We all know that no matter what policies and controls IT puts in place, when users are restricted, they find ways to circumvent controls. This is not necessarily out of malice, but often because they believe IT should be an enabler, and the users have tasks they need to complete. As Bring Your Own Device (BYOD) becomes commonplace, the war between IT and users only worsens. Organisations understand that continuously fighting this is a losing battle, and what is required is a proactive approach that gives users what they want in a managed way, such that IT can still implement best practices for support and security.
For almost 10 years, Gartner has promoted the Managed Diversity Model for BYOD and Choose Your Own Device (CYOD)*. This Information Technology Infrastructure Library (ITIL) compliant model presents three service choices available to users within the organisation, ranging from the traditional ‘IT controls and manages everything’ device to the ‘user free-for-all’ device. Together with a high quality Network Access Control (NAC), offering this choice need not come at the expense of security. Along with each choice comes a corresponding set of responsibilities, controls and security levels. The word ‘choice’ is important here – the users should be able to decide which of the three service choices they would like with full knowledge as to the trade-offs of each choice.
The Fully Managed Devices choice is the traditional ‘corporate’ model, where IT decides on the device, purchases it, takes full responsibility for security and support, and implements whatever controls they feel are required to take on these responsibilities. Technology that is required by staff members to do their job should be (and in many jurisdictions is legally required to be) made available to them in the form of a Fully Managed Device. Commonly, the Windows PC or laptop would be in this category. In some organisations, a particular mobile phone and/or a specific tablet may also be available to staff. IT will typically select a minimum number of devices in this category in such a way that the full gamut of workers’ needs is covered, at an appropriate cost. They will select devices which they know they can manage securely and support (or outsource support of). Procurement and ownership of the devices ultimately remains with IT.
When IT owns and controls the device, security is relatively straightforward. Together with NAC such as Forescout CounterACT®, using an agent or an agentless approach, control over devices is available and devices become inherently trusted. Fully Managed Devices in the Diversity Model become fully managed devices from the NAC’s point of view. NAC policies can be used to ensure security measures are in place and the device is configured as it should be, not running applications it should not be, is up to date and patched and used by the people who should be using it. Devices which do not meet the strict control criteria set forth by IT is, by definition, not a Fully Managed Device according to the Diversity Model, and consequently restricted from accessing the network by the NAC, therefore preventing the horizontal spread of security concerns.
Stay tuned for our next blog post in the series where we discuss the Semi-managed Service offering, where users are given more choice, but also more responsibility.
*To find out more about Gartner’s Managed Diversity Model:
Use Gartner’s Managed Diversity Model for BYOD and CYOD to Manage and Safeguard Users, IT and the Business
25 August 2015 G00276989
Analyst(s): Rich Doheny | Ken Dulaney