BYOB was an acronym first coined in the 70s to tell party-goers to “Bring Your Own Booze/Beer/Bottles.” The idea was to share responsibilities between the hosts and guests; hosts would provide the venue, entertainment, and food, and guests would bring their own drinks.
Similarly, the BYOD (Bring Your Own Device) movement that began with the advent of smartphones connotes a sense of shared responsibility. While employers provide the IT infrastructure and services, employees have the option to use their personal smart devices for work (if the devices adhere to company security standards).
Relatively fast and reliable home Internet service, along with corporate infrastructure and policies that supported remote work, helped instigate a boom in BYOD talk. In theory, employees would benefit from familiarity with their own devices, a preferred operating system, and, in some cases, a stipend to cover costs. Meanwhile, IT overhead would also potentially fall because users themselves would purchase and maintain their devices.
However, the bright promise of BYOD often fell short in areas such as security, management complexity, and costs. From a technical standpoint, BYOD generally took one of the following forms:
- Corporate applications fully exposed to the Internet, so that employees could connect from any device, whether managed by corporate IT or not
- Virtual Private Networks (VPNs) that created a logical tunnel from personal devices into the IT infrastructure
- Virtual Desktop Infrastructure (VDI) environments that connected users securely to the IT infrastructure from personal devices
The first two approaches were risky from a security perspective and the third, though more secure, was often more complex and expensive to manage than providing PCs in the first place. For these reasons, not many companies have actually implemented BYOD on a mass scale.
Fast forward a few years: public clouds, now prevalent, made the more mature VDI option easier to adopt by replacing initial capital expenditure with the cloud's utility billing. Low-cost thin clients and tablets also made VDI more appealing, although management costs, given the virtualized architecture, remained fairly high. Recent desktop-as-a-service (DaaS) offerings have further simplified VDI implementations. Many industries have also leveraged VDI to help secure sensitive data because only the pixels that represent the data are streamed to the user, not the data itself, even for access from corporate devices.
Meanwhile, BYOD without VDI was still a challenge because VPNs and application delivery controllers (ADCs) sometimes expose corporate networks to hackers through discovered vulnerabilities. Even implementing BYOD VPNs at all proved difficult for many organizations because users typically reject mobile device management (MDM) or other IT security agents on their personal devices. The outcome: those devices were either insufficiently secure or couldn’t access IT services at all.
Excluding VDI solutions, another major complication with historical BYOD strategies was that access was based on an “all-or-nothing” concept, with no context of the user, the device, or the application considered to determine if the access was appropriate. The user either had access or didn’t as determined by ownership of the device and the ability to authenticate. And if the enterprise did not offer personal devices access to IT applications, a secondary access method had to be implemented. This increased complexity, management overhead, and operating costs.
Worst of all was the scenario in which the enterprise offered ubiquitous access regardless of device ownership. In this case, the security shortfalls were enormous and enterprises would often struggle to cope with the consequences of compromised devices.
Enter Zero Trust Network Access (ZTNA)
Fortunately, we have a fundamentally superior option today. ZTNA platforms, which require all human and machine entities to securely authenticate, offer a compelling alternative to previous BYOD strategies. Via ZTNA, organizations can dramatically improve security while also avoiding the expense of VDI.
By introducing context into the authentication process, ZTNA platforms provide flexible application access decisions based on the user, the device, and the sensitivity of the data being requested.
Users on non-corporate devices, or devices that have sign-in attributes deemed risky, can be limited to pixels-only access, which is streamed to them via a remote isolated browser. Security is bolstered further via restrictions or blocks on printing and copy/paste actions while leaving less-sensitive resources more accessible.
Users on corporate devices use the same methods as BYOD users to access IT applications. However, the security posture of the managed devices can be analyzed, and application access can be blocked if security agents don’t exist or aren’t functioning, if malware is detected, or if there are other abnormalities.
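The context-based decision described in the three paragraphs above can be written down as a small policy function. The following is an added example, not code from the original post or from any particular ZTNA vendor; the field names (managed, agent_healthy, malware_detected, risky sign-in) and the two-level sensitivity scale are assumptions chosen to mirror the text, and the sample requests are constructed. It returns one of three outcomes: direct access, pixels-only access through an isolated browser with printing and clipboard disabled, or a block, and emits one audit line per decision so that blocks and isolations can be monitored.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # direct access to the application
    ISOLATE = "isolate"  # pixels-only session through a remote isolated browser
    BLOCK = "block"      # no access


class Sensitivity(Enum):
    LOW = "low"
    HIGH = "high"


@dataclass
class Device:
    managed: bool                  # corporate-owned and enrolled, or BYOD (assumed field)
    agent_healthy: bool = False    # security agent present and reporting (managed devices only)
    malware_detected: bool = False


@dataclass
class SignIn:
    user: str
    authenticated: bool
    risky: bool = False            # sign-in attributes flagged as risky (assumed field)


@dataclass
class Verdict:
    decision: Decision
    reason: str
    controls: dict = field(default_factory=dict)  # session restrictions that were applied


def evaluate(signin: SignIn, device: Device, sensitivity: Sensitivity) -> Verdict:
    """Return an access verdict for one request from the context the post describes:
    who is asking, what device they are on, and how sensitive the requested data is."""
    if not signin.authenticated:
        return Verdict(Decision.BLOCK, "authentication failed")

    if device.managed:
        # Managed devices are held to a posture check before any access is granted.
        if not device.agent_healthy:
            return Verdict(Decision.BLOCK, "security agent missing or not functioning")
        if device.malware_detected:
            return Verdict(Decision.BLOCK, "malware detected on device")
        if signin.risky and sensitivity is Sensitivity.HIGH:
            return Verdict(Decision.ISOLATE, "risky sign-in to sensitive data",
                           {"print": False, "clipboard": False})
        return Verdict(Decision.ALLOW, "healthy managed device")

    # Unmanaged (BYOD) device: no posture data is available, so sensitive data is
    # only ever rendered remotely, and risky sign-ins get the same treatment.
    if sensitivity is Sensitivity.HIGH or signin.risky:
        return Verdict(Decision.ISOLATE, "unmanaged device or risky sign-in",
                       {"print": False, "clipboard": False})
    return Verdict(Decision.ALLOW, "unmanaged device, low-sensitivity resource")


def audit_line(app: str, signin: SignIn, device: Device, verdict: Verdict) -> str:
    """One flat line per decision, so detection tooling can alert on spikes in blocks."""
    return (f'app={app} user={signin.user} managed={device.managed} '
            f'decision={verdict.decision.value} reason="{verdict.reason}" '
            f'controls={verdict.controls}')


# Constructed sample requests (not real users, applications or systems).
SAMPLE_REQUESTS = [
    ("hr-portal", SignIn("alice", True), Device(managed=True, agent_healthy=True), Sensitivity.HIGH),
    ("hr-portal", SignIn("bob", True), Device(managed=False), Sensitivity.HIGH),
    ("wiki", SignIn("bob", True), Device(managed=False), Sensitivity.LOW),
    ("hr-portal", SignIn("carol", True), Device(managed=True, agent_healthy=False), Sensitivity.LOW),
    ("wiki", SignIn("dave", True, risky=True), Device(managed=False), Sensitivity.LOW),
    ("wiki", SignIn("eve", False), Device(managed=False), Sensitivity.LOW),
]


def run_samples() -> list[Decision]:
    """Evaluate the constructed requests, print the audit lines, and return the decisions in order."""
    decisions = []
    for app, signin, device, sensitivity in SAMPLE_REQUESTS:
        verdict = evaluate(signin, device, sensitivity)
        print(audit_line(app, signin, device, verdict))
        decisions.append(verdict.decision)
    return decisions


if __name__ == "__main__":
    run_samples()
```

The point of keeping the verdict, reason and controls together is that the same record drives both enforcement and monitoring: a rise in "security agent missing" blocks across managed devices, or in isolations for one user, is a signal worth investigating rather than a value that is lost once the session is established.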
Third-party and business-customer access scenarios benefit from the ZTNA model as well, because it enables both BYOD and BYOI (Bring Your Own Identity) for corporate application access. This reduces the burden on the organization to provide corporate identities (and sometimes equipment) to non-employees and removes even more risk from the application ecosystem.
Cloud-based ZTNA makes the enterprise effectively invisible to the Internet while also eliminating gateways that would otherwise have to be managed or secured. True ZTNA implementations abstract application access from the network, delivering a boost to security that increases over time, as opposed to a VPN (which, once compromised, can potentially expose the entire corporate network).
For these reasons, I think it’s time for many to revisit the corporate BYOD strategy. For best results, most organizations should investigate ZTNA and all the security enhancements, cost reductions, and management benefits it can bring.