Endpoints are a necessary part of our business infrastructure, and though sometimes they feel like a necessary evil, that should not be the case as often as it happens in reality. Users often feel a sense of personal ownership over the devices they use at work. Visiting customers, partners, and the advent of Bring-Your-Own-Device (BYOD) compounded IT frustration with the problem of device ownership and management. Each of these situations creates a different use case, and each creates frustration for both IT and the device owners.
Traditionally, the approach for unmanaged devices trying to get access to organizational resources was total denial of access. Then visitors entered the picture. IT had to decide how to hook up LAN ports to the conference rooms and whether to make them persistent or not, which went against corporate security policy. Then came Wi-Fi and the conversation turned a little with the answers, “yes, we can create a guest Wi-Fi” and “yes, it can be persistent.” That pretty well covered visitors. However, corporate-owned systems and BYOD are causing a bit more friction.
Corporate-owned devices still have the issue of personal attachment or perceived ownership; users want to download and install applications and generally use them like a personal machine. Added to this are the myriad users who, for one reason or another, have administrative-level control on their devices. The result is a less trustworthy device operating inside the organization's boundaries.
BYOD drives a similar problem, only worse. These devices are totally untrustable and yet at a minimum, they demand access to email. From there they may move on to file shares and other data repositories as well as key business applications. Business users, similar to visitors, generally do not allow the installation of an agent on their personal devices and not all organizations have a mobile device or mobile application management solution. This means many business admins have no control over and little visibility into these devices and are, in many cases, caught between a rock and a hard place when it comes to security.
Gaining Flexibility AND Control
According to the traditional approach, access has been all or nothing. This really does not work for today’s business environments. The user revolution demands access from a plethora of devices on multiple operating systems and hardware platforms and the word NO can be a CLM (career-limiting move).
This means that in order to meet the business and user requirements, a solution must allow for grades or levels of access based on the level of trust in the device. Flexible control requires that each device can be interrogated to determine if it meets organizational policy, which is different for each use case and probably has multiple levels within any or all of the use cases. Owned and fully managed devices have to meet the most stringent policy but are also granted the most open access. Devices that are owned but co-managed by IT may not require as stringent a policy but are somewhat limited in access; user-owned devices, depending on their management status, have other policies assigned to them and most likely the least amount of access. The key is that everyone gets some level of access according to business risk tolerance and operating needs. If a device falls out of compliance, its access is revoked until it is back in compliance. The user is notified about why access was declined and in many cases can be offered a way to regain compliance, such as the latest application versions, patches, and other updates.
The Hard Part
Finding a single agent-driven solution is virtually impossible. Few, if any, solution providers support all operating systems and hardware platforms in a single control agent. Additionally, using multiple solutions to achieve coverage is a non-starter due to cost, complexity, and overall staff burden. Beyond that, an agent-driven solution will not meet all use cases and their requirements. That leaves the need for either a network-based solution or a single-vendor hybrid solution that can use both a network and an agent approach to cover all use cases.
In today’s world where endpoints are under constant attack, they must also be under constant scrutiny to determine if they are eligible to access resources. Control here refers to control over corporate resources, not over the devices. Similar to public hotspots where users have the option to accept the user agreement and connect or decline and move on, users have the option to comply or not comply with the policies the business requires to gain access to its resources. The business must understand the use cases that apply to its environments, the level of access it is willing to provide, and the risks that those choices incur. Once those are defined, adaptive policy-based control grants network access based on device posture. The organization’s security policies can be automatically assessed, compliance can be remediated, and business will get done. Conversely, failing to make those choices and decisions opens the business to higher risk (no controls) or work production impacts (control is too restrictive).
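The tiered, posture-based access model described above (one policy per ownership class, access revoked when posture slips, and the user told what to fix) can be sketched as a small policy evaluator. This is an added illustration, not code from the original article or from any vendor product; the ownership classes, the control names, the integer patch-level scale and the access labels are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed tiers from the article: fully managed, co-managed, user-owned (BYOD).
# Stricter posture requirements buy a wider access level. Control names and the
# integer "os_patch_level" scale are constructed placeholders, not real product terms.
POLICY = {
    "managed":   {"min_os": 3, "require": {"disk_encryption", "edr_agent", "firewall"}, "access": "full"},
    "comanaged": {"min_os": 2, "require": {"disk_encryption", "firewall"}, "access": "limited"},
    "byod":      {"min_os": 2, "require": {"screen_lock"}, "access": "email_only"},
}

@dataclass
class DevicePosture:
    device_id: str
    ownership: str          # key into POLICY
    os_patch_level: int     # constructed scale: higher means more current
    controls: set = field(default_factory=set)  # controls the device reports as enabled

@dataclass
class Decision:
    access: str             # POLICY access label, or "denied"
    reasons: list           # why access was declined (shown to the user)
    remediation: list       # what the user can do to regain compliance

def evaluate(device: DevicePosture) -> Decision:
    """Apply the tier's policy to one device; deny with reasons if out of compliance."""
    policy = POLICY.get(device.ownership)
    if policy is None:
        # Unknown ownership class: no tier applies, so no resource access.
        return Decision("denied", ["unknown ownership class"], ["enroll the device in a supported tier"])
    reasons, remediation = [], []
    if device.os_patch_level < policy["min_os"]:
        reasons.append(f"OS patch level {device.os_patch_level} below required {policy['min_os']}")
        remediation.append("install pending OS updates")
    for control in sorted(policy["require"] - device.controls):
        reasons.append(f"required control missing: {control}")
        remediation.append(f"enable {control}")
    if reasons:
        return Decision("denied", reasons, remediation)
    return Decision(policy["access"], [], [])

def reevaluate(devices) -> dict:
    """Re-check every device; a posture change immediately changes its access level."""
    return {d.device_id: evaluate(d).access for d in devices}

if __name__ == "__main__":
    sample = [  # constructed inventory
        DevicePosture("lt-001", "managed", 3, {"disk_encryption", "edr_agent", "firewall"}),
        DevicePosture("lt-002", "managed", 2, {"disk_encryption", "firewall"}),
        DevicePosture("ph-007", "byod", 2, {"screen_lock"}),
    ]
    for dev in sample:
        print(dev.device_id, evaluate(dev))
```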