According to IDC, 25% of employees at businesses with 10 or more workers purchased the primary PC they use for work. My organization already has a bring-your-own-device (BYOD) policy in place and is now considering a BYOPC policy that will allow users to buy their own PCs for work. What considerations should we make for allowing user-purchased PCs on the corporate network, specifically to make sure they function as hardened endpoints?
Ask the Expert
Answered by network security expert Brad Casey.
Unfortunately for many security admins, the bring your own (BYO) trend is nearly impossible to ignore. While I'm not a fan of the BYO craze (call me a control freak, but I think there's definitely something to be said for network infrastructures that are totally owned and controlled by the organization), there are several suggestions I have to offer to help ensure that BYO devices (and BYOPC devices in particular) are securely accessing corporate networks and assets.
First, be sure to segment your network in such a way that all personally owned devices are on their own portion of the network. This can be done at the firewall, via a virtual local area network (VLAN), or through physical segmentation, with the choice dictated by policy and risk tolerance. If employees only need to connect to the Internet, this should be sufficient.
A few well-configured firewall rules would also be helpful. For example, you may consider disallowing executables from moving from the BYOD segment to the operational portion of the network. Furthermore, if end users simply must access corporate resources from their personally owned device, require them to do so via a VPN. This should be a simple network configuration, and if your company is like most, a VPN infrastructure is probably already in place.
Next, many BYOD policies require that personally owned devices maintain some sort of antimalware functionality. This is fine for laptops operating within a Windows environment, but it's definitely not a cure-all. It is vital to ensure that all BYOPCs are scanned and inspected periodically by the IT department, and you may also consider utilizing that time to ensure the computer's operating system is up to date.
Lastly, and perhaps most importantly, create some sort of baseline with regard to what software is and is not allowed to operate within the network. This can be verified during the above-mentioned IT department scan, and it should be determined in advance whether a blacklisting or whitelisting approach will be used. Which method your organization chooses depends on your company's needs and the accompanying realities it faces.
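The segmentation and firewall advice in the answer above (a BYOD segment that can reach only the Internet and the corporate VPN gateway, with no direct path into the operational network) can be written down as an ordered, first-match policy and checked against sample flows before it is pushed to a real firewall. The following is an added example, not part of Brad Casey's answer; the address plan (10.50.0.0/16 for BYOD, 10.10.0.0/16 for the operational network, a VPN concentrator at 203.0.113.10 listening on UDP 1194) and the flows are all constructed for illustration.

```python
"""Toy first-match policy for a BYOD segment, with an nftables rendering.

Added example. The networks, the VPN gateway address/port and the sample
flows below are constructed assumptions, not values from the article.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (assumption).
BYOD_NET = ipaddress.ip_network("10.50.0.0/16")     # personally owned devices
CORP_NET = ipaddress.ip_network("10.10.0.0/16")     # operational network
VPN_GW = ipaddress.ip_network("203.0.113.10/32")    # corporate VPN concentrator
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None means any destination port
    action: str              # "accept" or "drop"
    comment: str


# Ordered; the first matching rule wins. The BYOD segment gets exactly two
# things: the VPN concentrator, and plain Internet. Everything internal is
# dropped, so corporate resources are reachable only through the VPN.
BYOD_POLICY: List[Rule] = [
    Rule(BYOD_NET, VPN_GW, "udp", 1194, "accept", "corporate access only via VPN"),
    Rule(BYOD_NET, CORP_NET, "any", None, "drop", "no direct path to operational network"),
    *[Rule(BYOD_NET, n, "any", None, "drop", "no other private ranges either") for n in RFC1918],
    Rule(BYOD_NET, ANY, "udp", 53, "accept", "DNS"),
    Rule(BYOD_NET, ANY, "tcp", 80, "accept", "HTTP"),
    Rule(BYOD_NET, ANY, "tcp", 443, "accept", "HTTPS"),
    Rule(ANY, BYOD_NET, "any", None, "drop", "nothing initiates into the BYOD segment"),
]
DEFAULT_ACTION = "drop"


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a new flow under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (s in rule.src and d in rule.dst
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "default deny"


def to_nft(policy: List[Rule], chain: str = "byod_forward") -> str:
    """Render the policy as an nftables forward chain with a drop default."""
    lines = [
        "table inet filter {",
        f"  chain {chain} {{",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        parts = []
        if r.src != ANY:
            parts.append(f"ip saddr {r.src}")
        if r.dst != ANY:
            parts.append(f"ip daddr {r.dst}")
        if r.proto != "any":
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append(f'{r.action} comment "{r.comment}"')
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed flows: a BYOPC trying SMB and HTTPS into the corporate
    # network, the same PC browsing the Internet, and connecting to the VPN.
    for flow in [("10.50.3.7", "10.10.20.5", "tcp", 445),
                 ("10.50.3.7", "10.10.20.5", "tcp", 443),
                 ("10.50.3.7", "93.184.216.34", "tcp", 443),
                 ("10.50.3.7", "203.0.113.10", "udp", 1194)]:
        print(flow, "->", evaluate(BYOD_POLICY, *flow))
    print(to_nft(BYOD_POLICY))
```

The point of the evaluator is that a direct HTTPS connection from the BYOD segment to a corporate server is dropped even though HTTPS to the Internet is allowed: reaching corporate assets has to go through the VPN concentrator, which is the only internal-facing destination the segment is permitted.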
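The last two points in the answer (periodic IT inspection of each BYOPC, and a predetermined software baseline enforced by either blacklisting or whitelisting) can be turned into a repeatable compliance check. The following is an added example and not Brad Casey's or any vendor's tooling; the policy contents, product names, version numbers and host inventories are constructed for illustration, and the inventory format (a name-to-version mapping collected during the inspection) is an assumption.

```python
"""BYOPC baseline audit: whitelist versus blacklist enforcement.

Added example. Policy entries, product names, versions and the two host
inventories are constructed; nothing here comes from the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Policy:
    mode: str                 # "whitelist": only approved software may be present
                              # "blacklist": anything not forbidden may be present
    approved: Dict[str, str]  # name -> minimum approved version (whitelist mode)
    forbidden: Set[str]       # names never allowed (checked in both modes)
    min_os_version: str       # oldest OS release the inspection will accept
    antimalware: Set[str]     # at least one of these products must be installed


def version_tuple(v: str) -> Tuple[int, ...]:
    """'6.3' -> (6, 3) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(host: Dict, policy: Policy) -> List[str]:
    """Return a list of findings for one inspected host; empty means compliant."""
    findings: List[str] = []
    installed: Dict[str, str] = host["software"]   # name -> version, as inventoried

    # The inspection is also the moment to confirm the OS is current.
    if version_tuple(host["os_version"]) < version_tuple(policy.min_os_version):
        findings.append(f"os out of date: {host['os_version']} < {policy.min_os_version}")

    # Antimalware is required but, as the answer notes, not a cure-all.
    if not policy.antimalware & set(installed):
        findings.append("no approved antimalware product installed")

    for name, version in sorted(installed.items()):
        if name in policy.forbidden:
            findings.append(f"forbidden software present: {name}")
        elif policy.mode == "whitelist":
            if name not in policy.approved:
                findings.append(f"unapproved software present: {name}")
            elif version_tuple(version) < version_tuple(policy.approved[name]):
                findings.append(f"approved software below minimum version: "
                                f"{name} {version} < {policy.approved[name]}")
    return findings


# Constructed policies: the same forbidden list, but one also pins an approved set.
POLICY_WHITELIST = Policy(
    mode="whitelist",
    approved={"OfficeSuite": "2013.1", "CorpVPNClient": "4.2",
              "EndpointAV": "9.0", "WebBrowser": "30.0"},
    forbidden={"TorrentClient"},
    min_os_version="6.3",
    antimalware={"EndpointAV"},
)
POLICY_BLACKLIST = Policy(
    mode="blacklist", approved={}, forbidden={"TorrentClient"},
    min_os_version="6.3", antimalware={"EndpointAV"},
)

# Constructed inventories from two inspected BYOPCs.
HOST_OK = {"hostname": "byopc-01", "os_version": "6.3",
           "software": {"OfficeSuite": "2013.1", "CorpVPNClient": "4.2",
                        "EndpointAV": "9.1", "WebBrowser": "31.0"}}
HOST_BAD = {"hostname": "byopc-02", "os_version": "6.1",
            "software": {"OfficeSuite": "2010.0", "CorpVPNClient": "4.2",
                         "EndpointAV": "9.1", "RemoteAdminTool": "2.0",
                         "TorrentClient": "1.8"}}


if __name__ == "__main__":
    for host in (HOST_OK, HOST_BAD):
        for policy in (POLICY_WHITELIST, POLICY_BLACKLIST):
            print(host["hostname"], policy.mode, audit(host, policy) or "compliant")
```

The second host shows the practical difference between the two approaches: under the blacklist the unrecognised remote administration tool passes silently because nobody put it on the forbidden list, while the whitelist flags it as unapproved. A blacklist is cheaper to maintain; a whitelist is the one that catches software you did not anticipate.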