I recently presented at Forrester’s Security Forum (Twitter: #FSF09) and Forrester’s Infrastructure & Operations and Security & Risk Leadership Board meetings on how companies can make BYOPC a reality. Overall, the feedback was great! Yes, there were absolutely skeptics in the room (especially the security pros), but slowly I was able to alleviate most of their concerns. It really goes back to what I have said in the past, BYOPC is really just an advanced form of remote access. And Google, Citrix, and Cisco agreed — each had their CSO/CIO up on stage with me talking about their own respective BYOPC and consumerization programs.
Overall, here were my talking points about the necessary components to make BYOPC work:
- Device: Self-explanatory – let the user choose the device he/she wants to use
- Desktop and application virtualization: This is how you deliver applications and desktops environments to unmanaged devices. When possible, using hosted desktop and application virtualization will deliver best results as you can just have users access their desktops/apps over any network connection. For users that are mobile and can’t be guaranteed a network connection, local desktop and application virtualization will do the trick.
- VPN: First and foremost, with BYOPC, all users should be considered un-trusted. This means that they should never connect directly to the LAN. With that said, a VPN is how you give secure access from the user’s PC to the datacenter hosted desktops and apps – it will also make sure that all connecting PCs abide by your security policies, such as up-to-date AV. VPNs are not new to any of you as these technologies have been used for years to give remote workers, contractors, etc. access to corporate resources. Now, we will just use the technology more broadly. My recommendation is an SSL-VPN to prevent the required install of a client.
- DLP: Data leak prevention tools should be used to protect the data where it lives. So, this means putting rules in place on the data in your employees’ VMs (either hosted or locally installed) about what the user can do with it. For example, making sure that confidential information can never be removed from the VM and brought down to the user device.
- Client management and security: Using your standard client management and security tools, you can make sure that all VMs look identical to your managed machines. So, companies will need to use client management to configure, patch, etc. the VMs (both hosted and locally installed) that the users work on, and client security will remain in place to secure those VMs. The only thing to keep in mind is that client security now needs to be in two places – the VM and the BYOPC.
Using these five components will make BYOPC possible – and most attendees, after some initial hesitation, agreed. The best quote from an attendee from a financial services company was this: “If BYOPC is a competitive advantage today [because it has been known to help with recruiting and employee satisfaction], it will be a requirement tomorrow.” I couldn’t have said it better myself.