For some time I’ve been trying to work out with colleagues how to articulate what I see as a solid model for dealing with consumerisation of IT in the workplace or even allowing people to bring their own devices. It’s quite tough to find some mental model to help people to understand the kind of approaches that work. I’m looking for a way to help you manage more than the standard IT desktop, to make more sense of productivity at work and with a view of IT security risks.
The key is balancing the approach: do more with less, more permissive access to less secure stuff. Most of an organisations “stuff” tends to require less security than IT think. Be a guide not a gate keeper.
Good, Better, Best, seems to be the most applicable that I’ve found.
GOOD is most open, your users being able to access your network, get IP addresses, get to some apps / services / data. They probably have to keep entering credentials and they may be storing those credentials on their device.
BETTER is having some modicum of remediation over the device – the ability to remote wipe it for example.
BEST is having an authenticated connection with general purpose security (you could say domain joined PC)
N+1 is having the ability to ensure end to end security, encrypted device, encrypted communications, rights managed documents, remote wipe, policy based management, policy based enforcement.
Not all devices will fit into all categories, in-fact probably only Domain joined Windows PCs will be able to enter the N+1 category (that’s because all the things mentioned are built in from the ground up). That said most people probably don’t need everything in the N+1 category. Most organisations will also see their users adding GOOD and BETTER devices to their mobile worker armoury along with a BEST or N+1 devices.
A further note on N+1 is that this is where I see private cloud hosted apps and desktops and there is no reason that a GOOD, BETTER or BEST device can’t be used to access an N+1 hosted app or desktop.
*caveat: this is a simple model, there will be many exceptions, the key is mixture.
A technology that’s been around for quite some time is IPSec, it helps to ensure security of communications between two network devices. With IPSec in place two devices need to establish a peer-to-peer trust before communication can take place, it’s kind of like having a secret handshake.
If your enabling an environment where people will be able to bring their own device you probably have some requirement to prevent them accessing some services, such as the HR system, so that they don’t walk off with the CEOs pay slip. IPSec is perfect in this situation to preform something called Server and Domain Isolation. Essentially this means that only specific devices can access the super-secret servers but every device can have broad network access.
Accesses to services and resources is somewhere that an 80/20 rule applies. Most people need access to most of the network for most of their work, some people will need access to the other 20%. Using SDI and IPSec you can require people to access secure information from devices you consider to be more trustworthy. Perhaps they can’t access the HR System from their Windows Phone but they can from their Windows Laptop, that’s BitLocker encrypted etc.
IPSec is implemented in Server 2008R2 and Windows 7 using Group Policy controls for Windows Firewall with Advanced Security. Essentially you place your super-secure resources into a group or OU that REQUIRES access and place clients that you are happy to have access to those resources into a group or OU that set things up so that clients will reply correctly if asked to do the secret handshake. If the client doesn’t know the secret handshake that’s the end of the conversation. Whilst you’re at it you can raise the general security level on your network by telling all clients to REQUEST access. That way the first thing the client will say is “do you know the secret handshake” if the answer is no they can still talk to each other.
For Windows everything is controlled through Group Policy, so not only is it easy to administer it’s easy to get very granular, for example you could say that only clients that match a specific WMI query get the IPSec policy's applied.
If you’re wondering why you wouldn’t just do this with some app level access control or some file level access control then consider this: you don’t know what’s running in the background maliciously on any device that someone casually brings in.
RESOURCES for IPSec and SDI have been gathered together in one place already on this IPSec Page of TechNet but I thoroughly recommend the following:
If you’re thinking about how you can make your environment more suitable for a world where people want to bring their own devices into the office then you could do well to attend an IT Camp where we talk about just that. Of course those events are now full, so I won’t bother to link them but now you can build the lab at home.
We’ve just released the Test Lab Guide that is part of the basis for the stuff we show at a camp, download, evaluate and have fun.