Working with privately owned, untrusted computers in corporate networks
Can we work with untrusted, unmanaged computers in our networks? For the past few years there has been a shift in thinking about the management of client computers. The well-managed client paradigm is being replaced by the data-protection paradigm: it is not the integrity of the client that we should protect, but the data. Why is this important?
- Organizations are confronted with a growing number of privately owned laptops and devices. People, especially Gen Y, tend to choose their own equipment: you decide what is good for you.
- The productivity loss that comes with automatically cutting non-compliant computers off from network resources (as Network Access Protection does) will be unacceptably expensive, while most of the time the workers cannot be held personally responsible for working on a non-compliant computer;
- It is really hard to manage all devices. Take printers, for instance: most multifunction printers run an operating system, without any anti-malware software.
- Client protection comes with banning certain capabilities. Unless you work with highly sensitive or secret data, cutting off digital possibilities and opportunities will stifle improvement and innovation initiatives;
- IPv6 restores direct end-to-end connectivity and carries IPsec as part of the protocol suite (its use is optional, but where it is enabled the traffic is encrypted between the endpoints), so client-to-server and client-to-client traffic can be direct and IPsec-protected. Computers are able to exchange data directly, without using the corporate (wireless) network. Inspecting that data in transit will be extremely difficult in some cases.
- I can surely come up with more examples. The point is: the network itself, and client devices in particular, cannot be trusted. A common way to deal with this problem is to
When we build on-premises networks like this, we act just like any internet-based provider of applications, systems or network services.
The question is: should we avoid managing client computers and devices at all? Nowadays we provide network users with a desktop and applications that are completely centrally managed. We have decoupled the operating system from the hardware, and the desktop and applications from the operating system. We deliver applications the same way to any endpoint: desktops, laptops, terminal servers, virtual operating systems. The device itself does not matter that much anymore.
An example: a managed virtualized operating system (VDI, VMware View) can be accessed in a network from an unmanaged computer. One works on this virtualized computer on premises or through an internet connection. The virtual machine can also be streamed to a laptop for “offline” work.
These solutions certainly make working with privately owned computers in corporate networks possible. The conclusion is that we can indeed work with untrusted, privately owned computers within corporate networks.