Patrick Lambert revisits some of the basic precautions that need to be taken to deal with the proliferation of employee-owned devices in the workplace.
If you work in a corporate IT environment, then the terms "consumerization of IT" or "Bring your own device (BYOD)" are phrases you have heard many times. People own more gadgets than ever before, and as a result, bring their own smartphones, tablets, and even laptops into work and don't rely only on equipment issued by the company. This, in turn, can cause a number of issues, some positive and some negative, and pose a challenge to IT administrators. It's not a new phenomenon, but in the past few years it has become very widespread. An European Union agency last week released a report about the potential risks that this brings. Let's see what those risks are, and what you, as an IT administrator, should be doing to deal with them.
Financial, regulatory, data security risksFirst, what are some of the things that can happen when an employee brings a phone, tablet or laptop into work -- something that has a lot of processing power and capabilities? There are financial risks, like the fact that you now have personal property at the workplace, which can be lost or stolen. The wider diversity of devices may require the company to hire more IT technicians to support them or at least contain any security issue. However, some of these financial items can be beneficial as well. If your company used to provide phones to workers, but some of them prefer using their own iOS or Android devices, then you may not have to provide them with any. Another type of risk is legal or regulatory issues. Several industries have strict governmental compliance rules that they must adhere to, including rules related to data security, and bringing in unknown devices can compromise those regulatory requirements. The lack of a clear distinction between corporate and personal devices can also hurt any discovery process should a lawsuit erupt. Finally, there are risks related to data security, like the fact that confidential data may be copied into an unsecured device.
Those risks aren't surprising or groundbreaking, they are common sense items that any IT pro can realize about BYOD. One solution to those risks is obviously to simply ban all personal devices in the workplace, and that has been done in highly confidential areas like government buildings, but it is increasingly difficult. People like to have their devices with them, and preventing them may lead to employees smuggling them in instead, which could end up being worse. Also, you would lose the potential benefits of having employees bring their own devices, like cost savings or a higher workforce morale. So instead of seeing how consumer devices can be outright banned, let's see what can be done to make sure they are safe. Like anything else in IT security, no one method should be used. Instead, you should take a number of steps to ensure that these devices don't pose a risk, from having good policies, to using NAP, network level safeguards, and finally, good monitoring.
Policy firstThe first step in controlling these devices is to have a comprehensive policy. Every business should have a policy in place that describes what users can and cannot do. Never wait for employees to start bringing their devices to work before trying to impose restrictions. Be proactive and bring those rules to everyone's attention. Items that should be part of your policy include which devices are allowed, like phones or tablets.
You may not realize how crafty some of your employees are, but it's not rare to see someone bring an actual home router into work, plug it into an Ethernet plug, and then broadcast free wireless signals to everyone nearby just so they can use their tablet and browse the web. So you should make clear in that policy this type of act is not allowed, and instead set up a wireless signal that employees are expected to use for their own devices. Finally, make sure the policy clearly states which corporate data can't be transferred to those devices, and state that employees are responsible for their own things in cases of theft or lost items. Having a lawyer help you out with making a policy comprehensive is usually a good idea.
Lock down corporate servers
Having good policies is crucial, but you also need to make sure the devices are safe from the corporate servers. If you use Windows servers, then you should be using Network Access Protection (NAP), which is the most popular way to control these types of devices in the workplace. NAP is built around the Network Policy Server, which is a RADIUS system that can be run on any Windows server, and control who can connect to the network, and what they will have access to. Coupled with DHCP and DNS, NAP can ensure that any new device is seen, scanned for potential issues, and then allowed to connect to the corporate resources. NAP can also force a Windows laptop to get the latest updates, or to have an anti-virus software installed, before it will be allowed in. No personal device should ever be allowed to touch corporate resources without first being checked and authenticated.
Finally, there a things you can do at the network level as well. For example, the corporate wireless signals should only allow corporate devices, and a separate one should be created for consumer devices, in order to separate them. The same can be done for physical network ports as well. You can easily configure your routers and switches to check the MAC addresses of devices attempting to connect, and if they are not in the whitelist, then they should be denied access. Any unused port should be physically disabled so no one can connect something into them. Finally, VLANs should be used in order to create more isolation. As always, multiple solutions should be used, so that if one protection fails, another can help mitigate any issue. For example, while MAC filtering is very useful to restrict devices, should an infected laptop be connected to the network, an attacker may use it to bypass this protection by spoofing the MAC address.
In the end, the main problem with consumerization of IT is that suddenly the bad guys aren't just outside your network trying to get in -- they may now already be inside. You may have disgruntled employees trying to break into your corporate resources, or simply someone not tech savvy bringing in an infected laptop which opens a back door right into your network. So firewalls and IDS systems at the edge of your business aren't enough anymore.
Security must be extended throughout your building, and monitoring, including reviewing access logs, having internal intrusion detection systems, and even going around the office intermittently with a Wi-Fi device scanning for rogue access points, are actions you may end up having to take in order to stay secure. BYOD is a popular phenomenon, and is unlikely to go away, but you must make sure it doesn't compromise your network.