Here's a new security consideration: choice computing.
As we prepare to renegotiate our contract for PCs, our new CIO sees a chance to cut costs. He called me in to ask my opinion of "bring your own PC," or choice computing. We spend a lot of money buying new computers for our users every few years, and yet most of them would probably like to use the PCs they chose for themselves. Why not let them bring their own computers to the office? he wondered. We would save hundreds of dollars per month per employee in support costs, he figured, and employees would be more productive using PCs and operating systems they like.
Did I have any thoughts from a security perspective? he wanted to know. Oh, yes, just a few dozen.
I began to explain the complexities beyond security, including support, privacy and legal issues.
First, it was mind-boggling to ponder the sheer variety of computers that would live on our network -- potentially everything from netbooks to quad-processor, dual power supply, liquid-cooled tower PCs. We are primarily a Windows XP environment, but with BYOPC, our network could end up hosting machines running Windows 7, several versions of Mac OS and all the various flavors of Linux and Unix.
And could we really not support those machines? If we did, our support costs would likely go up, not down. Our help desk staffers would have to expand their operating system fluency tremendously, or else we would have to open the doors to an influx of outside service technicians.
Next, I noted that our efforts to protect corporate intellectual property sometimes result in computer forensic investigations. Would we have the right to check an employee's private PC? A similar issue would arise when an employee left the company, taking his PC home with him. Would we be allowed to check that PC to make sure it had no IP on it?
And then there's the job of keeping security patches and antivirus software up to date, which is already difficult in our Windows XP world.
Just in Case
I'm still not sure what will happen with this idea, but I have started putting together my requirements.
First and foremost is the use of a centrally managed virtual desktop. I will not allow any PC to be connected to our network without some control. But even with a virtual desktop, I would have to be sure that the operating system and applications were secure. Patches would need to be current, and antivirus software would need to be installed and maintained. If the IT department were unwilling to take on that task, I would recommend the rollout of preauthorization network access control, which would force devices to pass muster before they could join the network.
For any device that didn't comply with our patching, antivirus and other security polices, we could have a quarantine network, where users' machines would be brought into compliance before being allowed to connect to the corporate network.
We would also have to ask Legal about having all employees sign a document permitting us to investigate and take forensic action on PCs belonging to departing employees and users suspected of engaging in illicit activity, such as IP theft.
And we would want to keep all current monitoring and filtering technologies in place. If employees were using their own PCs, the temptation to conduct personal business while they were at work might be greater than ever, but we would still be liable for any activity that occurred on the corporate network.
I'll be talking more with the CIO and industry colleagues, and I suspect that I will add to my list of considerations. If you have any suggestions, please let me know.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
To take part in the discussions about security, go to computerworld.com/blogs/security.