Employees are increasingly using their personally-owned ICT devices at work, for both personal and work purposes. Organizations with BYOD (Bring Your Own Device) schemes and policies typically insist that employees' smartphones, laptops, tablets etc. are secured and managed by IT, requiring the use of MDM (Mobile Device Management) software, AV (antivirus) etc.
So what happens as employees start bringing in their personal IoT toys (BYOT - Bring Your Own Things) in the same way - their fitness trackers, Google Glass and other wearables, perhaps control pods for their home IoT systems, and so forth?
Good luck to anyone trying to insist that IT installs MDM, AV and all that jazz on a gazillion things!
One approach to BYOT security, I guess, is to prohibit all unapproved and unauthorized devices/things from connecting to corporate networks, while at the same time preventing corporate devices/things from connecting to non-corporate networks (including ad hoc or mesh networks formed spontaneously between IoT devices, and public networks such as open WiFi, Bluetooth and cellular networks). Keep them logically separated, with strict enforcement through compliance measures, change and configuration management, network and device/thing security management and monitoring etc. (oh oh, I see dollar signs ticking up at this point).
Another approach is to deperimeterize - stop relying on network perimeter access controls and depend on device/thing security instead. Treat all networks as untrustworthy if not overtly hostile. Easy to say, tricky to do properly.
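As an added illustration of the "monitoring" half of that first approach (example code written for this page, not the author's own), the script below flags DHCP leases handed out to devices that are not in an IT-managed inventory, reading ISC dhcpd-style syslog lines ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>"). The inventory, the OUI-to-vendor table and the log lines are all constructed for the example; the OUI prefixes are hypothetical, not real vendor assignments.

```python
"""Flag unapproved devices in DHCP server logs against an asset inventory.

Added example, not from the original post. Assumes ISC dhcpd-style syslog
lines; the inventory, OUI table and sample log lines are constructed.
"""
import re
from dataclasses import dataclass

# Inventory of IT-managed devices, keyed on MAC address (constructed).
APPROVED = {
    "3c:22:fb:11:22:33": "laptop-alice",
    "a4:5e:60:44:55:66": "phone-bob",
}

# First three octets (OUI) of consumer IoT/wearable vendors.
# Hypothetical values for illustration; a real deployment would load
# the IEEE OUI registry instead.
IOT_OUIS = {
    "e0:22:88": "fitness tracker vendor (hypothetical)",
    "f4:f5:d8": "smart home hub vendor (hypothetical)",
}

# dhcpd logs a DHCPACK with the hostname in parentheses when the client
# supplied one, and without the parenthesised part when it did not.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    iface: str
    vendor_hint: str


def parse_dhcpack(line):
    """Return the lease fields from a DHCPACK line, or None for other lines."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "mac": m["mac"].lower(),
        "host": m["host"] or "",
        "iface": m["iface"],
    }


def unapproved_devices(log_lines, approved=APPROVED, iot_ouis=IOT_OUIS):
    """Return one Finding per distinct unapproved MAC that obtained a lease."""
    seen = set()
    findings = []
    for line in log_lines:
        lease = parse_dhcpack(line)
        if lease is None or lease["mac"] in approved or lease["mac"] in seen:
            continue
        seen.add(lease["mac"])
        oui = lease["mac"][:8]
        findings.append(Finding(
            ip=lease["ip"],
            mac=lease["mac"],
            hostname=lease["host"],
            iface=lease["iface"],
            vendor_hint=iot_ouis.get(oui, "unknown OUI"),
        ))
    return findings


# Constructed sample log: two managed devices, a wearable, an unnamed hub,
# a lease renewal for the wearable, and a non-ACK line to be ignored.
SAMPLE_LOG = [
    "Mar  3 08:12:01 dhcp1 dhcpd[1042]: DHCPACK on 10.20.1.15 to 3c:22:fb:11:22:33 (laptop-alice) via eth0",
    "Mar  3 08:12:44 dhcp1 dhcpd[1042]: DHCPACK on 10.20.1.16 to e0:22:88:aa:bb:cc (tracker-1234) via eth0",
    "Mar  3 08:13:02 dhcp1 dhcpd[1042]: DHCPACK on 10.20.1.17 to a4:5e:60:44:55:66 (phone-bob) via eth0",
    "Mar  3 08:13:30 dhcp1 dhcpd[1042]: DHCPACK on 10.20.1.18 to f4:f5:d8:01:02:03 via eth0",
    "Mar  3 08:14:10 dhcp1 dhcpd[1042]: DHCPACK on 10.20.1.16 to e0:22:88:aa:bb:cc (tracker-1234) via eth0",
    "Mar  3 08:15:00 dhcp1 dhcpd[1042]: DHCPREQUEST for 10.20.1.19 from 00:11:22:33:44:55 via eth0",
]

if __name__ == "__main__":
    for f in unapproved_devices(SAMPLE_LOG):
        print(f"UNAPPROVED {f.mac} {f.ip} host={f.hostname or '-'} "
              f"iface={f.iface} hint={f.vendor_hint}")
```

Two caveats a practitioner would add: a MAC address is trivially spoofable, so a check like this is detection (something unexpected got a lease) rather than the "strict enforcement" part, which needs an 802.1X/NAC layer that authenticates devices with certificates before they get an address at all; and the OUI hint is only a hint, since many IoT devices randomize or clone addresses.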

Regards,
Gary (Gary@isect.com)
* "Bring Your Own Stuff" is the polite version, "Bash Your Old Ship" is slightly closer to the real definition.