharton3 asserts a growing reality: that employees are becoming “short-term resources.” The article might have added the other half of the equation, namely that the employer itself may be a short term resource as well.

With lifetime employment increasingly a nostalgic memory, job security has become a more fluid concept. But on the other hand, employees themselves now feel less ironclad loyalty and more freedom to move around; a job is seen more as the building block of a larger career strategy. The Internet, of course, feeds into and intensifies these trends, creating a river of jobs flowing across industries and regions, at which both employees and employers now drink.

BYOD: Inevitability and Reality With change driving both workplace and workforce into cyberspace, and with connectivity soaring, the BYOD juggernaut was set in motion and was soon threatening to overwhelm corporate IT departments. According to a recent survey by IDC4, IT groups typically underestimate by 50 percent the proportion of employees using their own devices for company business. The day will soon arrive when the majority of devices used to access business applications will be consumer-owned.

By 2014, according to Gartner, 80 percent of professionals will use at least two personal devices to access corporate systems and data.5 So “…saying ‘no’ to business use of smartphones, tablets and similar devices in the enterprise is no longer an option,” according to John Pescatore, vice president at Gartner Research.

6

On the positive side, BYOD has the potential to raise employee productivity significantly, streamline and increase collaboration, broaden information flow and enable faster, more agile response to market opportunities. Organizations allowing employees to choose their devices experienced a 200 percent increase in user satisfaction and a 25 decrease in associated costs.6 The key is to give employees what they need, according to device type, and to implement security at the same time to safeguard the value of all this progress.

50% 80%

50% of employees use their own devices for

company business.

80% of professionals will use at least two personal devices to

access corporate systems and data.

Not surprisingly, companies want BYOD programs that provision, secure and manage any device an employee wants to use. Many people think that BYOD security refers only to devices such as smartphones, iPads and Android-based tablets and laptop computers. However, the concept of BYOD security must also apply to personal online service accounts such as cloud storage used by employees in the workplace.

Taking the Reins of Network Access Control Nowadays, employees are demanding—or simply seizing—the freedom to use mobile devices of any type, anywhere, whether company- or employee-owned. Control of network access is critical to supporting business demands and managing BYOD risk over this growing range of devices and applications. BYOD has the potential to disrupt IT significantly, so comprehensive security and governance of a company’s BYOD program are critical.

New devices inundating the workplace bring a variety of new operating systems, such as iOS and Android, along with multiple applications. This ubiquity challenges IT to create a secure and effective BYOD strategy, not only to safeguard company confidentiality and integrity, but to support employee morale, trust and productivity.

In light of this urgency, it is alarming to learn that many IT departments remain unaware that employees are even using their personal devices on the corporate network. An important first step of any security program is to conduct an inventory to find and classify all devices on the network and then establish network access policies based on the risk potential of each device. Secure, convenient access for authorized devices is a first priority, while unauthorized devices will need their own controlled and limited access program.

All BYOD users want the speed and performance they are accustomed to on their local desktops. For this to happen, proper planning for sufficient capacity is key. Service-level agreements must be defined for the BYOD infrastructure. Encryption and login procedures for all endpoint devices (wired, wireless, physical and virtual) must be clearly documented.

It is alarming to learn that many IT departments

remain unaware that employees are even using their personal

devices on the corporate network.

7

If an employee brings in a tablet, for example. then IT should be able to detect and classify it as an “intruder” and limit its access to a guest network.

Related audit procedures must be set forth. Also, centralized management of the BYOD infrastructure, including device, state/session and profile management, must be in place.

The BYOD Security Architecture: Necessity Replaces “Nice-to-Have”According to a new Gartner study, 90 percent of enterprises have deployed mobile devices; 86 percent of enterprises surveyed plan to deploy media tablets this year. This momentum also creates new security concerns—namely, “use of privately owned devices” and “deployment of new enterprise mobile platforms.” To ensure BYOD security and support, Gartner suggests that enterprises leveraging increased mobility should develop a strategy that incorporates mobile data protection (MDP), network access control (NAC), and mobile device management (MDM) tools.

90% 86%90% of enterprises have deployed mobile devices.

