With the growing demand for BYOD (Bring Your Own Device) as a possible cost saving measure for many companies, IT networking and security groups have to properly plan for this new IT model. To the untrained eye this might look like a great idea to cut IT costs but in the long run it could cost a company much more than what they saved on pc hardware. Some things to consider: 1) how to properly ensure all pc’s have some form of virus protection, 2) are pc’s being kept up to date with security patches and updates, 3) will BYOD be centrally managed.
Even though this is a novel idea, it’s also a hacker’s playground for mischief once the door is open for them to gain access to your network. This article gave great pointers on processes one should consider if choosing to go down this path. For instance: 1) Create a structured network segmentation strategy, 2) Limit access to systems through a single point and apply fine-grained access controls, 3) Increase authentication to corporate resources, 4) Manage your devices.
I’m currently at this same crossroad in my current position as Director of Desktop Support and Systems Administration. We are seeing the push for people to work from home and also bring those same mobile devices into work to gain access to network resources. The work from home part isn’t new. We currently use VPN tunneling and depending on network access required a RSA token is assigned. What is new is if we will allow BYOD on to our physical network.
Note: Deleted graphic to eliminate authentication request
At work we use a VDI to do anything work related. Even if we bring a our own device, we still need to login to the VDI using our RSA tokens. Obvoiusly the VDI isn’t as great performance wise, it solves a lot of the security issues with having to do work on your own device.
I work at a school district. We opened up BYOD 4 years ago. We had many decisions to make. Would we enforce things like Anti-Virus on the machines, updated patches for operating systems, etc. After looking at all the possibilities, we decided our best defense was NO defense. It would be impossible for us to try to enforce those things, even with all the software and appliances out there that check for these types of things. It would merely frustrate the users and stunt the use of BYOD for learning.
What we did decide to do: use 802,1x so that each user authenticates to the Wifi. BYOD users were assigned to an IP scope that had no access to any other resources on the network except a server for authentication and Internet access. To further limit issues, each graduation class had their own IP subnet, so if you did start to poke around, you could only see a limited number of devices. And we did encourage users to install AV and keep up to date, but we didn’t check/enforce it. We couldn’t!!!
Wayne,
Great point, Allowing users to BYOD in a workplace is tricky. Having standard workstations allows standardized support and patches to be issued organization wide. Many people who would BYOD also risk of having old hardware requiring more support. Also, since devices might be older they might not be able to even run the standardized antivirus that we might need to implement on the system.
I can definitely see how BYOD would be a cost saver for businesses as long as the opportunity cost associated with increased vulnerability to your network is not too high. The more sensitive information the user is requesting access to, the more tricky the situation when handling BYOD. Restricting access to a specific subnet, and limiting access to resources works fine, but what happens if the user is in a position who handles sensitive data such as finance or legal? I think it is important to have some kind of NAC that ensures a device is hardened to a particular point before access is granted into the network. I’ve seen several articles with a quick google search that states the increased popularity of BYOD in the workforce is fueling a comeback of NAC to secure networks.