Putting it simply, people are bringing their own mobile devices to work—a growing activity known as bring your own device (BYOD). These devices—smartphones, tablets, even laptops—are designed to work on networks, have substantial storage capacity and can run powerful applications. They can connect to an organization's wireless network, they can connect to a LAN, and they can be connected via systems like USB and Bluetooth to existing LAN equipment (PCs, printers, etc.).
And once they're outside the office they're prone to loss and theft. This combination of portability, capability and private ownership makes mobile devices a substantial issue when it comes to securing an organization's assets.
Naturally, a security-conscious IT department—perhaps also wary of supporting countless mobile platforms—is inclined to ban the devices from the organization's network.
But employees use these devices in support of their work, doing things like staying on top of their email, managing workflow, working with documents, etc. They therefore expect that they should be able to use these devices to access company assets.
Portfolio Aid decided to have it both ways.
Portfolio Aid is a Toronto software company that sells compliance solutions to the financial industry. We host a solution on a cloud platform that involves sensitive financial data. Moreover, we do development on some of the very platforms in question—our clients require that our platform be usable on their tablets. What's more, we have contractors, vendors and even clients in our office on a regular basis who want Internet connectivity but who are not authorized to use our LAN.
Our clients, being heavily regulated firms, require that we undergo regular audits of operations and security. We had to produce a policy on mobile computing, and it had to guarantee the security of our clients' data while meeting all of these other demands. We'd been thrust directly into the mobile-computing dilemma.
Our LAN had already been hardened with endpoint security policies on PCs (where Bluetooth, USB and optical drives are disabled), as well as the usual firewalls and central control of identity and entitlements. Building on this, we banned mobile devices from the secured company LAN and told our employees that we would not support their devices.
Then we provided a Wi-Fi network to enable mobile devices to be used in the office. The Wi-Fi network is password protected and furnished with a dedicated Internet connection. In this respect, walking into our office is very much like walking into a coffee shop. The ban on mobile devices for our company LAN is enforced by a network-switch configuration that denies IP addresses to unfamiliar mobile devices as identified by their MAC address. Our IT personnel will support only those tablets our firm provides for development purposes.
Separating LAN and Wi-Fi at Portfolio Aid
With this solution, we've covered all of our requirements in a cost-effective way. Our obligations to our clients are met. Our auditors are happy. And we encourage employees to bring their own devices in a way that frees us from the hassle of having to support and understand those devices and worry about their security.
Portfolio Aid Risk Manager