It’s no secret that most businesses and organizations work better when they embrace mobility. The old formula of having droves of suited workers sitting at their desks from nine to five every day, typing away with desktop computers or even older technology simply doesn’t hold up in today’s always on, always connected world.
Modern workers must be connected with the tools and data they need to perform their jobs from anywhere, and at any time. And while we have the technology to enable that to happen, securing it has proved more challenging.
In the beginning, companies took a brute force approach to mobile security, purchasing thousands of devices for themselves, locking them down, and then distributing them out to their employees for work use only. That might have been a relatively safe plan, but it was also extremely expensive and required organizations to buy, maintain and constantly upgrade a fleet of relatively sparsely used mobile devices.
Today, almost everyone has a smartphone that can be used for work in a BYOD (bring your own device) type program. But that does not mean that users will surrender control of their personal hardware. No employee is going to allow their bosses to install monitoring software, agents and other draconian security methods. Just because someone is employed by a company does not mean that they can’t play Angry Birds, watch movies, enjoy social media or talk in private to whomever they choose in their off-hours on their own personal devices. Yet, what happens if those activities endanger company secrets, or pose a risk to an organization’s cybersecurity defenses?
The innovative Bitglass platform aims to tackle this conundrum by completely securing and controlling official work-related interactions between a mobile device and company resources, without infringing on, or in some cases even touching, a user’s smartphone or their personal applications. They do this by leaving the phone alone, and instead securing the connections and the data flowing to it, but only when a user is working with protected applications and data. The system works with any endpoint, including iOS, Android and Windows devices.
Bitglass is installed in the cloud, which technically makes it a cloud security program, or more specifically, it makes the company a cloud access security broker (CASB). How it works is that users on mobile devices first sign into a portal and then access all of their work data through Bitglass. The interface is seamless to users, with only the Bitglass name being inserted into the URL field at the top of the browser page to indicate that Bitglass is enforcing policies on those interactions. The program resides inside the secure Amazon cloud, or organizations with heightened security concerns such as financial institutions or government agencies can instead have the brains of the program installed on an internal, private cloud.
To keep the pricing model simple, and to avoid forcing organizations to count devices, the cost of Bitglass is dependent on the number of users being protected and the number of applications where policies and security are being enforced. For example, a user can have a desktop, a laptop, a tablet and two smartphones, and it will still only cost as much as a single user in terms of billing. That same user could even access company resources from new or unknown devices, such as a kiosk at a hotel or the computer at their grandmother’s house and it would not affect the cost – though the program would likely enforce different policies on the user when working with an unknown or public device.
From a user’s point of view, there is not much involved with setting up Bitglass. Nothing gets installed on their personal devices. For this testing, we just needed to authenticate the apps that we wanted to use and everything automatically configured to work with the Bitglass service. There are no agents and no software to install. Thereafter, whenever we wanted to use protected apps, we first signed on to the Bitglass portal. Personal or non-work related apps were accessed in the normal way, and not affected by the Bitglass protection or monitoring.
Back on the admin side, complete control is given in terms of what users are allowed to see and what information gets transferred, or is blocked from transferring, to their systems though those official channels. The whole thing works because Bitglass is able to use multi-protocol proxies to control data going to devices.
The control offered is extremely precise. For example, specific devices can be given higher permission levels than others. That way an employee accessing a company database using their phone might be okay, while doing the same thing from a public computer might not. But Bitglass goes well beyond the typical allow and block options. For example, apps can be set to read only, meaning that a person could use them and get information but not send any data back out to them. Or coaching is also an option. In coaching, users are given a warning about using an unsanctioned application and are directed to an approved app that has the same functionality.
Data can also be automatically encrypted or even redacted before it gets to a user. And the circumstances that initiate those acts can be tightly configured. For example, when we downloaded a confidential document to an approved laptop, it came through fine and we were able to work with it. However, when the same user account attempted to download the Word file to another, unknown device, the entire contents were redacted and replaced with a note that the contents were removed according to company policy.
Another great feature with Bitglass is that it has lots of features normally only found inside complex mobile device management (MDM) platforms. For example, when a user leaves an organization, all an administrator needs to do is remove them from Active Directory. Immediately, Bitglass will change their permissions so that any company files they still possess point to a null data version, essentially wiping them from their mobile devices.
It’s worth noting that all testing for this feature was conduced with the agentless version of Bitglass. For organizations that still own their mobile devices, an agented version is also available. Having the agent sitting on phones allows administrators an additional level of control, including controlling what apps can be installed and used on them. The agent version of the program wouldn’t be appropriate on something like a user-owned tablet, but does really lock things down for company-owned devices.
Any organization that wants to tap into the unprecedented productivity offered by a mobility program but doesn’t want to purchase a fleet of smartphones or worry about an increased attack footprint should give Bitglass a try. It’s essentially an agentless and lightweight MDM platform without any of the over-burdensome complexity or draconian rules those mobile management tools normally require. Bitglass can instead bolster organizational cybersecurity for mobility programs while also being unobtrusive and even mostly invisible for users.
Copyright © 2019 IDG Communications, Inc.