Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Monday, May 23, 2011

Bring Your Own Device - what's the big deal?

So Alice went out and bought herself an iPad for her birthday and now she wants to connect it to the network.   Employees will continue to bring their own devices to work and they want to connect them to the corporate LAN.   Don’t try to ignore it and bury your head in the sand because it isn’t going away.

If you haven’t done so yet, you had better get some procedures developed or you will be playing catch-up. First, you need to decide what Bring Your Own Device (BYOD) means in your environment. Does it include only tablets and/or smartphones? Or are you going to allow laptops? Just remember that the line between tablets and laptops is not where it was a year ago, and it is getting blurrier as I type this blog. What data are you going to allow access to…email only, or access to backend systems? These are the decisions that need to be made and implemented via your policy with very few (preferably no) exceptions.

If you are going to allow tablets and smartphones access to data other than email, how are you going to manage the devices? If your users want access to the data, they will need to give up some of their “ownership” of their devices. You will want to be able to ensure password protection, remote wipe, certificates, and some sort of encryption on their device. If they don’t agree to these requirements, don’t let them on the network.

Another option, especially if you are going to allow BYOD laptops, is to utilize virtualization. Create virtual desktops for these users and allow the device to connect only to the virtual desktop environment. Most are configurable to control which services are or aren’t available, e.g. USB, drive mapping, etc.

You must also make the decision on what level of support your organization is going to provide. If the parameters are not identified up front, a lot of “un-forecasted” man-hours could be spent on troubleshooting user issues. Also identify what operating systems will be acceptable and allowed to connect to the network. For example, do you allow iOS devices, Android, BlackBerry, and Windows Phones, or do you limit it to a smaller subset of devices? What about laptops…Windows (all versions or just Win7), Mac, Linux?

As you can see there are many decisions that need to be made and you must have management agreement.   One thing to remember is don’t back yourself into a corner that will force you to accept additional, unneeded risk in the future.  For example, make sure the controls you implement will adequately protect your most sensitive data because whatever your backend systems are, you can bet that the vendor is going to develop an app that will allow access to that system. 

~Skeeter
