According to IDC, 25% of employees at businesses with 10 or more workers purchased the primary PC they use for work. My organization already has a bring-your-own-device (BYOD) policy in place and is now considering a BYOPC policy that will allow users to buy their own PCs for work. What considerations should we make for allowing user-purchased PCs on the corporate network, specifically to make sure they function as hardened endpoints?
Ask the Expert
Have a question about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)
Unfortunately for many security admins, the bring your own (BYO) trend is nearly impossible to ignore. While I'm not a fan of the BYO craze (call me a control freak, but I think there's definitely something to be said for network infrastructures that are totally owned and controlled by the organization), there are several suggestions I have to offer to help ensure that BYO devices (and BYOPC devices in particular) are securely accessing corporate networks and assets.
First, be sure to segment your network in such a way that all personally owned devices are on their own portion of the network. This can be performed at the firewall or done via a virtual local area network, or VLAN, or physical segmentation, with the decision dictated by policy and risk tolerance. If employees only need to connect to the Internet, this should be sufficient.
A few well-configured firewall rules would also be helpful. For example, you may consider disallowing executables from moving from the BYOD segment to the operational portion of the network. Furthermore, if end users simply must access corporate resources from their personally owned device, require them to do so via a VPN. This should be a simple network configuration; and, if your company is like most, an existing VPN infrastructure is probably in place already.
Next, many BYOD policies require that personally owned devices maintain some sort of antimalware functionality. This is fine for laptops operating within a Windows environment, but it's definitely not a cure-all. It is vital to ensure that all BYOPCs are scanned and inspected periodically by the IT department, and you may also consider utilizing that time to ensure the computer's operating system is up to date.
Lastly, and perhaps most importantly, create some sort of baseline with regard to what software is and is not allowed to operate within the network. This can be verified during the above-mentioned IT department scan, and it should be predetermined as whether a blacklisting or whitelisting approach will be used. Which method your organization chooses depends on your company's needs and the accompanying realities it faces.
This was first published in December 2013