Security appliance firms are using the big industry push towards cloud services, and the trend of allowing staff to bring their own devices into work, to sell technology that attempts to fix the resulting security mess. ForeScout Technologies launched a scheme to sell its CounterACT Network Access Control (NAC) technology as a …
What happens if you can palm the bouncer a twenty and have a larf anywhere you want?
And by that, I mean, the more complex and lengthy the code, the more likely it is that an overworked corporate stooge decided to cut some corners and make some mistakes. And then suddenly one chunk of Perl later and a clever 16 year old has remote root on boxen on your network.
This kind of security measure is a house of cards, and really, it's only thanks to built-in protections in hardware that we're not overrun with new buffer overflows every day.
Poor configurations set up by idiot systems administrators, bad code by stupid programmers, and moronic users in general are the problem, and no matter what you have installed, they'll find ways to mess it up.
Sorry, but I'm tired of people selling us snake oil.
AC, because I can.
I use one of the NAC solutions listed above. The issue with implementation is security vs. usability. My NAC gets AV vendor/version updates monthly... for most vendors. The problem is that when supporting early-adopters, the rules on the NAC have to be relaxed because the latest update on the consumer side ALWAYS precedes the ruleset update on the back end.
It's very hard to tell users they have to keep current on their AV, protect their passwords, etc... and then turn around and tell them that they can't upgrade to the latest version for another 4 weeks. Especially on their personal devices.
Still loses me
How on earth can an organisation with even a passing interest in security allow employees to attach whatever computer they like?
Perhaps I come from an organisation that is more retentive about security than most (NHS) but this is so patently a bad idea from the start. We have had calls from various people who feel that it is terrible that they can't attach $SHINY_THING_OF_CHOICE to our network but the answer has to remain a simple "no" whoever they are. No personal phones, iPads, laptops, USBs, netbooks or even boot CDs. We want to remain secure.
A different question...
Why do employees want to bring their shiny devices to work?
Phones I can understand for calendar sync and mobile email. Calendar sync should be easy though mobile mail is more difficult to do properly. Webmail over a VPN through a firewall is probably the way to go here to keep things clean and easy.
But laptops, as indicated in the article? That tells me that the company kit is rubbish. The CPU is rarely the issue, so what we are usually talking about is the screen, keyboard and mouse.
No problem with users bringing those in, though I would say that a good screen will probably pay for itself with enhanced productivity. Go for a couple of 19-24" each - they aren't expensive compared to an employee. A decent mouse & keyboard is also a fairly low-cost option which makes people feel important. I've seen quite a few (Dell?) detachable keyboards which have all the grace of 1980s tech with none of the nice clickity-click feel. They are like typing on a corpse. Yuck.
Think of the kit as a slightly higher recruitment cost.