Monday, March 21, 2011

Practicing What You Preach (even if you are not quite ready)

Recently, one of our (Enterasys) Solution Architects published this white paper on "Managing BYO Device Programs". Naturally, a bunch of my enterprising users immediately contacted the service desk asking if this was now policy, and when they could bring in their devices from home. Of course, while we have been working on this, we are not really ready to fully support it. We have been trying several things, looking for the balance that meets user needs, is not prohibitively expensive, and still provides us with reasonable security.

Here is where we are at:

  • We evaluated full remote-desktop-style VDI, both from VMware and Citrix, and dismissed it: at our user counts, it cost about as much per user as a good laptop, and left us with more infrastructure to manage
  • We are allowing a limited set of folks to connect directly, and using our own NAC capabilities to limit their access to web resources. By using our SSL VPN portal, they can then get to internal web resources. Several folks have been doing this for quite some time, and it seems to work for them
  • We are actually moving as many of our applications as possible to the cloud, which offers access from anywhere. As a side note, shame on you cloud providers that sell access from anywhere yet force your own employees to VPN in to access your applications. You know who you are
  • We are in the early stages of deploying a cloud identity management solution (Okta) that will soon offer two-factor authentication, which will meet our security requirements going forward
  • We have started evaluating the new HTML 5 Citrix client in an application virtualization deployment, and this one shows great promise
  • We already allow employee owned Active Sync devices to connect to our Exchange environment as long as the user sets a simple unlock pin, and grants us the ability to do a remote wipe if necessary to protect our data
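The last item above describes a concrete control: an employee-owned ActiveSync device gets mail only if it sets an unlock PIN and accepts remote wipe. As an added example (not from the post or from Enterasys), here is how that policy can be expressed in the Exchange 2010 Management Shell; the policy name, mailbox address and timeouts are assumed placeholders.

```powershell
# Added example, not the blog author's configuration. Assumes the Exchange 2010
# Management Shell; "BYOD-Baseline" and "jdoe@example.com" are placeholders.

# Create the policy: a PIN is mandatory, a simple numeric PIN is acceptable, and
# devices that cannot enforce the policy (non-provisionable) are refused.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 4 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -AllowNonProvisionableDevices $false

# Assign the policy to a user's mailbox.
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Inventory the devices currently synchronizing with that mailbox, so that a lost
# device can be identified by type, model and last sync time.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceType, DeviceModel, LastSuccessSync, DeviceID

# Remote wipe: select the lost device (here simply the first one listed) and issue
# the wipe. It takes effect on the device's next sync; DeviceWipeSentTime and
# DeviceWipeAckTime in the statistics output show when it was sent and acknowledged.
$device = Get-ActiveSyncDevice -Mailbox "jdoe@example.com" | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity
```

The wipe cmdlet prompts for confirmation by default; leave that in place for an operator-run procedure.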
I have come to the conclusion that a single strategy is probably not enough. For some users, the guest wireless solution will be sufficient. Others will need a bit more access until we have more stuff in the cloud. At some point, I believe the only folks who will still need access to non-web internal resources will be the engineers that need to access our labs. Everything else will be on the web, most of it in the cloud, accessible from anywhere and from any device with internet access and an HTML 5 compliant browser. I attended a Google Enterprise event a few weeks ago where they presented their 100% web vision. I'm not sure I'll ever get us to 100% web, but I think 80% within the next two years is doable.

If our solutions team keeps writing white papers, I may have to do it sooner :). As we get closer, BYOD becomes much easier, thanks in large part to our NAC deployment's ability to classify the end devices and then allow only appropriate access.
