My company had excellent news last week, announcing stellar earnings. It was especially welcome after a difficult year of budget cuts, layoffs and a general decline in morale. To address that last issue, the company decided to give every employee a gift, and I'm not talking about a $25 Starbucks gift card. No, the plan was to hand out brand-new iPads to everybody. What could be cooler, right?
At issue: Every employee is getting a free iPad, and IT wants them to be able to connect to the corporate network.
Action plan: It's time to restate the policy on personal devices and find a way to allow more leeway while keeping things secure.
I was pretty excited, until this beneficent iPad giveaway ran up against one of my most important policies.
The glow faded pretty quickly, because right after the announcement, I passed by the CIO's office and noticed a bunch of people huddling around the conference table. I joined them and found out that they were discussing how to best make it possible for employees to connect their iPads to the corporate network. My jaw dropped.
"You know that we don't allow personally owned devices to connect to the corporate network, right?" I inquired. Debate ensued, with some arguing that the iPad is similar to the iPhone, others saying that an iPad is unlike a laptop because it can't be used to download intellectual property, and one person arguing that you can't access any domain resources from an iPad.
Wrong on all counts. An iPhone can connect only via ActiveSync and is limited to synchronising e-mail data. That's not the case with the iPad, and intellectual property would be at risk. Domain resources can be accessed, even via a device that isn't "on the domain," as long as you know your domain password. Besides, within a few months, I'm sure someone will create an app allowing iPads to join a Windows domain.
We realised that we needed to discuss changing the policy.
Currently, our policy states, "Personally owned or non-company-owned devices are not to be connected to the corporate network." To me, that means no wired Ethernet cables, no use of access points, and no use of the VPN client. Naturally, we make exceptions and turn a blind eye to some violations. For example, we let contractors use non-company-owned devices to connect to a conference-room jack. But as technology and the world change, the number of exceptions rises. Besides the iPad situation, some of the pressure points on our policy are the CIO's "bring your own PC" proposal and the advent of virtual desktops. That blanket policy statement no longer flies, so I had to decide what I really care about, from a security perspective.
The Security Angle
In the end, I have two primary concerns. The first is protecting the network from an untrusted resource. When an unpatched or unprotected resource is attached to our network, bad things can happen, and we've seen plenty of them in the past.
The second concern is that we should have a right to access or confiscate personally owned devices. Currently, for example, if an employee departs the company or is under investigation, we can't force him to let us take an image or remove files from a personally owned device for either security or business-continuity purposes.
The first concern is one I can address with a combination of policy and technical controls. The second requires input from our general counsel, which I promptly sought. He said that as long as we employ banners that employees have to click on in order to access the network, we should be in good shape. We already do this for VPN, domain and wireless access, but not for computers connected via an Ethernet cable. This is where network access control (NAC) comes into play, and it is yet another justification for investing in the technology.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons.