Q&A with James Brown of StillSecure
VSM: How do you determine who’s allowed onto the network first? Which employees have access & why?
JB: The most important aspect of determining who should have certain types of access is to look at what classes of users gain access and what they should be able to access. Classes of users would include regular employees, contractors, guests, etc.
It all comes down to policy compliance. If an endpoint complies with your organization’s corporate security policy, then the user should gain access to the network at whatever level is needed for the employee (endpoint) or department (Finance, HR, Research, etc.) to complete his daily job functions. Also, if a user doesn’t comply in some way, but complies in others--for example, maybe the endpoint hasn’t got all the latest Windows updates, but has AV that’s up to date--the endpoint may be given access, but the IT help desk should be notified of the situation.
And finally, if an endpoint doesn’t comply sufficiently--maybe it has no working anti-virus software, or its virus signatures are out of date--it will get limited (perhaps Internet-only) or no access at all until it does.
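As an added illustration, not part of the interview, of the graded compliance decision described above (full access, access with a help-desk ticket, or Internet-only/no access), here is a small Python posture evaluator. The user classes, their access levels, and the seven-day signature-freshness cutoff are assumptions, not policy from StillSecure.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed policy (assumption): what each user class may reach when fully compliant.
CLASS_ACCESS = {"employee": "corporate", "contractor": "contractor-vlan", "guest": "internet-only"}
SIGNATURE_MAX_AGE = timedelta(days=7)  # assumed freshness requirement for AV signatures


@dataclass
class Posture:
    user_class: str
    av_running: bool
    av_signature_date: Optional[date]
    os_patches_current: bool


@dataclass
class Decision:
    access: str            # "corporate", "contractor-vlan", "internet-only" or "none"
    notify_helpdesk: bool  # True when the endpoint is admitted despite a gap, or quarantined
    reasons: List[str]


def evaluate(p: Posture, today: date) -> Decision:
    """Map endpoint posture to a network access level, per the three-tier policy."""
    if p.user_class not in CLASS_ACCESS:
        return Decision("none", False, ["unknown user class"])
    critical: List[str] = []
    minor: List[str] = []
    # No working anti-virus, or stale signatures: critical gap -> Internet-only or nothing.
    if not p.av_running:
        critical.append("no working anti-virus")
    elif p.av_signature_date is None or today - p.av_signature_date > SIGNATURE_MAX_AGE:
        critical.append("anti-virus signatures out of date")
    # Missing OS updates while AV is healthy: minor gap -> admit, but open a help-desk ticket.
    if not p.os_patches_current:
        minor.append("missing OS updates")
    if critical:
        # Guests already land on Internet-only; a non-compliant guest gets no access (assumption).
        access = "internet-only" if p.user_class != "guest" else "none"
        return Decision(access, True, critical + minor)
    return Decision(CLASS_ACCESS[p.user_class], bool(minor), minor)
```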
VSM: How much access should each employee have on their 'BYOD' device? Is it different depending on the type of device?
JB: Defining access by device type isn’t required, but in order to be productive in any given environment, an employee needs to be able to access particular in-house applications. That holds true whether they bring a laptop from home, a smartphone, or a tablet.
VSM: How can a company address the increasing amount of malware on 'BYOD' devices?
JB: There are several layers of defense that should be in place to minimize malware on a BYOD device:
- App stores should have appropriate measures to attempt to identify malware up front, scanning for known malware code and preventing users from ever seeing it. Both Apple and Google app stores scan all software prior to allowing access to users.
- On-device anti-virus (whether laptop, phone, or tablet) is the next line of defense. These look for known malware on the device and alert the user.
- Mobile Device Management (MDM) software can be used to set a specific group of allowed or disallowed applications. After that, network access control (NAC) should ensure that only devices with approved applications are allowed access on the network.
VSM: Can employees use corporate software on their personal devices?
JB: Relative to hosted applications, using corporate software on personal devices is the safest way to deliver application functionality to any device. Because the data remains on the company's servers, there's no potential for loss. When considering on-device applications, the question then becomes how much data the on-device application stores locally and how that data is protected. For example, Data-At-Rest encryption, Data Loss Prevention, Anti-Virus, and Host-based IDPS should be considered.
VSM: Is an employer responsible for securing and monitoring these devices?
JB: Regardless of responsibility, most employers want to ensure that 'BYOD' devices comply with applicable security policies and that any data local to those devices is protected in the event of loss of the device, termination of the employee, or compromise by an outside party.