Tuesday 11 September 2012

BYOD was killed by her father



A year ago I gave a talk on how to look at your internal (client) network; at that time the word BYOD was still in its mother's womb. My point then was that your internal client network is just an extension of the Internet.
I know what you think: Dude, he's crazy...

So how did I get to this conclusion?
The combination of device and user determines which information is accessible.

Today you have laptops on your client network connecting to all the services, and thereby to the information, that are accessible to that user with that device.
When that device and user are travelling, you have put controls in place (disk encryption, VPN) so that this specific device and user combination is given the same access to information as when sitting in-house.
That device connects to the office over a network we would class as the Internet (hotel WLAN, 3G or, worse, the DEF CON network). The device is exposed to every kind of evil and should therefore be secured for that environment. Otherwise you, as an administrator or even CIO, should not give that device and user access to the information.

You have already started policy work that says: if the following controls are in place on the device and for that approved user, then it is OK to access this information.

OK. Let's take another example: the smartphone.
Maybe you have a policy that says it is OK to check your mail on your phone if the transport is protected with a certificate and the user can present the right credentials.
Again that device is exposed on the Internet, and again you give that device and user access to certain information.
Depending on how far you can enforce controls on that device and user, they get access to a corresponding set of information.

One last example: the Internet user.
No device control and no user control gives access to the company website and the ability to send mail to your company.

Why is this different from your internal client network? I know the objections:

  1. Company brand. You need to protect your brand, your face towards the Internet. If a botnet is operating from your domain or your IP addresses, it is bad for the company brand, so controls to protect the brand must be in place.
  2. Secured network. A client network where you have full control over the devices and where all devices are stationary: administratively fully controlled.

This leaves us with the following:
A device that is OK to access information externally, and so is OK to be exposed to the Internet, can also coexist with devices under no control on your own network: an extension of the Internet, a.k.a. the guest network. You just put the same controls into effect. Is our brand safe? Is this a secured network? Can I validate the device? Can I validate the user? Depending on the answers, you give access to the corresponding information.
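To make that decision rule concrete, here is an added example (my own code, not from the original post): a small policy evaluator that grants each information class only when one of its required control sets is fully validated, treats network location as just another control, and answers the brand question first by quarantining anything that reaches the Internet from our address space without egress filtering. The control names, information classes and thresholds are illustrative assumptions; the requests mirror the post's travelling laptop, smartphone and Internet user, plus a BYOD device on the office LAN.

```python
from dataclasses import dataclass
from enum import Enum


class Control(str, Enum):
    """Controls that can be validated for a request (names are illustrative, my own)."""
    DEVICE_MANAGED = "device.managed"                # enrolled, administratively controlled device
    DEVICE_DISK_ENCRYPTED = "device.disk_encrypted"
    DEVICE_CERT = "device.cert"                      # device authenticates with a client certificate
    USER_PASSWORD = "user.password"
    USER_MFA = "user.mfa"
    TRANSPORT_VPN = "transport.vpn"
    TRANSPORT_TLS = "transport.tls"
    NETWORK_CONTROLLED = "network.controlled"        # stationary, administratively controlled LAN
    BRAND_EGRESS_FILTERED = "brand.egress_filtered"  # egress filtering and abuse monitoring


# Alternative control sets that reach the in-house level of access: a managed,
# encrypted laptop over VPN with MFA, or a managed desktop on the controlled LAN.
# Different controls, same information: that is the post's point.
_IN_HOUSE = [
    {Control.DEVICE_MANAGED, Control.DEVICE_DISK_ENCRYPTED,
     Control.TRANSPORT_VPN, Control.USER_MFA},
    {Control.DEVICE_MANAGED, Control.NETWORK_CONTROLLED, Control.USER_PASSWORD},
]

# Information class -> list of alternative control sets. A class is granted when
# any one alternative is fully present (an OR of ANDs). Classes and thresholds
# are assumptions for this example, not the post's policy.
POLICY = {
    "public_website": [set()],
    "inbound_mail": [set()],
    "mailbox": [{Control.TRANSPORT_TLS, Control.DEVICE_CERT, Control.USER_PASSWORD}] + _IN_HOUSE,
    "internal_services": _IN_HOUSE,
}


@dataclass(frozen=True)
class Request:
    who: str
    controls: frozenset              # controls actually validated for device + user + path
    uses_our_ip_space: bool = False  # traffic reaches the Internet from our addresses


def evaluate(req: Request) -> frozenset:
    """Return the information classes this device + user combination may access."""
    # Brand first: anything talking to the Internet from our address space must sit
    # behind egress filtering, otherwise it gets nothing (quarantine), whoever the user is.
    if req.uses_our_ip_space and Control.BRAND_EGRESS_FILTERED not in req.controls:
        return frozenset()
    return frozenset(
        cls for cls, alternatives in POLICY.items()
        if any(alt <= req.controls for alt in alternatives)
    )


def missing_for(req: Request, info_class: str) -> frozenset:
    """Smallest set of additional controls that would unlock info_class (policy work input)."""
    gaps = [frozenset(alt - req.controls) for alt in POLICY[info_class]]
    return min(gaps, key=len)


# Constructed requests (not real data) mirroring the post's examples.
REQUESTS = {
    "travelling laptop": Request("alice", frozenset({
        Control.DEVICE_MANAGED, Control.DEVICE_DISK_ENCRYPTED,
        Control.TRANSPORT_VPN, Control.USER_MFA})),
    "in-house desktop": Request("bob", frozenset({
        Control.DEVICE_MANAGED, Control.NETWORK_CONTROLLED,
        Control.USER_PASSWORD, Control.BRAND_EGRESS_FILTERED}), uses_our_ip_space=True),
    "smartphone": Request("carol", frozenset({
        Control.TRANSPORT_TLS, Control.DEVICE_CERT, Control.USER_PASSWORD})),
    "internet user": Request("anonymous", frozenset()),
    # Unmanaged device on the office LAN: NAC puts it on a filtered guest segment,
    # so it never earns NETWORK_CONTROLLED and ends up with Internet-user access.
    "BYOD on guest LAN": Request("dave", frozenset({
        Control.USER_PASSWORD, Control.BRAND_EGRESS_FILTERED}), uses_our_ip_space=True),
    # Same device on an unfiltered segment: brand is not safe, so it is quarantined.
    "BYOD on unfiltered LAN": Request("dave", frozenset({Control.USER_PASSWORD}),
                                      uses_our_ip_space=True),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:24} -> {sorted(evaluate(req)) or ['(quarantined)']}")
    print("smartphone needs for internal_services:",
          sorted(c.value for c in missing_for(REQUESTS["smartphone"], "internal_services")))
```

The two alternatives in _IN_HOUSE are what makes the laptop in the hotel and the desktop in the office interchangeable, and the guest-LAN case shows why the physical network adds nothing on its own: without device control it is scored exactly like the Internet user.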

The discussion in the IT community is about how to handle BYOD devices.
Well... what controls do you have in place? If you know that, you know what information that device and user will have access to.

That's why BYOD was killed by her father: because he thought he could give all information to a device and user with no control.