BYOD solution for your network - Part 2

In part 2 of my recommendation I look at bring your own device (BYOD). I'd consider my recommendation a simple and somewhat sane method that also offers a fair but low-friction way to enable BYOD as a corporate device.


In a recent Gartner report, 80% of CIOs say they will allow users to BYOD by the end of 2016, making individually owned devices the norm. This could be looked at as a risky proposition, as these potentially unhygienic devices become welcome on your corporate network and could cause havoc. On the other hand, BYOD may be a way to save money and increase your users' satisfaction and productivity.

I've outlined six simple steps to consider when you get ready to take the plunge and bring BYOD to your world.

Step 1 - Decide and understand your device ownership model. The two scenarios on ownership are corporate owned/managed and user owned/managed.
Most likely, if the device is owned by a corporation it will be managed by the corporation, and users will expect the corporation to service, maintain, license, configure, and possibly monitor the device. User expectations to freely use these devices are generally low. In this scenario the users usually do some corporate work on the provided device and also have their own device, which they use for their personal computing at home and possibly at work.
At the other end of the model, the device is user owned, maintained, configured, licensed, and operated. As a corporate user, they have access to their personal device at all times, and access to corporate data when connected to the correct service or network. The problem with this is that the device may or may not be infected with malware, or have technical or configuration issues that can be costly for an organization to correct.

Today the best BYOD scenario is one I'd consider in the middle. A shared ownership/management model may be subsidized by the organization, but ultimately the user owns the device. In a shared model the user would purchase a device from an 'approved' device list to minimize configuration issues and provide some level of compatibility.


A shared model can reduce an organization's risk from BYOD and maximize the user's ability to pick a device they own and care for.

Step 2 - Consider the use of a Mobile Device Management (MDM) tool. These tools provide a great means to ensure the devices can be kept malware free, prevent them from being jailbroken, and remotely wipe them if lost. Here are two good MDM comparables I'd recommend if you're looking to introduce an MDM.

--Side note-- Since this blog's about tech and cloud, before you buy, ask the vendors if THEIR solution is in the cloud. I think it's reasonable to expect that the providers of MDM solutions embrace cloud computing for their capabilities. I think it's interesting to see that many still have dedicated data centers!

Step 3 - Invest in training and creating an acceptable BYOD use policy. The policy and training should explain the need to keep devices malware free, address why jailbreaking devices is not advisable, and explain how an MDM would be used to ensure the device stays safe from a corporate view.

Step 4 - Require encryption, and possibly geolocation. Part of the use policy, MDM management, and selection criteria for devices would be to ensure that the device provides an encrypted storage mechanism and a means to track the device using geolocation. On most recent handheld devices this is not a problem; for instance, Galaxy S III and newer, iOS 4.0 and newer, and Windows Phone 8 and newer provide encryption. As for geolocation, this may be controversial, as people generally don't like being tracked, but it's important to weigh the benefits. A good MDM will alert your security expert only when a device shows up on another continent. This can answer the question: why did your iPhone suddenly pop up in Thailand?

Step 5 - Require a PIN lock, and consider a banned app list. A device PIN lock is the bare minimum that should be required. As for a ban list… Hmm… What to allow, and what not to allow. Here's the skinny, in my opinion.

Unless you absolutely have to… and I mean absolutely have to, I'd recommend you ban JAVA. Yes, based on my experience JAVA is not safe enough to run on a corporate network, especially older versions of JAVA.

Step 6 - Keep versions current and devices patched. Stay on the most current version of the OS, as vendors tend to send security fixes out with their updates. Keeping a device up to date and current can be a pain, but it's essential… I've heard many iPhone users complain that upgrading may bugger iTunes and other apps… I'd say that's just too bad… tough love… Upgrades keep devices healthy.
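To show how the six steps translate into something an MDM compliance report could actually check, here is an added example (mine, not code from the post or from any MDM product). It evaluates a constructed device inventory against the policy above; the field names, OS version floors, home continent and the sample devices are my assumptions, while the Java ban and the "alert only on another continent" rule come from the post.

```python
from dataclasses import dataclass

# Assumed policy values (not from the post, except the Java ban and the
# continent-change rule): OS version floors, banned apps, home continent.
MIN_OS_VERSION = {"ios": (4, 0), "windows_phone": (8, 0), "android": (4, 1)}
BANNED_APPS = {"java"}
HOME_CONTINENT = "Europe"

@dataclass
class Device:
    name: str
    os: str
    os_version: tuple        # e.g. (8, 1)
    encrypted: bool
    pin_lock: bool
    jailbroken: bool
    apps: frozenset
    last_seen_continent: str

def evaluate(dev: Device) -> list:
    """Apply the six-step policy to one device; an empty list means compliant."""
    findings = []
    if dev.jailbroken:                               # Steps 2 and 3
        findings.append("jailbroken/rooted")
    if not dev.encrypted:                            # Step 4
        findings.append("storage not encrypted")
    if dev.last_seen_continent != HOME_CONTINENT:    # Step 4: alert only on a continent change
        findings.append(f"seen on another continent: {dev.last_seen_continent}")
    if not dev.pin_lock:                             # Step 5
        findings.append("no PIN lock")
    banned = sorted(a for a in dev.apps if a.lower() in BANNED_APPS)
    if banned:                                       # Step 5 ban list
        findings.append("banned apps: " + ", ".join(banned))
    floor = MIN_OS_VERSION.get(dev.os)
    if floor is None:                                # Step 1: not on the approved list
        findings.append(f"unsupported platform: {dev.os}")
    elif dev.os_version < floor:                     # Step 6
        findings.append(f"OS {dev.os_version} below required {floor}")
    return findings

def noncompliant(devices):
    """Map device name -> findings for every device that fails a check."""
    return {d.name: f for d in devices if (f := evaluate(d))}

# Constructed sample fleet, not real devices.
FLEET = [
    Device("alice-iphone", "ios", (9, 3), True, True, False, frozenset({"mail"}), "Europe"),
    Device("bob-galaxy", "android", (4, 4), True, False, False, frozenset({"Java", "maps"}), "Asia"),
    Device("carol-wp", "windows_phone", (7, 8), False, True, False, frozenset(), "Europe"),
]
```

Calling `noncompliant(FLEET)` returns only the two devices that fail a check, each with the list of steps it violates, which is the shape of report a help desk would act on.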


That's it. 6 simple steps, right?

One last recommendation I'd make is to consider having a dedicated solution for doing administrative tasks and managing systems that hold data classified as High. There are several technologies and mechanisms to consider for administrative tasks. I'll look at what it takes to enable a Secure Administrative Workstation (SAW) in a future blog.


In my next recommendation I'll address Software Defined Perimeter (SDP) and deperimeterizing your network.
