Blogger: Eric Maiwald
If your employer offered you the opportunity to bring your own computer to work, would you do it? What if your employer offered you a stipend to buy a new computer to use at work – would you do it then? For those of you who are security folks – would you want all of your fellow employees to do it?
Well, the opportunity may come. Last Wednesday I listened to Michael McKiernan from Citrix talk about the bring-your-own-computer (BYOC) program at his company. According to Mr. McKiernan, about 10% of Citrix employees participate in the program. Citrix is seeing cost savings from the program, so it is also attractive to the company’s management.
If a program like this is interesting for management, it might be a good idea for the security teams to think about managing risk in this type of environment. In the Citrix program, there were certain requirements around security software that must be installed before the employee’s computer can be used for work. You might want to think about the requirements you would want to place on any employee-owned computers.
Right after the Citrix talk, Burton Group Principal Analyst Dan Blum presented a talk titled “Endpoint Virtualization: How to Protect Data When You Don’t Control the Desktop.” The timing of that talk was very good as it showed how an enterprise can use virtualization technology to manage risk if employees are allowed to bring their own computers to work.
Keep an eye on technologies like desktop virtualization. Even though it is not a security technology, it will be very useful in managing enterprise risk if employees are allowed to bring their own computers to work.

Eric,
I think the same can be said of Cloud Computing, to a certain extent. Of course, the user can cache emails and other docs from Google Apps for off-line access, but the same can be done when you publish apps on Citrix.
But I would agree that a virtualized environment would provide better security controls.
Saqib
Posted by: Saqib Ali | August 04, 2009 at 02:43 PM
Already back in 2001 I posted a paper on SecurityFocus on how to use terminal services in order to achieve better security.
What I said then still applies, as long as you change "terminal services" for "endpoint virtualization".
I love when I can forecast things 8 years in advance... :-)
Posted by: Andre Fucs | August 06, 2009 at 05:07 AM
Kunjan,
NAC on the switch is not necessarily required. While the enterprise will need to protect sensitive information and systems, how this is done depends on the other requirements the enterprise sets out. For example, the enterprise could use a VPN from the various endpoints to the data center and use the data center perimeter to limit access to systems and information.
Eric Maiwald
Posted by: Eric Maiwald | August 20, 2009 at 07:53 AM