Mobile Device Domain Policies

In the previous section, we briefly mentioned mobile devices; however, the use of mobile devices in the workplace is growing and is deserving of more detailed consideration. Mobile devices are part of our lives. Smartphones are the obvious example; however, there are other devices, including smartwatches and tablets. Many people use these devices as an integral part of their daily lives, and they bring them to work. How do you address this on an organizational network? Many questions arise, beginning with whether to allow personal devices to connect.

In most organizations. it is simply impractical to forbid personal devices. Some highly secure defense-related organizations can do this, but for most companies, you will simply have to accept that your employees are likely to be carrying personal devices. These devices pose substantial security risks. They present an entirely new attack vector. These issues must be addressed.

The first issue is defining how these devices can be integrated into the organization. Some established terms accomplish this:

• Bring your own device (BYOD)—This is a scenario in which employees bring whatever device they may have purchased and can connect, at least to a guest network. This poses the greatest security risk, but it is quite common.
• Choose your own device (CYOD)—This is a situation wherein the organization provides a list of approved devices. If the employee purchases a device from that list, then they can attach the device to the organizational network. This provides some level of security. The company at least knows the device meets minimum security requirements.
• Company-owned and personally enabled (COPE)—This is an approach wherein the company provides personal devices, most often phones, to employees who can then also utilize the devices for personal use. This poses the most direct security, because the company has a high degree of control over the device’s security. However, when the employee exits, parsing the employee’s personal data from company data can be problematic.

There are several approaches that can further mitigate security risks, regardless of the approach implemented. The first is Network Access Control (NAC). NAC functions by scanning a device when it first connects. This scan looks to see if the device meets minimum security requirements and has no obvious malware on it. This can be done in either an agentless or agent manner. The agent approach installs a small software agent on the device in order to scan. This is far more effective, but some people object to the agent being installed.

Another approach is to allow devices to connect to only a guest network, not the corporate network. In this way, the employee still can use the networked device, but it poses far less of a threat to the organization’s network. There is still a threat, but no more than from any guest accessing the guest network.

When it comes to mobile devices, one solution doesn’t fit all. With mobile devices being so ubiquitous, network security professionals must address them. As with any security issue, an objective threat assessment must be conducted, risks analyzed, and only then can appropriate policies be implemented and enforced.