In the past I’ve written a number of articles on how to start thinking about the consumerisation of IT – if you aren’t familiar with the term hopefully this link will help. Now I think it’s time to move beyond thinking about how you’ll build a consumerisation strategy and how your support will change and start looking at the tech that you’ll need to support a flexible environment. In this post we’ll take a look at the two major variables, People and Devices, and look at the types of tech to help support more variability in them.
There are two variable, user-centric components that you use to control access in your organisation: the identity of your people and the identity of your devices. If you're like most IT shops you've had your eye on these for a long time and have probably locked things down around both. First and foremost your people have become user accounts, and this is where your access controls are probably most focused today. Secondly you have control of devices because they're corporate-issued assets: you named them, you have admin access, you say what software is installed and what isn't, and you have to fix them when they break. We'll spend most of our time in this post discussing devices.
The first thing to note is the term I'm using. I'm not saying desktop; I'm deliberately being more inclusive than that. Devices includes desktops, laptops, mobile phones, smartphones and embedded devices (you might have Electronic Point of Sale devices, EPOS, or tills to everyone not in retail). It really doesn't matter what the device is; people have so many today (device multiplicity) that you need to think about how best to support them all.
Traditionally we controlled devices in a binary, red and green way: you either have a corporate one or not, allow or deny. Today though people will bring in what they want, and they love those devices so much that they will fight to make them work on the network, and when they do they break some kind of corporate policy. In the Windows environment most of us run, devices have an identity of their own, a computer account in Active Directory, and it is that identity that allows us to control, secure and support them.
What we need to aim for then is a world in which we have as much knowledge about the devices on our network as we can, given each device's constraints. For example you can't domain join an Android device. The upshot is that you can't control, secure and support it using the traditional methods of Group Policy and the like, but the only reason you can't is that there is no account for it. Most people know that the majority of mobile devices connect to our corporate network using Exchange ActiveSync so that they can receive email. Therefore the management connector for mobile devices, the thing that knows what that device is, is the email system, and an Exchange ActiveSync mailbox policy (device PIN, encryption requirement, remote wipe) is often the only control you have over such a device.
Of course devices don't receive email, people do. So what we really know here is some information about the device based on the person, not just the device. Given that a device does things without the person using it necessarily knowing (I'm thinking of it looking for resources, but malware could also be a problem), don't we need to think in pure device terms? Yes.
What we need then is a lower-level identifier than just the individual's identity; perhaps we consider the device's identity as it presents itself to the network.
At the network level we see the device's MAC address first, then its IP address (which we probably gave it), and once meaningful communication is established we can ask for certificates, identity attributes, capability profiles and the like. Bear in mind that a MAC address identifies a device but cannot authenticate it (it is trivially spoofed), so anything you want to rely on should be backed by a certificate the device has to prove it holds. Of course we need to enable the right components. It sounds obvious, but the best way to support devices you have no control over is to ask them what capabilities they have and respond to that.
Managing people is far easier than managing devices because what we need to do here is long established. Essentially we manage what an individual is allowed to see and do, from both an information (data) and a resource perspective. Normally we manage both based on Access Control Lists (permissions) and on privilege. Dave has READ access, Donna has WRITE access, Helen is DENIED access. Simple.
We are able to do this because people have a user account on the system they need access to, and the really sensible shops have already introduced and enforce a single identity, or at least Single Sign-On. If you haven't, this is your starting point.
People on Devices
The tricky considerations come into play when we use both variables together, P + D = x, and this is where the challenge for us as IT professionals comes in. We need to build an environment that responds to this.
If Dave has access to the company accounts on his work PC (which is a fully managed, encrypted asset) and he has the same level of access from his very beautiful mobile phone, what happens if his devices are stolen? The first thing you do is disable his user account and reset his password. Second, you know his work PC is encrypted, so you classify that as a low risk of loss. Then you turn to his mobile: it might be encrypted, it might not, perhaps just the mailbox and not the app storage; did he sync the files to a public cloud location; can it be remote wiped, and if so, is it switched on, is the SIM card still in the device? Questions pop up thick and fast. All I'm getting at is that you need to take into account not only the person, but the device that the person is using.
P + D = x
What a person can do on device A might need to be different to what they can do on device B, C and D so we need an infrastructure that can help manage that.
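As an added example (not code from the original post), here is a small model of the two ideas above: the network-level view of a device (MAC address first, then certificates and capabilities) and P + D = x, where what a person may do is capped by what the device they are on is trusted for. All device attributes, names, MAC addresses and users are assumptions constructed for the example, not fields of any real product or directory; the containment plan is the stolen-device checklist from the previous paragraph written as a function.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Dict, List


class Access(IntEnum):
    """Ordered so that min() picks the more restrictive level."""
    DENIED = 0
    READ = 1
    WRITE = 2


@dataclass(frozen=True)
class Device:
    """What we can learn about a device, roughly in the order the network learns it.
    Attribute names are assumptions for this example, not fields of any real product."""
    name: str
    mac: str                     # seen first; identifies the device but does not authenticate it
    domain_joined: bool = False  # has a computer account, so Group Policy reaches it
    has_cert: bool = False       # proved possession of a device certificate (802.1X/IPsec style)
    encrypted: bool = False      # whole-device encryption, not just the mailbox
    remote_wipe: bool = False    # a remote wipe can be issued to it (e.g. via Exchange ActiveSync)
    stolen: bool = False         # reported lost or stolen


@dataclass(frozen=True)
class User:
    name: str
    acl: Dict[str, Access]       # resource -> what the person is allowed


def device_trust(d: Device) -> Access:
    """The most a device is fit for on its own merits (the D in P + D = x)."""
    if d.stolen:
        return Access.DENIED
    if d.domain_joined and d.has_cert and d.encrypted:
        return Access.WRITE      # fully managed, encrypted asset
    if d.encrypted and (d.has_cert or d.remote_wipe):
        return Access.READ       # enough to let it look, not enough to let it change
    return Access.DENIED         # a MAC and an IP address alone earn nothing


def effective_access(user: User, device: Device, resource: str) -> Access:
    """x = the lesser of what the person may do and what the device is trusted for."""
    return min(user.acl.get(resource, Access.DENIED), device_trust(device))


def containment_plan(user: User, devices: List[Device]) -> List[str]:
    """Ordered response when one or more of a person's devices is stolen."""
    plan = [f"disable account {user.name}", f"reset password for {user.name}"]
    for d in devices:
        if not d.stolen:
            continue
        if d.domain_joined and d.encrypted:
            plan.append(f"{d.name}: encrypted managed asset, low risk; revoke its certificate")
            continue
        if d.remote_wipe:
            plan.append(f"{d.name}: issue remote wipe and wait for acknowledgement")
        else:
            plan.append(f"{d.name}: no remote wipe; treat mailbox and synced files as exposed")
        if not d.encrypted:
            plan.append(f"{d.name}: not encrypted; assume local data is disclosed")
    return plan


# Constructed sample data (not real people, devices or addresses).
DAVE = User("dave", {"accounts": Access.WRITE})
HELEN = User("helen", {"accounts": Access.DENIED})
PC = Device("dave-pc", "00:11:22:33:44:55", domain_joined=True, has_cert=True, encrypted=True)
PHONE = Device("dave-phone", "66:77:88:99:aa:bb", encrypted=True, remote_wipe=True)
UNKNOWN = Device("unknown", "cc:dd:ee:ff:00:11")   # all the network has is a MAC address


def demo() -> Dict[str, object]:
    """Dave on each of his devices, and the plan once his phone is stolen."""
    stolen_phone = replace(PHONE, stolen=True)
    return {
        "dave_on_pc": effective_access(DAVE, PC, "accounts"),
        "dave_on_phone": effective_access(DAVE, PHONE, "accounts"),
        "dave_on_unknown": effective_access(DAVE, UNKNOWN, "accounts"),
        "dave_on_stolen_phone": effective_access(DAVE, stolen_phone, "accounts"),
        "helen_on_pc": effective_access(HELEN, PC, "accounts"),
        "plan": containment_plan(DAVE, [PC, stolen_phone]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the ordering in `device_trust` is that the same person gets WRITE on the managed PC, READ on the encrypted phone that can be wiped, and nothing at all on a device that has only presented a MAC address; marking a device stolen drops it to DENIED before the account is ever touched, and the containment plan still disables the account and resets the password first, because the device-level controls (wipe, certificate revocation) depend on the device being reachable.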
To secure & manage people on devices you might like to look at using:
- Active Directory
- Exchange Active Sync
- System Center Configuration Manager 2012
- IPSec policies to control access to your most secure resources
- Network Access Protection – to ensure minimum standards
- A modern gateway – to present secure web access to internal resources
- Firewalls (!)
- Remote Desktops and VDI – to provide a consistent fallback environment, or secure remote access
- VPNs or (better) DirectAccess
- App-V – to deliver virtual applications so that you can remove them easily when no longer needed
For most this should be a familiar and not so scary list of technology. Deployed in a flexible way you won't lose control, but you'll allow people in your organisation to do what they want, which sounds like too-good-to-be-true marketing fluff, but it's not.