The Technocracy Is Over: Information Security in the Age of BYOD

By Brian Contos, CISSP, Customer Security Strategist and Senior Director, Vertical & Emerging Market Solutions, McAfee

Bring your own device, or BYOD, is becoming the global norm. Prices for consumer electronics decrease while capabilities increase. People are discovering that devices purchased for personal use outperform those provided by IT. The pervasiveness of these devices is allowing employees to stay more connected, work with greater agility, and be more effective.

There is an expectation that a user should be able to have the same tools and capabilities between work and home. The upcoming generation already views traditional websites like cave paintings, email like hand-written letters sealed with wax, and any communication over 140 characters as self-indulgent. This transformation has also introduced risk.

The two fundamental areas of concern are controlling access and protecting data on these application-ready devices, which are integrated with cloud services and social media. On average, users have four devices they use interchangeably between their personal and professional lives. An IT department that, for example, was concerned with protecting 10,000 user devices, such as an IT-issued laptop, now worries about 40,000 devices – most of which aren’t managed by IT.

The IT technocracy once dictated which devices would be allowed and the standards for their use; this has given way to a dynamic environment. Just like other disruptive trends – landline telephones, personal computers and the Internet – BYOD can open up avenues for abuse if security is absent.

To mitigate data loss and control access, IT can take steps across three areas, allowing it to say “yes” to BYOD without increasing risk:

  1. Smartphones
  2. Tablets, laptops and desktops
  3. Virtual desktops

Smartphone security shouldn’t entail managing users in different directories for laptops, tablets, and smartphone brand x. This introduces too much complexity and overhead. The focus should be on centralizing user privileges, associating each user with a device, and managing configurations for VPN, wireless, mail services, etc. Other necessary capabilities are policy enforcement, such as which versions of smartphone are allowed, backups, tracking, full data wipes if a phone is lost, and partial data wipes when an employee leaves an organization and corporate data has to be removed without deleting personal data.

BYOD for tablets, laptops, and desktops can make use of network access control, or NAC. NAC offers control over assets entering the corporate network and interacting with business assets. User privileges are associated with devices, and controls around OS, patch level, anti-malware, etc. can be used to determine access.
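The NAC admission decision described above, as an added example that is not from the original post or any vendor product: the device is first matched to its registered user, then OS, patch level and anti-malware state decide between full access, a remediation network, or denial. The thresholds, the user-to-device registry and all field names are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy values and registrations, constructed for this example.
MIN_OS = {"windows": (10, 0), "macos": (13, 0), "android": (13, 0)}
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7
REGISTERED = {"alice": {"LT-0001", "TB-0002"}, "bob": {"TB-0003"}}

@dataclass
class Posture:
    user: str
    device_id: str
    os_name: str
    os_version: tuple
    last_patched: date
    av_running: bool
    av_signatures: Optional[date]

def evaluate(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'quarantine' or 'deny'."""
    # Identity binding comes first: an unknown user/device pair is denied
    # before any posture attribute is considered.
    if p.device_id not in REGISTERED.get(p.user, set()):
        return "deny", ["device not registered to user"]
    minimum = MIN_OS.get(p.os_name)
    if minimum is None:
        return "deny", ["unsupported operating system"]
    reasons = []
    if p.os_version < minimum:
        reasons.append("OS below minimum version")
    if (today - p.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches out of date")
    if not p.av_running:
        reasons.append("anti-malware not running")
    elif p.av_signatures is None or \
            (today - p.av_signatures).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("anti-malware signatures stale")
    # Fixable posture failures go to a remediation network, not a hard deny.
    return ("quarantine", reasons) if reasons else ("allow", [])

if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed sample data
    laptop = Posture("alice", "LT-0001", "windows", (10, 0),
                     date(2024, 5, 20), True, date(2024, 5, 30))
    print(evaluate(laptop, today))
```

The posture values here are whatever the endpoint reports, so the decision is only as trustworthy as the agent or scan that collects them.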

Virtual desktop infrastructure, or VDI, allows users of BYOD assets to run a virtual desktop within their device. The virtual image is stored within the datacenter for centralized configuration. A device can only access the IT environment through the VDI client, which can be configured so that data doesn’t persist and copy and paste, screenshots, etc. are disabled, creating a clean bifurcation between data in the datacenter and what’s on the user’s device.

By applying security controls across these areas, the value of BYOD can be embraced while mitigating many of its inherent risks.

———–

The content shared in this blog post is the author’s opinion and does not necessarily reflect the views of Xerox. Brian Contos is the customer security strategist and senior director of Vertical & Emerging Market Solutions at McAfee. To read more blogs by Brian Contos, please visit: http://mcaf.ee/had81.
