There is an increasing level of noise in the enterprise about Bring Your Own Device (BYOD). Whether you like it or not, it is most probably happening right now within your company, unless you are “lucky enough” to be able to enforce strict controls over which devices are allowed to access your data.
For a true BYOD concept, meaning with no restrictions on what that device might be, there are only two possible ways to enable it:
1) allow network access to your data/applications directly from any device, or
2) make your data/applications available from the Internet, the easiest incarnation of which is through web applications.
With the first approach, network access, the positive is that you have more control over the environment from which the data/application is accessed: you can enforce a minimum set of security controls and quarantine non-compliant devices. The negatives are the need for a relatively complex VPN framework that works across a variety of hardware and operating systems to support access to your applications. It will also have a user impact: if you enforce security policy changes on the user, it is likely to change their experience (e.g. longer and more complex passwords, the dreaded password expiry, etc.).
With the second solution, direct Internet access, the advantage is an easy and fast deployment with no impact on the user experience: the behaviour of their laptop does not change. The drawback is obviously the security risk attached to the front end and back end of your Internet-facing application.
More importantly, there is an inherent security risk with web applications: you cannot control the environment from which they are accessed. You no longer check the AV version, the GPO, the firewall status, etc.
Could those security checks still be done by some sort of Java client application that performs a security lookup as part of the credentials required to access the app?
Yes.
Would it be intrusive?
Yes. Users would have to download some kind of client (Java?) and would probably have to click through several warning messages, etc.
Is it done today by any internet facing application in your organisation?
No.
Is this a massive security risk?
Yes, because you are now allowing key applications to be accessed from anywhere in the world and from any device that has an Internet client, such as a public Internet kiosk riddled with malware and keyloggers…
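To make the posture checks discussed above (AV status, applied Group Policy, firewall state) concrete, here is an added example of a Windows device-posture script of the kind a BYOD access gateway or pre-login client could run before granting access. It is not code from the original post. It assumes a Windows 10/11 host with Microsoft Defender, the built-in NetSecurity module and gpresult.exe available, and it must be run elevated for the computer-scope Group Policy query; the signature-age threshold and the baseline GPO name are constructed placeholders.

```powershell
# Added example (not from the original post): a minimal Windows device-posture
# check of the kind a BYOD gateway might require before granting access.
# Assumptions: Windows 10/11 with Microsoft Defender and the NetSecurity module,
# run from an elevated shell. Thresholds and the GPO name are constructed values.

$MaxSignatureAgeDays = 3                          # constructed threshold
$RequiredGpoName     = 'REPLACE-WITH-YOUR-BASELINE-GPO'   # placeholder, not a real GPO

function Test-DevicePosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1) Antivirus: Defender engine on, real-time protection on, signatures fresh.
    try {
        $av = Get-MpComputerStatus -ErrorAction Stop
        if (-not $av.AntivirusEnabled)          { $findings.Add('Antivirus disabled') }
        if (-not $av.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
        if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Signatures are $($av.AntivirusSignatureAge) days old (max $MaxSignatureAgeDays)")
        }
    } catch {
        # Third-party AV or Defender not present: treat as unknown, i.e. non-compliant.
        $findings.Add('Microsoft Defender status unavailable')
    }

    # 2) Host firewall: every profile (Domain, Private, Public) must be enabled.
    try {
        Get-NetFirewallProfile -ErrorAction Stop |
            Where-Object { [string]$_.Enabled -ne 'True' } |
            ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is not enabled") }
    } catch {
        $findings.Add('Firewall state unavailable')
    }

    # 3) Group Policy: the device must have applied your baseline GPO.
    #    A machine that never received it is, by definition, not one you manage.
    $rsop = & gpresult.exe /r /scope:computer 2>$null
    if (-not ($rsop -match [regex]::Escape($RequiredGpoName))) {
        $findings.Add("Baseline policy '$RequiredGpoName' not applied (unmanaged device)")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage: a gateway or login wrapper would deny access on any finding.
$result = Test-DevicePosture
if ($result.Compliant) {
    Write-Output 'Device posture OK'
} else {
    Write-Output 'Device posture FAILED:'
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Note the design choice in step 1: when the AV status cannot be read at all, the script fails closed rather than assuming the device is fine. That is the point the post makes about web applications: once you cannot evaluate the client environment, the only safe default is to treat it as untrusted. A check like this also only covers Windows; it is exactly the per-platform client effort the post describes as the cost of the first approach.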
Whatever way you are looking at it, doing BYOD right from a security perspective is not easy.