86% of enterprises surveyed plan to deploy media tablets this year.

BYOD has opened up a rich field for mischief of all types. Threats are evolving so quickly that networks need far more than an incident-by-incident, product-based response. Rather, they need a transparent, nondisruptive, integrated management and security architecture. The focus of security should no longer be solely on the perimeter, because threats are well-distributed within the perimeter as well. Lack of an integrated approach means security holes—tunnels, really, in light of the sophistication of these threats.

Ideally, a BYOD architecture should enable access to such functions as email and Internet for the privately owned devices, but deny these applications access to the corporate network anywhere sensitive business-critical information resides. If an employee brings in a tablet, for example. then IT should be able to detect and classify it as an “intruder” and limit its access to a guest network.

But identifying devices on the network is only the beginning. The real challenges are ongoing management and integrated security. As network technology evolves and security needs climb, IT must seek out best-of-breed technologies, find the right vendor, and deploy solutions that fit its business needs.

Network equipment such as switches, routers, wireless controllers, and firewalls are the first line of defense and should enable the most unequivocal security. Intrusion detection and prevention, deep packet inspection (DPI) and monitoring tools and analysis systems are absolutely vital to providing that high security. While the traditional security approach of blocking the villains and locking everything down to stay in control of outside threats will always be relevant, this approach can be overwhelmed and inundated by the number and diversity of personal and corporate mobile devices. It is not a panacea.

Security must be continuously analyzed and upgraded. A coherent and effective security policy must break down silos to leverage and integrate security across every device,

8

geography and solution. Furthermore, this architecture should not demand a forklift upgrade, major redesign or massive investment in new capital. It should take advantage of current infrastructure wherever possible and optimize network security investment.

Making the Network Both More Accessible and More Secure After performing a baseline inventory of employee devices, a BYOD program should be ready to provision access to both corporate-owned and personal devices. Flexible provisioning can accommodate personal mobile devices. Once a company has an infrastructure in place, no new devices should be able to connect undetected. Instead, the appropriate policies should be automatically applied and launched whenever a device connects to the network, whether a corporate or personal device, an iPhone or an Android tablet. This both ensures consistent security and saves the time that would be spent battling each new security incident manually. Understanding which devices are on the network also saves costly rip-and-replace upgrades. Keeping a hawk’s eye on network trends and behaviors will also help a company understand the various devices to watch for and enable improved decision-making.

BBYOD and the EEOC

The U.S. government is implementing pilot BYOD programs in key agencies, including the U.S. Equal Opportunity Commission (EEOC) where the pilot program has been very successful. Employees are now able to use their smartphones with third-party software installed. The agency gains the ability to manage device security settings and also to remotely wipe the device clean of confidential information if it is lost or stolen. The agency has realized a cost reduction of 15 percent while reducing software maintenance costs.

The two most important elements in its success were that the agency leveraged its size and prominence to obtain the most advantageous rates (a tactic that a business should also employ); and establishment of a pilot program before rollout. The pilot program gave the agency a chance to work out eligible devices, cloud provider, configuration and technical support.

Read about how the EEOC and other government agencies are implementing BYOD here.

Keeping a hawk’s eye on network

trends and behaviors will also help a

company understand the various devices

to watch for and enable improved decision-making.

9

Now is the time to implement a long-term, scalable BYOD architecture for security and manageability, timeliness, productivity and business advantage.

BYOD Brings New Compliance and Growth Challenges An effective BYOD architecture must also take compliance into consideration. The ability to automate discovery and profiling of devices on the network and to securely provision network access is essential to sustainable compliance as well as to security. With automated reporting procedures, IT staff will be able to smoothly incorporate a new BYOD program into current compliance procedures and respond promptly to audit requests.

As consumer devices grow more sophisticated and portable, corporate IT departments that look the other way or cling to their pre-BYOD architecture put their companies at a disadvantage—and all to achieve some fairly short-term benefits. Now is the time to implement a long-term, scalable BYOD architecture for security and manageability, timeliness, productivity and business advantage.

Gaining a Progressive BYOD Program While Preserving Current Investment There is no question that BYOD is winning the workplace race. Acknowledging this reality, many companies are adopting a hybrid model in which the corporate workforce combines company-owned and employee-owned devices. Either way, security must be unequivocal.

