Security Manager's Journal: BYOD planning gets a big boost
A key technology to allow for the secure use of personal devices on the network is virtual desktop infrastructure.
We're making big strides toward our CIO's goal of enabling a "bring your own device" (BYOD) policy. For me, it's none too soon.
That's because employees are increasingly finding ways to connect their own Macs, tablet PCs and other mobile devices to our internal corporate environment, both from within the office and remotely. In the absence of a policy, it's been a case of anything goes as long as you don't get caught. By embracing this trend and setting up guidelines, we stand a chance of controlling what's connected to our network and securing our environment.
One important technology that will make this work is virtual desktop infrastructure, commonly referred to as VDI -- if it's deployed in a secure manner, that is. This week, I met with the VDI project team to make sure that's how it happens.
One of the benefits of allowing only known devices to connect to your network is that you can track a PC to a user and location because you know all the IP addresses, machine names and MAC addresses that are permitted. With VDI, we can expand the pool of devices that can connect to the network because the VDI will identify the user. If, for example, some piece of malware enters the network, we can use our audit and event logs and our security incident and event management tool to track down the source.
We plan to allow VDI access from untrusted environments -- for example, a PC at an Internet kiosk halfway around the world. One of my requirements is that we enable a sandbox mode to ensure that there is no possibility of direct interaction between the untrusted PC and the VDI environment. This way, malware can't be uploaded to the trusted VDI environment, and intellectual property can't be downloaded to the PC. (Some of these restrictions can be waived if the VDI determines that the remote PC is, in fact, a company asset.) I also want aggressive settings for session timeout and screen lock, to mitigate the problems that arise when forgetful workers walk away from a kiosk without logging out of the VDI.
VDI could also be helpful in managing the access of our contingent workforce. This includes vendors, partners, suppliers, distributors, contractors and consultants. Some of these people need access to our infrastructure and applications, but providing them with a VPN client can be a logistical nightmare, since varying levels of access are needed for each engagement. VDI will allow us to set up a "rule of least privilege" (one of my primary security philosophies) for all of our contingent workers. Once again, this will help protect our infrastructure and limit the compromise of our intellectual property.
Security Ground Rules
I also told the project team that we need a login banner notifying users that they have no expectation of privacy. Our legal department has demanded that we force users to click a box indicating that they accept the possibility that the company might monitor their activity.
Another of my requirements is that there be no residual data pertaining to VDI activity on the host PC after a user has logged out. This will be especially important when the PC is untrusted (like one used in an Internet cafe, for example). In addition, the VDI environment must be integrated into Active Directory, so we can easily make the VDI unavailable to former employees and current employees who no longer need access.
Finally, as with all remote connections, any access to the VDI environment must be encrypted and require two-factor authentication.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
More by Mathias Thurman
- Security Manager's Journal: A ransomware flop, thanks to security awareness
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
Read more about Bring Your Own Device (BYOD) in Computerworld's Bring Your Own Device (BYOD) Topic Center.
- Confront consumerization with convergence Virtualization expert Elias Khnaser spotlights the security, compliance, and governance issues that arise when enterprise users "consumerize" with shadow IT and public cloud...
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Securing the enterprise workspace: protect your organization while supporting mobility and BYOD This white paper explains how Dell Mobility Solutions for security can help protect your organization's data, simplify administration and support forward-thinking mobility initiatives.
- Enabling devices and device management for your mobility/BYOD program In this white paper, learn how to select the right mobile devices for your organization and manage them with efficiency, flexibility and security...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Bring Your Own Device (BYOD) White Papers | Webcasts