Last week in a blog titled "BYOD--Bring Your Own Disaster," I urged caution and scope for BYOD projects. This week I'm playing devil's advocate with myself. A conversation with Greg Knieriemen (@knieriemen) got me thinking of the consequences of ignoring BYOD. Let's dive into the risk of burying your head in the sand and ignoring the BYOD push.
To begin, let’s start with a small poll to build an example: By show of hands, how many of you reading this use Dropbox or a similar application for sharing corporate files without IT approval? If you raised your hand in answer to that question, the people around you are probably very curious as to what’s going on. By saying yes, though, you are participating in what is considered to be shadow IT. You are acquiring an IT service that you deem necessary for your job through means other than the IT department.
While on the surface this seems like a minor offense, in reality this is a major problem for IT departments, security teams, chief security officers and risk management professionals. Services that are not under the control and visibility of IT are creating additional risk for data loss, network penetration, and so on. The reason they are being used in the first place is because corporate IT couldn’t/didn’t provide the services fast enough or flat-out refused to provide them at all.
The same principle applies to the concept of employees bringing their own devices--BYOD. If you don’t support a particular device, employees will begin to find ways to self-support it. They will bypass corporate IT and, with that, bypass security, compliance, change management and audit logging. It’s a problem that will continue to get worse, and, as with any problem, an ounce of prevention is worth a pound of cure.
The prevention in this case is assessing BYOD early and putting a policy in place that focuses on security. Rather than avoid BYOD altogether, design a BYOD strategy and rollout. A staged approach works nicely here; there are some easy first steps that can buy you additional time. Things like providing Wi-Fi network access to personal devices can be done quickly and securely. A personal device network can be deployed separately from the corporate WAN, allowing employees to gain Internet access while segmenting personal devices off from the corporate WAN.
The second stage may be using network access controls to authenticate and identify authorized personal devices and allow them to access corporate network resources. With the proper tools in place, activities can still be secured, monitored and logged while allowing device freedom to your employees. These systems can grant resources based on both user credentials and device type, allowing you to decide which devices and OS levels gain which level of access.
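As an added illustration of this second stage (example code, not the author's or any vendor's), here is a small Python model of the NAC decision: user credentials, device registration and OS level together select the network the device lands on. The tier names, group names and minimum OS versions are assumptions.

```python
from dataclasses import dataclass

# Network tiers for the staged rollout described above (hypothetical names).
GUEST_INTERNET = "guest-internet-only"   # stage one: segmented personal-device Wi-Fi
LIMITED = "limited-corporate"            # stage two: e.g. mail and intranet web only
FULL = "full-corporate"                  # stage two: file shares, internal applications

# Hypothetical OS baselines the security team accepts for corporate access.
MIN_OS_VERSION = {"ios": (15, 0), "android": (12,), "windows": (10,)}

@dataclass
class Device:
    os_name: str
    os_version: str    # as reported by the NAC agent or device profiler, e.g. "16.4.1"
    registered: bool   # enrolled with the NAC, not merely seen on the Wi-Fi

def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) if parts else (0,)

def os_meets_baseline(device):
    floor = MIN_OS_VERSION.get(device.os_name.lower())
    if floor is None:
        return False            # unknown platform: never beyond the guest network
    return parse_version(device.os_version) >= floor

def access_tier(user_authenticated, user_groups, device):
    """Return (tier, reason); the reason is what you would write to the NAC audit log."""
    if not user_authenticated:
        return GUEST_INTERNET, "user not authenticated"
    if not device.registered:
        return GUEST_INTERNET, "device not registered with NAC"
    if not os_meets_baseline(device):
        return GUEST_INTERNET, f"{device.os_name} {device.os_version} below baseline"
    if "it-admins" in user_groups:
        return FULL, "admin user on compliant registered device"
    if "staff" in user_groups:
        return LIMITED, "staff user on compliant registered device"
    return GUEST_INTERNET, "no group grants corporate access"
```

Every path that falls short of the baseline lands on the same stage-one guest network, so an unknown or outdated device still gets Internet access without touching corporate resources, and the reason string gives the log entry the audit trail needs.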
As your rollout progresses and employees adopt the model, opportunities will arise to publish corporate resources specifically for chosen platforms. These services can be deployed from behind your firewall on private cloud infrastructures. This will provide your end users (customers) with the applications and services they need natively on their devices. For services provided by public cloud providers, these native applications may already exist.
As stated in the previous post, this doesn’t need to be all or nothing. You have the ability to determine the scope of which devices get what access. You’ll also be able to determine the time frame in which the BYOD policy is adopted. With the "consumerization of IT" occurring at such a rapid pace, ignoring BYOD is just as dangerous as jumping straight in the deep end.
Disclaimer: In my primary role I work with several products and vendors mentioned here. This article is not an endorsement of those products or vendors.