In the enterprise environment, thousands of devices and applications must be able to seamlessly access network resources simultaneously while supporting the highest availability, SLAs, and QoS; enabling companies to gain the full benefit of their monitoring tool investments and protect the business capabilities that make BYOD so popular and successful.

Best Practices for Maintaining a Safe and Efficient BYOD Environment With BYOD, as with any new technology, a company wants to streamline management, optimize cost-effectiveness, minimize IT overhead and maintain unbreachable security—all while ensuring that BYOD services and applications perform reliably whether on or off premises. Applications such as social media, blogs, and P2P networking, as well as core business applications need constant vigilance. The ability to monitor web-based applications demands total, end-to-end visibility, including the ability to search traffic using Deep Packet Inspection (DPI) and real-time, session-based analytics, as crucial to a BYOD program as to the premises environment.

With the major, critical resources that a company has at stake in its network, the ability to see and monitor network and applications availability and performance is critical. In order to handle the flood of BYOD traffic and ensure network security, a company may need to invest in more tools. In addition, users will demand better quality for portal services; as more video is consumed, network latency and application performance become an issue.

10

By uniting Performance

Management with Intelligent Access,

Spyke forges the total network

monitoring and access architecture

needed by BYOD.

Visibility and Security Monitoring Are Vital to Avoid the BYOD “Danger Zone” An AA-NPM solution like Net Optics Spyke™ becomes an important BYOD resource, offering critical insights into the network and the impact that employee devices are having in terms of both security and performance, Spyke delivers a rich set of capabilities to monitor and review the network, seeing through its layers for total visibility. This real-time visibility supports constant network intelligence; it ensures that applications are safe and performing up to par and can find, diagnose and resolve issues before they become crises. With Spyke, IT can monitor and optimize for provisioning, security and high application performance cost-effectively and without disruption.

VoIPMonitoring

Spyke™Email

Attachments

Top Talkers

BadwidthUsage

Application-speci�c intelligence is critical to timely root cause analysis for BYOD security.

Application Aware Network Performance Monitoring (AA-NPM)

By uniting Performance Management with Intelligent Access, Spyke forges the total network monitoring and access architecture needed by BYOD, extending visibility and control to the critical application layer. Spyke as a BYOD resource can be used in tandem with existing performance and availability solutions to plug visibility holes in the monitoring infrastructure.

Spyke’s real-time monitoring addresses critical business needs at gigabit speeds and provides insights and analysis on a sub-minute level. Application-specific intelligence is critical to timely root cause analysis for BYOD security—including identification of actual user names, individual VoIP calls, and deep visibility of email traffic. With a near real-time and historical view of key performance indicators (KPIs) such as traffic volume, top talkers, application and network latency, top conversations and application distribution, the IT department can monitor bandwidth usage and acquire needed information to quickly resolve issues for application performance. IT can also perform capacity planning and trend analysis to see how the BYOD program affects the baseline of network resources.

Spyke automatically discovers applications using Deep Packet Inspection (DPI). This allows for detection of which applications and clients use the network and how they use it: when users/applications go through a non-standard port number, IT can then distinguish legitimate from illegitimate traffic. Continuous and ad-hoc packet capture and analysis and VoIP monitoring with Jitter analysis and MOS score address issues of user satisfaction. All of this can be done through a single pane of glass with easy-to-use interface for a low cost way to reduce MTTR and quickly, accurately resolve network and application issues. There is less reliance on costly network engineers, better business continuity and a more satisfactory user experience.

11

Using Director as part of the BYOD security architecture makes the program more cost-effective and scalable.

Network Packet Brokers (NPBs) and BYOD: Key Security Resources An NPB such as the Net Optics Director™ Family is another major resource for enabling successful BYOD security. Director forwards relevant network traffic from multiple links to multiple monitoring tools for centralized monitoring and analysis. Its flexible, high-performance features give customers the ability to view more traffic with fewer monitoring tools as well as prevent oversubscription. Director also makes it simple for users to connect additional tools for reinforced security. Using Director as part of the BYOD security architecture makes the program more cost-effective and scalable by leveraging existing monitoring tools to maximize performance while increasing security, compliance and scalability.

