Security Manager's Journal: BYOD planning gets a big boost
A key technology to allow for the secure use of personal devices on the network is virtual desktop infrastructure.
We're making big strides toward our CIO's goal of enabling a "bring your own device" (BYOD) policy. For me, it's none too soon.
That's because employees are increasingly finding ways to connect their own Macs, tablet PCs and other mobile devices to our internal corporate environment, both from within the office and remotely. In the absence of a policy, it's been a case of anything goes as long as you don't get caught. By embracing this trend and setting up guidelines, we stand a chance of controlling what's connected to our network and securing our environment.
One important technology that will make this work is virtual desktop infrastructure, commonly referred to as VDI -- if it's deployed in a secure manner, that is. This week, I met with the VDI project team to make sure that's how it happens.
One of the benefits of allowing only known devices to connect to your network is that you can track a PC to a user and location because you know all the IP addresses, machine names and MAC addresses that are permitted. With VDI, we can expand the pool of devices that can connect to the network because the VDI will identify the user. If, for example, some piece of malware enters the network, we can use our audit and event logs and our security incident and event management tool to track down the source.
We plan to allow VDI access from untrusted environments -- for example, a PC at an Internet kiosk halfway around the world. One of my requirements is that we enable a sandbox mode to ensure that there is no possibility of direct interaction between the untrusted PC and the VDI environment. This way, malware can't be uploaded to the trusted VDI environment, and intellectual property can't be downloaded to the PC. (Some of these restrictions can be waived if the VDI determines that the remote PC is, in fact, a company asset.) I also want aggressive settings for session timeout and screen lock, to mitigate the problems that arise when forgetful workers walk away from a kiosk without logging out of the VDI.
VDI could also be helpful in managing the access of our contingent workforce. This includes vendors, partners, suppliers, distributors, contractors and consultants. Some of these people need access to our infrastructure and applications, but providing them with a VPN client can be a logistical nightmare, since varying levels of access are needed for each engagement. VDI will allow us to set up a "rule of least privilege" (one of my primary security philosophies) for all of our contingent workers. Once again, this will help protect our infrastructure and limit the compromise of our intellectual property.
Security Ground Rules
I also told the project team that we need a login banner notifying users that they have no expectation of privacy. Our legal department has demanded that we force users to click a box indicating that they accept the possibility that the company might monitor their activity.
Another of my requirements is that there be no residual data pertaining to VDI activity on the host PC after a user has logged out. This will be especially important when the PC is untrusted (like one used in an Internet cafe, for example). In addition, the VDI environment must be integrated into Active Directory, so we can easily make the VDI unavailable to former employees and current employees who no longer need access.
Finally, as with all remote connections, any access to the VDI environment must be encrypted and require two-factor authentication.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
More by Mathias Thurman
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
- Security Manager's Journal: When data classifications meet the real world
- Security Manager's Journal: Learning to let go and offshore
Read more about Bring Your Own Device (BYOD) in Computerworld's Bring Your Own Device (BYOD) Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
MDM and beyond: Rethinking mobile security in a BYOD world
Regardless of who purchased the mobile device, if it's being used for
business purposes, it needs to fall under IT's umbrella of protection.
Delivering Enterprise Information Securely on tablets & smartphones
A technical how-to guide-updated for Android 4.2,iOS 6.1, and Windows
Phone and Surface 8
- Best Practices for Making BYOD Simple and Secure BYOD goes mainstream: Formalizing consumerization-and getting it under control
- The value of smarter oil and gas fields With global energy requirements continuing to rise, the exploration, development and production of new oil and gas resources are shifting to increasingly challenging...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the... All Bring Your Own Device (BYOD) White Papers | Webcasts