Am I finally ready for BYOD?

Eric Herbert on Apr 23, 2020 • 2 answers
I feel like I can finally support folks working on a laptop of their choosing and still protect data / resources. We've moved enough of our core apps to cloud and we've made a significant investment in Citrix/NetScaler.

Early guidelines in draft:

* This is voluntary - I'm not trying to PUSH people to adopt, but I'd love to quit buying laptops.
* Monthly stipend in your paycheck. You get ~$50/month; you are responsible to provide laptop & maintenance.
* We enforce MFA.
* Target pop is mostly knowledge workers / leadership as they are the least dependent on operational applications.

Challenges:

1) Calculating backend costs to create a solid CBA.
2) Drawing lines for support.
3) Ensuring all apps are available for pilot.

Has anyone gone before me? Regardless: what questions should I anticipate?


Eric - at my old job, we were almost always on company provided gear. If & when we allowed for BYOD, we made it clear to users what we could support and what we would not support. For example - if the user had issues with a company required application that we support and it was probably caused by something on their laptop - we would support the effort to resolve that. If it was support for a non-work application, we made it clear that they were on their own.
We did offer support to certain C-suite users for all IT issues, but the rest of the work force had to fend for themselves.

One key thing to keep in mind - if you use a VPN appliance or a hosted VPN service, confirm that you can turn on "posture assessment" or whatever it may be called. Cisco AnyConnect called it Posture Assessment. When a remote user attempted to connect to VPN, it automatically checked the anti-virus status of the endpoint. If the user had no AV protection, or they had AV but it was out of date, or the AV tool was not one that we supported - we denied the connection to the VPN and we responded with a clear message. The user had to obtain one of several AV protection tools and install it, and keep it patched.

Also, for all VPN users, and if not all, at least the privileged accounts (C-Level, department heads, IT administrators) - select and implement 2FA (two-factor authentication) to use with the VPN.

If they are using BYOD for smartphones & tablets - enforce the use of pass codes or PINs to open them up, and set up remote wipe capabilities. However, before you execute a remote wipe, the user needs to consent as it is their device.

MICHAEL GAUTHIER on Apr 23, 2020
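The posture-assessment rule described in the answer above (no AV, stale AV, or unsupported AV means the VPN connection is refused with a clear message), as an added example that is not code from the post or from any VPN vendor. The product names, the seven-day definitions window and the report format are constructed assumptions; a real posture module would feed its own report into the same kind of policy check.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Hypothetical policy values: the post names no specific AV products or freshness window.
SUPPORTED_AV = {"ExampleAV Endpoint", "OtherVendor Antivirus"}
MAX_DEFINITION_AGE = timedelta(days=7)


@dataclass
class EndpointPosture:
    """What the VPN client's posture module reports before the tunnel is allowed."""
    av_product: Optional[str]           # None means no anti-virus detected at all
    av_definitions_date: Optional[date]  # None means the product reported no signature date


def evaluate_posture(p: EndpointPosture, today: date) -> Tuple[bool, str]:
    """Return (allowed, message). The message is shown to a denied user so they know what to fix."""
    if p.av_product is None:
        return False, "Denied: no anti-virus detected. Install a supported AV product and reconnect."
    if p.av_product not in SUPPORTED_AV:
        supported = ", ".join(sorted(SUPPORTED_AV))
        return False, f"Denied: '{p.av_product}' is not a supported AV product. Supported: {supported}."
    if p.av_definitions_date is None or today - p.av_definitions_date > MAX_DEFINITION_AGE:
        return False, "Denied: anti-virus definitions are out of date. Update the product and reconnect."
    return True, "Posture check passed."


def audit_line(user: str, p: EndpointPosture, today: date) -> str:
    """One log line per decision, so denials can be reviewed and support can see why a user was refused."""
    allowed, msg = evaluate_posture(p, today)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{today.isoformat()} vpn-posture user={user} verdict={verdict} reason=\"{msg}\""


if __name__ == "__main__":
    today = date(2020, 4, 23)
    fresh = EndpointPosture("ExampleAV Endpoint", date(2020, 4, 21))
    print(audit_line("alice", fresh, today))
    print(audit_line("bob", EndpointPosture(None, None), today))
```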
Thanks Michael. These folks will not be allowed to VPN - they can only come through NetScaler. Although using VPN and "posture check" is an intriguing idea for our business areas not subject to NIST security controls. It feels "uncomfortable", but if we limit machine privilege and user privilege correctly, perhaps it's not as bad as I think.

And yes - we already do BYOD on cells/tablets and have remote wipe enforced.

Eric Herbert on Apr 23, 2020
