Security management is a thankless task, but wouldn’t it make a change to be the security manager who says “ok, not a problem” when confronted with the Chief Executive’s iPad and a directive that he is to be able to use it for business?
Historically, the mantra of security managers has been “unless you can show me a receipt that the company owns it, you can’t use it”, which has worked reasonably well, but with senior management wanting to play with shiny toys, can security managers really keep saying that? And once the CXOs have the latest gadgets, people down the chain will start shouting for theirs too.
IT departments everywhere are under constant and growing pressure to allow the use of iStuff, either privately owned or corporately supplied, and sooner or later they’ll give in. These things are security headaches because you can’t apply the same controls that you would on BlackBerrys and Windows-based laptops. The problem is how to allow them on the network without compromising the security of the data on the devices or of all the lovely storage servers that they can access.
What our under-thanked security manager needs before he starts to deploy technical controls is a written policy that permits the use of iStuff. This should also set out the corporate position on who is responsible for the upkeep and maintenance of iStuff, and whether any technical controls will need to be deployed in order for the user to make use of iStuff.
At this point the users should have a choice – use their iStuff (assuming it’s personal) and understand that the IT Helpdesk is only going to assist if it’s a problem with the technical controls that they deployed to it, or take the corporate shilling and live with it knowing that they can get support and applications through the IT Helpdesk.
When looking at products that can assist in enabling the necessary technical controls to make iStuff useable in the corporate world, consideration must be given to:
∙ Security & configuration management – set longer passwords, remote lock or wipe, clean to factory configuration, manage and deploy configurations, track the device on an internet map
∙ Application management – track installed applications, publish a list of approved apps, remotely and securely deploy in-house apps to users
∙ Asset inventory – log information about hardware and software
It is reasonable to assume that users won’t be overly happy at the asset inventory aspects, but this is one of the compromises that they have to understand is necessary. If there is no security and tracking (making sure they haven’t got hooky software on their iStuff!!), then no data connection to the corporate network is possible.
By Si Kellow, Security consultant and chief security officer, Proact UK