Layer 7Filtering

Director™

TapFlow™Filtering

Low Latency

Aggregation & Regeneration

Security

Audit and Privacy

Performance

Forensics

Network Packet Brokers (NPB)

Director forwards relevant network tra�c from multiple links to multiple monitoring tools for centralized monitoring and analysis.

This access switch provides intelligent, flexible centralized control and monitoring of all traffic streams in the network operations center. It heightens security and compliance, providing advanced filtering options based on packet headers and protocols (layer 4 filtering) as well as packet payload (layer 7 filtering); filtering by VLAN tags and MPLS labels as well as pattern matching anywhere within a packet (e.g., HTTP headers). Director performs forwarding, aggregation and regeneration of traffic received in-line or out of band. Low-latency, hardware-based TapFlow™ filtering makes sure that only traffic relevant to each tool is forwarded. Director increases performance and scalability through its ability to share tools and data access among groups without contention. A BYOD program becomes more efficient and cost-effective by maximizing utilization of existing monitoring tools

Director can aggregate traffic from multiple links and load balance the traffic to multiple tools—ensuring that all monitoring tools are utilized efficiently and maximizing the monitoring capacity of the entire network. Without investing heavily in additional tools or risking oversubscription, a company can achieve peak network performance. With its ability to support Network intelligence statistics such as volume, oversubscription and protocol distribution, Director keeps traffic flowing even in the event of a power loss using its Zero Delay technology—helping a BYOD program to please users.

12

DynamicLoad Balancing

xBalancer™

TapFlow™Filtering

PacketSlicing

Aggregation & Regeneration

Security

Audit and Privacy

Performance

Forensics

Network Packet Brokers (NPB)

Scalable load-balancing that supports virtually any scenario.

1G

1G

1G

10G

10G

Load Balancing and BYOD: Cost-Effective Assurance That Tools Perform Optimally As the BYOD phenomenon expands and networks grow under the influx of ever-increasing traffic, the need for a cost-effective way to protect and optimize tool performance rises accordingly. Load balancing thus had become a key element of maintaining tool performance within a BYOD security architecture. By providing a cost-effective way to prevent overburdening and consequent loss of tool function, a solution like the Net Optics xBalancer™ can help companies achieve and maintain peak performance and security in their 10G networks. Even better, this can be done without requiring heavy investment in additional 10G tools or risking oversubscription. xBalancer distributes the traffic load to multiple monitoring tools; its 24 SFP+ ports and integrated data rate conversion make it ideal for load balancing traffic from 10G links to multiple 1G tools, leveraging legacy investment; the versatile solution also enables two or more appliances to be deployed in parallel, either in-line or out-of-band.

The stresses on network tools caused by multiple threats and exploding data volume from countless devices used by BYOD employees makes xBalancer a smart component of BYOD strategy. xBalancer preserves the vital role played by security tools even as the BYOD phenomenon grows, ensuring business continuity. xBalancer also offers high availability (HA) modes that include heartbeat packets, redundancy and link-state awareness.

Scalable load-balancing that supports virtually any scenario, plus ultra low-latency with a cut-through architecture make xBalancer an economical and high-value investment for a BYOD security infrastructure. Its TapFlow™ filtering and packet slicing mean that only relevant traffic is forwarded to tools. With its network intelligence supporting many statistics including volume, over-subscription and protocol distribution and the latest load balancing capabilities based on MPLS labels, xBalancer adds the stat-of-the-art network security protection that BYOD demands.

The sooner the better is the ideal

timeframe for a company to focus its resources on helping

more employees make BYOD part of

their jobs.

13

Holding Back the BYOD Tide Is Neither Cost-Effective nor PossibleThe sooner the better is the ideal timeframe for a company to focus its resources on helping more employees make BYOD part of their jobs. An integrated BYOD architecture ensures that IT operations, application support teams and network engineers can always detect and fix network problems before service delivery is degraded or security compromised. Whether an SMB, a distributed office or an enterprise data center, this architecture enables the network intelligence, visibility, security, availability and quick troubleshooting capabilities that make for BYOD success. Properly implemented, BYOD helps employees to stay in touch with their personal lives while keeping their business lives separate, preserving the confidentiality and integrity of each—all on the same device. This adds up to productivity, security and morale.

