By Toby Makepeace, Technical Director, Netutils
Views expressed in this post are original thoughts posted by Toby Makepeace. These views are his own and in no way do they represent the views of the company.
Ok, so we all know the term BYOD has been in the news for a good while now. And I’m still challenging my customers and contacts interested in deploying a BYOD strategy by asking them why? Why are you interested in a BYOD strategy for your organisation?
Personally, I think the concept of a secure network access control (NAC) policy is essential for any network, but when it is solely being linked to BYOD I have to ask the question ‘why?’
In my view the reasons behind a BYOD policy within organisations is normally driven by one of 3 things:
- The staff are asking for it
- The senior management team want to use their iPads (happens a lot, believe me!)
- The organisation sees a business benefit to allowing users to access their own devices at work
If it is the latter, great and I’ll address that further on in this blog.
If the reasons for BYOD are driven by either of the first 2, my suggestion is that you consider (instead of a full-on BYOD strategy) simply deploying a guest network with internet access and ensure all the relevant monitoring and filtering is in place.
In addition make sure you use something to control the traffic usage, and don’t ever just put up an open network for staff to use; you do not want to actively monitor staff, but you do want to deter people from just using a company connection to the internet for personal use. You also need to ensure the company has relevant protection in place to comply with the legal obligations no business should ignore (such as data retention and the Digital Economy Act) to reduce the responsibilities of your IT team in terms of managing and reporting on the data used and accessed by guests using your network.
You’ll probably find that the primary applications your staff wish to access will be (surprise, surprise) Facebook and Twitter and to be honest in most cases my advice would be to allow that. Happy staff work better. What you don’t want to find is a load of BitTorrent data being downloaded, or uploaded over the network, so hence the need for a solid guest access solution. So in this case you are not deploying BYOD you are just being nice to staff by helping them reduce their mobile data costs! And, let’s face it, most of them will be accessing these applications during the day with or without a guest network.
So back to full blown BYOD, I suggest you ask yourself and your organisation the following questions.
- Which applications do you need to support?
- What types of devices are you happy to support?
- Which employees are you happy granting access to?
Once you’ve answered these questions, I suggest you follow this simple process:
- Start with the resources
- Involve your staff
- Deploy a layered approach
Consider which resources you want staff to be able to access. Are you going to do things via Terminal server/Citrix sessions? Or are you going to allow users to actually use their devices to connect? Take each application and think of simple rules, for examples Outlook Web Access / Email are you happy with these being accessible on a personal device? Will the staff be more productive if they are? Ok, then consider do you require full Mobile Device Management or just a simple ActiveSync policy? (This will always come down to the volume of the data in peoples email).
Next, involve your staff. Let them know you are rolling out BYOD, but you are going to do it slowly and ask them to submit their suggestions as to what applications they seek to use and why. This way you can set priorities and assess the level of control you are going to need to be in place. You might find the Remote Access policy you have in place just needs to be tweaked, and a new wireless network that is very similar to the guest network gets created, that has a link through to certain resources like Lync/Citrix and other applications.
Deploy a layered approach. Allow staff to login to the BYOD network using their Active Directory credentials, this way they will be logged onto a secure network but separate from the corporate network. Then to get access to a resource like your CRM for example, you might consider using 2 factor authentication via an SSL portal, which is only available in the office, so you know who is accessing the network, the fact they are present in the building, and they know their 2 factor password.
I hope these tips give you food for thought and help you in your BYOD strategy planning. If you have any question then do feel free drop them to me via Twitter @tmakepeace. Thanks for reading and good luck!