Am I finally ready for BYOD?
Eric - at my old job, we were almost always on company provided gear. If & when we allowed for BYOD, we made it clear to users what we could support and what we would not support. For example - if the user had issues with a company required application that we support and it was probably caused by something on their laptop - we would support the effort to resolve that. If it was support for a non-work application, we made it clear that they were on their own.
We did offer to support to certain C suite users for all IT issues, but the rest of the work force had to fend for themselves.
One key thing to keep in mind - if you use a VPN appliance or a hosted VPN service, confirm that you can turn on "posture assessment" or whatever it may be called. Cisco AnyConnect called it Posture Assessment. When a remote user attempted to connect to VPN, it automatically checked the anti-virus status of the endpoint. If the user had no AV protection, or they had AV but it was out of date, or the AV tool was not one that we supported - we denied the connection to the VPN and we responded with a clear message. The user had to obtain one of several AV protection tools and install it, and keep it patched.
Also, for all VPN users, and if not all - at least the privileged accounts (C-Level, department heads, IT administrators) - select and implement 2FA (two-factor authentication) to use with the VPN.
If they are using BYOD for smartphones & tablets - enforce the use of pass codes or PINs to open them up, and set up remote wipe capabilities. However, before you execute a remote wipe, the user needs to consent as it is their device.
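An added illustration of the admission logic Michael describes (the AV posture check plus the 2FA requirement for privileged accounts), written as a small Python policy evaluator. This is example code, not Cisco AnyConnect's posture module or any vendor's API; the product names, signature-age limit and role names are constructed assumptions, and the endpoint reports are made-up sample input.

```python
"""Added example: VPN admission check combining endpoint posture (AV present,
supported, up to date) with a 2FA requirement for privileged roles.
Illustrative only; not a vendor implementation."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Policy values are assumptions for the example, not a real product list.
SUPPORTED_AV = {"ExampleAV", "OtherAV"}       # hypothetical product names
MAX_SIGNATURE_AGE = timedelta(days=3)         # hypothetical freshness limit
PRIVILEGED_ROLES = {"c-level", "department-head", "it-admin"}
TODAY = date(2024, 1, 12)                     # fixed clock so results are reproducible


@dataclass
class EndpointReport:
    """What the VPN client reports about the connecting device (constructed)."""
    av_product: Optional[str]           # None when no AV is installed
    av_signature_date: Optional[date]   # None when the client cannot tell
    mfa_completed: bool                 # second factor presented at login


@dataclass
class AdmissionResult:
    allowed: bool
    reasons: List[str] = field(default_factory=list)

    def message(self) -> str:
        """The clear, user-facing response the post recommends."""
        if self.allowed:
            return "Connection permitted."
        return "Connection denied: " + "; ".join(self.reasons)


def assess(report: EndpointReport, user_role: str, today: date = TODAY) -> AdmissionResult:
    """Deny on the first AV failure found, then independently enforce 2FA for
    privileged roles, so the user sees every condition they still have to fix."""
    reasons: List[str] = []
    if report.av_product is None:
        reasons.append("no anti-virus protection found; install one of "
                       + ", ".join(sorted(SUPPORTED_AV)))
    elif report.av_product not in SUPPORTED_AV:
        reasons.append(f"anti-virus '{report.av_product}' is not a supported product")
    elif (report.av_signature_date is None
          or today - report.av_signature_date > MAX_SIGNATURE_AGE):
        reasons.append("anti-virus signatures are out of date; update and retry")
    if user_role in PRIVILEGED_ROLES and not report.mfa_completed:
        reasons.append("privileged accounts must complete two-factor authentication")
    return AdmissionResult(allowed=not reasons, reasons=reasons)


def run_demo() -> dict:
    """Evaluate a few constructed endpoints against the policy."""
    samples = {
        "staff_ok": (EndpointReport("ExampleAV", date(2024, 1, 10), False), "staff"),
        "staff_no_av": (EndpointReport(None, None, True), "staff"),
        "staff_unsupported": (EndpointReport("RandomAV", date(2024, 1, 11), True), "staff"),
        "admin_stale_no_mfa": (EndpointReport("ExampleAV", date(2024, 1, 1), False), "it-admin"),
        "admin_ok": (EndpointReport("OtherAV", date(2024, 1, 12), True), "it-admin"),
    }
    return {name: assess(rep, role) for name, (rep, role) in samples.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20} {result.message()}")
```

Running the script prints one line per sample; the "admin_stale_no_mfa" case shows why the checks are evaluated independently: the administrator is told both that signatures are stale and that 2FA is required, rather than discovering the second problem only after fixing the first.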
Thanks Michael. These folks will not be allowed to VPN - they can only come through NetScaler. Although using VPN and "posture check" is an intriguing idea for our business areas not subject to NIST security controls. It feels "uncomfortable," but if we limit machine privilege and user privilege correctly perhaps it's not as bad as I think.
And yes - we already do BYOD on cells/tablets and have remote wipe enforced.