BYOD Essentials: Where to Start

Here are a few simple steps that an organization can take to ready itself for a BYOD program.

• Choose consistent basic features and security measures Make sure that you and your employees have consistency across the company in terms of threat protection, such as security settings, and policies.

• Obtain appropriate legal guidance and advice You should know where you stand with regards to yours and employees’ rights. Ensure that your company policies are valid and enforceable.

• Inform and socialize BYOD fundamentals throughout the company Simplify and explain BYOD concepts to the workforce; set up meetings so that everyone is on the same page, including which expenses you will take defray and which are the employees’ responsibility, and reimbursement policy.

• Create an internal advisory group An internal advisory group can do the legwork to identify and compare providers for mobile device management; security risks and privacy concerns; Rules of Behavior, and creation of an internal web site.

• Establish a pilot program You can explore such issues as rate-plan optimization, software, device access to email, contacts and tasks, costs and budgeting.

Properly implemented, BYOD helps employees to stay in touch with their personal lives while keeping their business lives separate.

14

Footnotes:

1. OECD Insights, January 31, 2012 http://oecdinsights.org/2012/01/31/the-internet-of-things/

2. 2. Information Week Reports, February 2012 http://reports.informationweek.com/abstract/83/8838/it-business-strategy/research-2012-consumerization-of-it-survey.html

3. Knowledge@Wharton on Forbes http://www.forbes.com/sites/knowledgewhar-ton/2012/05/10/182012/

4. “Bring Your Own Device (BYOD) Unleashed in the Age of IT Consumerization” http://resources.idgenterprise.com/original/AST-0055442_BradfordWP0103_2_.pdf

5. Hamilton, Robert, “RSAC Panel Insights: Can Data Breaches Be Stopped, Really?” March 29, 2012, In Defense of Data http://www.indefenseofdata.com/page/2/

6. McLaughlin, Kevin, “Cisco Security GM: Embracing Consumerization Is Smarter than Fighting It.” September 28, 2011, CRN http://www.crn.com/news/security/231602340/cisco-security-gm-embracing-consumerization-is-smarter-than-fighting-it.htm

7. Bring Your Own Device: New Opportunities, New Challenges http://www.gartner.com/id=2125515

About the Author

Bob Shaw, President and CEO, Net Optics, Inc.

As President and Chief Executive Officer of Net Optics since 2001, Bob Shaw is responsible for conceiving and implementing corporate vision and strategy. He is instrumental in positioning Net Optics as the leading provider of Total Application and Network Visibility solutions in both the physical and virtual environments. Under Shaw’s guidance, Net Optics has achieved consistent double-digit growth, launched more than 35 new products, acquired over 8000 customers, and expanded its global presence in over 81 countries. The company was recently included in the Inc. 5000 elite list of highest performing companies and won Best of FOSE honors. In addition, Net Optics has earned the coveted Red Herring Top 100 North America and Top 100 Global Awards for promise and innovation, the Best Deployment Scenario Award for Network Visibility and many other accolades. Shaw’s leadership experience spans startups to Fortune 200 organizations, where he held Senior Vice Presidential executive positions. Shaw earned both a Bachelor of Arts degree in Business and a Bachelor of Science degree in Economics from Geneva College in Pennsylvania.

15

EBOOK

Ixia Worldwide Headquarters26601 Agoura Rd.Calabasas, CA 91302

(Toll Free North America)1.877.367.4942

(Outside North America)+1.818.871.1800(Fax) 818.871.1805www.ixiacom.com

Ixia European HeadquartersIxia Technologies Europe LtdClarion House, Norreys DriveMaidenhead SL6 4FLUnited Kingdom

Sales +44 1628 408750(Fax) +44 1628 639916

Ixia Asia Pacifi c Headquarters21 Serangoon North Avenue 5#04-01Singapore 554864

Sales +65.6332.0125Fax +65.6332.0127

915-6886-01 Rev. A, January 2014