May 17th, 2012
I had the privilege of attending a great event put on by our partner Netelligent this week and there was one topic that came up over and over again – Bring Your Own Device (BYOD). It was clear to me that the market is finally driving down the exploratory road of allowing employees to use the device of their choosing in their day-to-day business functions. The explosive growth of iPads, followed by MacBooks, into the enterprise environment (look around at your next meeting or conference) is fundamentally pushing this agenda forward. Excellent – right? It might depend on what team you belong to.
If I am an IT professional maintaining the corporate network, I would certainly be a little less than excited. “Are you telling me that I am to allow an untrusted device on my corporate network?” No. Emphatically “NO”.
You see, I think the whole BYOD movement is fundamentally equated with a concept that is wrong. It is this misunderstanding which is holding the business back from embracing a more efficient and agile work environment with BYOD. BYOD does not (or should not) equal untrusted devices on a corporate network. BYOD equals the ability for the employee to use a personal device of their choosing to access a corporate workspace or resources. That’s it. The trust should come from the authentication layer, not the physical layer.
About a decade ago, the IT security world agreed that the “perimeter” of the organization was dead. Firewalls would not solve the security problem. The reality was that too many external entities were coming into the corporate environment, and basing a policy on the assumption that all internal assets were trusted was not a good idea. This shift in agreement meant that vendors selling firewalls, IDS, IPS and other security systems had a whole new green field of opportunities to sell – internal. It was good for their business.
However, the BYOD movement has simply highlighted that the concept of the perimeter was not truly killed in the minds of IT. They still have a level of trust, though lowered, of internal devices. I would argue that they shouldn’t. Nothing internal should be trusted. The office building is Starbucks (the coffee isn’t as good) and anyone can bring their own device in. It is when the user needs to access corporate resources that the user is actually authenticated, authorized and brokered to desktops, applications, storage and other corporate resources. We shouldn’t pay lip service to the fact that the perimeter is dead with ineffective network access controls; we can implement it with the BYOD movement.
You know that guest wireless network you have running in your office? With the implementation of BYOD, maybe that should be the primary network for all the users to access. And guess what? You can save money on all those internal network controls. BYOD does not mean that untrusted devices are allowed on a trusted network. It is about enabling the employee.