Beyond the Hype of Consumerization of IT, Part II: The Device and Its Role

Security | 3 minutes read | Oct 5th, 2011

Now that you’ve looked at the IT architecture, you need to examine which devices should be enabled to get the data, and how you’re going to deal with them.  There are several approaches to achieve great success in device management at a relatively low cost to the enterprise.

Where to Begin on Devices? Don’t boil the ocean.

I’ve seen a growing number of organizations purchase a technology to manage the end point device and deploy it to the entire population at a huge cost.  Buy it, deploy it and claim victory. Not so fast.  Think of all those companies that put their security into the hands of just one vendor, only to find out that the vendor was compromised and that, in turn, they could be too.

First, Tackle the Everyday Employees’ Access to Simple Email, Calendar and Contacts

Preferable to the single-vendor approach is the implementation of multiple technologies with role-based access determination.  Most of your employees will likely just want to use their personal device to access simple email, calendar and contacts, and perhaps to book some travel and complete their timesheets.  You could achieve success by ensuring that

  1. the device authenticates to the enterprise,
  2. the individual authenticates to the enterprise and
  3. access is restricted based on the trust in the device.

In this instance you can use Public Key Infrastructure (PKI) certificates along with strong multi-factor authentication.

Give Access to Sensitive Data without Data Ever Leaving the Data Center or Cloud

So what do you do with the employee who really needs or wants access to highly sensitive corporate data?  Consider the virtual desktop as one solution, coupled with a good thin client application.  That way they can work on the device of choice, but the data never leaves the data center or cloud.

There are drawbacks to this approach, depending on what the employee needs to do with this data.  Although the off-line capability is getting better, ensure you have a well-thought-out plan for who is using this capability and who should still have a corporate-issued device with all the security bells and whistles.
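The three checks for everyday access and the virtual-desktop rule for sensitive data can be expressed as one fail-closed access decision. This is an added example, not code from the original article; the resource names, the "sensitive-data" role, the `Device`/`User` fields and the rule that a corporate-issued device may hold sensitive data natively are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

# Assumed resource tier: the everyday services the article lists.
BASIC = frozenset({"email", "calendar", "contacts", "travel", "timesheets"})

class Decision(Enum):
    DENY = "deny"
    NATIVE = "native access on the device"
    VIRTUAL_DESKTOP = "virtual desktop only; data stays in the data center"

@dataclass(frozen=True)
class Device:
    cert_chain_ok: bool        # device certificate verified against the enterprise CA
    cert_not_after: datetime   # certificate expiry (UTC)
    corporate_issued: bool     # False for a personal device

@dataclass(frozen=True)
class User:
    mfa_passed: bool
    roles: frozenset           # hypothetical role names

def decide(device, user, resource, now=None):
    """Return the access Decision for one request; every failed check denies."""
    now = now or datetime.now(timezone.utc)
    # 1. The device authenticates: valid chain and unexpired certificate.
    if not device.cert_chain_ok or now >= device.cert_not_after:
        return Decision.DENY
    # 2. The individual authenticates with multi-factor authentication.
    if not user.mfa_passed:
        return Decision.DENY
    # 3. Access is restricted by role and by trust in the device.
    if resource in BASIC:
        return Decision.NATIVE
    if "sensitive-data" not in user.roles:   # anything not BASIC is treated as sensitive
        return Decision.DENY
    return Decision.NATIVE if device.corporate_issued else Decision.VIRTUAL_DESKTOP

# Constructed sample requests.
NOW = datetime(2011, 10, 5, tzinfo=timezone.utc)
byod = Device(True, datetime(2012, 10, 5, tzinfo=timezone.utc), corporate_issued=False)
expired = Device(True, datetime(2011, 1, 1, tzinfo=timezone.utc), corporate_issued=True)
analyst = User(mfa_passed=True, roles=frozenset({"sensitive-data"}))
if __name__ == "__main__":
    for dev, res in [(byod, "email"), (byod, "finance-db"), (expired, "email")]:
        print(res, "->", decide(dev, analyst, res, NOW).value)
```

Checking the device before the user means an expired or unverifiable certificate denies the request even when the person's credentials and role are in order.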

Clear and Concise Policy Document

Now that you are embracing the personal device to access organization data, begin reviewing policies and acceptable use agreements.  I’m not talking about the “disclosing sensitive data” form but a clear, concise document that lays out the agreement between your company and the employee.

Keep in mind the possible confiscation of the personal device if there is a ‘legal hold’ or investigation, and clearly spell out the reimbursement plan.  Don’t forget that if the employee chooses this route, you need to be able to account for what happens if the device stops working and the employee is not able to work.  Think about the service desk changes, and educate your employees about whom to call if the device is lost or stolen.

Stay tuned for Beyond the Hype of Consumerization of IT, Part III: Cowabunga – we’re ready to deploy.
