Bring Your Own Device. Shudder.

26 May

It had to happen. Maybe they saw us secretly playing with (sorry, I mean testing) iPads in the IT department. Perhaps they saw the headlines that David Cameron plays a “scary, crazy” amount of time playing Fruit Ninja on his iPad. Whatever the reason, I was told yesterday that our Executive Committee wants us to recommend to them that they need some form of wireless tablet that they can connect to the corporate network to help boost productivity.

I couldn’t help but groan when I heard this. While I certainly think proper, secure Wifi access is something we should be thinking about (currently our wifi’s allow access to the Internet only – no corporate LAN access), I just know the CEO and co will be thinking that this is as simple as 1. purchase device and 2. connect to network. Unfortunately this way of doing things quickly leads to 3. clean up the malware infestation and 4. watch your data walk out of the door.

While the request specify mentions this Exec Committee, I see this as part of a growing trend towards Bring Your Own Device (BYOD) policies. Many users already use their own laptops at work rather than the Windows 7 desktop PC’s we supply, choosing to copy data between laptop and desktop via USB sticks (or simply keeping their data on their own laptop). For that reason, I think that this is a good opportunity to put forward recommendations for personal device usage that encompasses the whole organisation.

For me, there are two areas of concern. Firstly, we must ensure that personal devices cannot compromise the security of the corporate network by introducing malware. Whilst we cannot take responsibility for the state of a personal device (eg does it have antivirus enabled and up to date? Is it fully patched?) we must be able to prevent devices that are at risk from connecting to the network.

Secondly, we must be able to control (or at least, audit) what happens to corporate data. If Joe Bloggs is fired, we must be confident that he doesn’t walk out of the door with our customer database on his laptop. Unfortunately, given that many users already choose to use their own laptops for storing work, we are already falling behind with this. Equally unfortunately, this is as much an HR/management issue as it is a technological one. And our management are notoriously bad for giving in to user demands (we once implemented an endpoint policy using Safend software, all approved by the Executive Committee, only for it to be scrapped within an hour of being enabled due to a handful of users complaining that their own USB devices were being rejected. Despite the fact that we’d made the relevant people aware that this would happen, and had supplied approved USB devices to be used instead).

So this weekend, I shall be putting on my creative thinking cap and doing some research into how other companies are dealing with this. My first thoughts are perhaps to continue separating corporate and personal devices on different networks, and implementing a Windows 2008 Remote Desktop Services system on the corporate LAN to publish remote applications that users can use to work on corporate data, perhaps combined with a network quarantine solution to ensure that devices meet a minimal approved specification before being approved on the network. The advantage (or perhaps the disadvantage!) to RDS is that it could potentially be made available to the outside world, allowing users the freedom to work from anywhere.

Leave a comment

Posted by on May 26, 2012 in Computers, Security, Work


Add Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: