Planning for Bring Your Own Device (BYOD) (Part 1)

by Brien M. Posey [Published on 5 Feb. 2013 / Last Updated on 5 Feb. 2013]

One of the hottest trends in IT is Bring Your Own Device (BYOD). This article series discusses important considerations that must be taken into account prior to allowing users to access your network from personal devices.


Ask any industry analyst what the hottest IT trends of 2012 were, and Bring Your Own Device (BYOD) is sure to be near the top of the list. The consumerization of IT has become so prevalent that users expect to be allowed to access corporate data from their own personal devices. However, you shouldn’t grant users this type of access just because it is the popular thing to do. There is a lot of planning that must be done ahead of time in order to keep your network and your data secure. This article discusses some of the decisions that will need to be made in order to ensure a successful transition to BYOD.

What Resources Should Be Accessible?

I have heard some IT pros say that the essence of BYOD is that users should be able to do anything from their own personal devices that they could do from the PC in their office. Personally, I disagree with this philosophy. There is no law that says that users must have mobile access to absolutely everything.

Users should have access to the applications and data that they need to do their jobs, but the convenience of mobile access must not jeopardize the security of the organization’s network or data. I recommend examining network resources one by one, and determining which resources are safe for mobile access and which are not.

As you work through this process, you may determine that it isn’t really a problem for users to access corporate resources from personal devices, but that you don’t really feel comfortable with certain types of data being accessible from beyond the network perimeter. In these types of situations, you don’t necessarily have to deny users the ability to use their own personal devices. You might instead configure some firewall rules that make the resources available to users working from personal devices so long as they are accessing the organization’s wireless network. Access to these resources could be denied to VPN connections or other remote access solutions.
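The scoping described above can be expressed with the Windows Firewall cmdlets that ship with Windows Server 2012. The following is an added example, not part of the original article: the subnets, port and rule group name are assumptions, and the second function lists any other allow rule that would still open the port to every address.

```powershell
# Constructed values for illustration; substitute your own ranges and port.
$WifiSubnet = '10.20.0.0/16'   # on-premises wireless clients (assumed)
$VpnPool    = '10.99.0.0/24'   # addresses assigned to VPN clients (assumed)
$Port       = 445              # SMB on the server holding the sensitive share
$Group      = 'BYOD scoping'   # hypothetical rule group name

function Set-ByodScopeRules {
    param([string]$Wifi, [string]$Vpn, [int]$LocalPort, [string]$RuleGroup)

    # Remove rules from an earlier run so the function can be re-applied safely.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName "Allow TCP $LocalPort from Wi-Fi" `
        -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort $LocalPort `
        -RemoteAddress $Wifi -Action Allow | Out-Null

    # Block rules take precedence over allow rules in Windows Firewall, so this
    # wins even if another rule permits the port from any address.
    New-NetFirewallRule -DisplayName "Block TCP $LocalPort from VPN" `
        -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort $LocalPort `
        -RemoteAddress $Vpn -Action Block | Out-Null
}

function Get-BroadAllowRule {
    # Lists other enabled allow rules that open the same port to any remote
    # address; those would still admit devices outside the Wi-Fi range.
    param([int]$LocalPort, [string]$RuleGroup)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Group -ne $RuleGroup } |
        ForEach-Object {
            $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            $addrs = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            if (($ports -contains "$LocalPort" -or $ports -contains 'Any') -and
                $addrs -contains 'Any') {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    LocalPort     = $ports -join ','
                    RemoteAddress = $addrs -join ','
                }
            }
        }
}

Set-ByodScopeRules -Wifi $WifiSubnet -Vpn $VpnPool -LocalPort $Port -RuleGroup $Group
Get-BroadAllowRule -LocalPort $Port -RuleGroup $Group | Format-Table -AutoSize
```

Any rule the second function reports needs its remote address scope narrowed or the rule disabled before the Wi-Fi-only restriction actually holds.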

What Types of Devices Should Be Allowed?

One of the primary reasons for using BYOD is to allow users to work from the device that is the most convenient for them. However, that doesn’t necessarily mean that you should permit access to your network resources from all device types.

As you determine which types of end user devices to allow on your network, it is best to think about the security implications of each device type. For example, I know of at least a couple of organizations that allow users to access network resources from smart phones or from ARM-based tablets, but not from PCs. The reason for this is that the rate of malware infections is much higher for PCs than for other types of devices.

Some organizations attempt to mitigate this risk by letting mobile users access remote desktop sessions rather than establishing a direct connection from their mobile device to network resources. While the use of remote desktop sessions does improve security to a degree, there is still a chance that the PC that the user is working from might contain a key logger or other type of malware that could hijack sensitive data.

If you have users who need to be able to access corporate resources from their own personal PC, then you have a few different options for making sure that those resources are accessed in a secure manner. One such option is to use Windows Server’s Network Access Protection feature.

Network Access Protection is a part of the Routing and Remote Access services. It allows an administrator to define what it means for a remote client computer to be healthy. For example, you might require specific operating systems to be used. You can also establish other security requirements such as up-to-date antivirus protection or having the Windows Firewall enabled.

In some cases it is even possible to use automatic remediation if a user connects to the network from an unhealthy PC. For example, if you require remote clients to have the Windows Firewall enabled and someone connects to the network without first enabling the Windows Firewall, your server could automatically enable the firewall on the user’s computer prior to granting them access to the network.

Although you can use Network Access Protection to make sure that remote clients connect from healthy PCs, Network Access Protection isn’t a perfect solution. Sure, Network Access Protection lets you define what it means for a remote client computer to be healthy, but the criteria that you can use in determining the client’s health are somewhat limited. That being the case, a better solution for those who need to remotely access the network from a PC might be to use Windows To Go.

Windows To Go is a new feature offered by Windows 8. The basic idea is that Windows 8 can be installed onto a bootable USB flash drive. This approach is helpful because when a user boots Windows To Go, they are booting directly from the USB flash drive, not the computer’s internal hard drive.

A Windows To Go device can include a Windows 8 instance that fully complies with all of the organization’s security standards for desktop computers. Additionally, you can even install applications onto the flash drive, so long as the applications are small enough to fit.

When it comes to using Windows To Go as a BYOD solution, many organizations configure the Windows To Go environment to be as secure as possible and then provision it with access to a remote desktop session, rather than attempting to store data and a full set of applications directly on the flash drive.

Even if a Windows To Go device doesn’t contain any data, security is still an extremely important consideration. After all, if a user were to misplace a Windows To Go device then someone could potentially find the device and then use it to gain access to corporate resources. The best way to keep that from happening is to encrypt Windows To Go devices by using BitLocker encryption.
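One way to apply and verify that encryption while the drive is attached to a provisioning PC, using the BitLocker cmdlets included with Windows 8 and Windows Server 2012. This is an added example rather than code from the original article; the drive letter and function name are assumptions, and it must be run from an elevated prompt.

```powershell
function Protect-WtgDrive {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:' (assumed)
        [Parameter(Mandatory)][securestring]$Password
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Password protector: the drive roams between PCs, so it cannot be
        # bound to the TPM of any one machine.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -UsedSpaceOnly -PasswordProtector -Password $Password | Out-Null
    }

    # Add a recovery password so a forgotten unlock password does not strand
    # the user; store it according to your own escrow process.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint `
            -RecoveryPasswordProtector | Out-Null
    }

    # Report the state at the time of the call; encryption may still be running.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = "$($vol.VolumeStatus)"
        ProtectionStatus  = "$($vol.ProtectionStatus)"
        PercentEncrypted  = $vol.EncryptionPercentage
        KeyProtectors     = $types -join ','
        ReadyToHandOut    = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                            ($vol.ProtectionStatus -eq 'On') -and
                            ($types -contains 'Password')
    }
}

$pw = Read-Host -AsSecureString -Prompt 'Unlock password for the Windows To Go drive'
Protect-WtgDrive -MountPoint 'E:' -Password $pw
```

Re-run the function until `ReadyToHandOut` is `True` before issuing the drive, since a drive handed out mid-encryption is not yet fully protected.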

In case you are wondering, you can use Windows To Go on almost any 32 GB USB flash drive that is USB 3.0 compliant (although Microsoft wants you to use USB drives that are Windows To Go certified). The client computer only requires sufficient hardware to run Windows 8, and the ability to boot from a USB device. Even though Microsoft requires the use of USB 3.0 flash drives, you can boot a Windows To Go device from a computer that has a USB 2.0 port. Of course, Windows will perform a lot better if you use a USB 3.0 port instead.


Hopefully you are starting to get the idea that there really are a lot of things to consider if you want to allow users to take advantage of BYOD. In Part 2 of this series, I will continue the discussion by talking about more considerations that should be taken into account.


The Author — Brien M. Posey

Brien Posey is an MCSE and has won the Microsoft MVP award for the last few years. Brien has written well over 4,000 technical articles and written or contributed material to 27 books.
