Original URL: https://www.theregister.com/2011/10/12/mobile_devices/

Round up those wireless devices before they cause trouble

Stand up to consumerisation

By Trevor Pott and Iain Thomson

Posted in On-Prem, 12th October 2011 10:19 GMT

Shiny new mobile gizmos are driving the consumerisation of IT. As a systems administrator, I am naturally wary.

Sure, it makes end-users happier, but they aren’t the ones who end up in front of the firing squad when security gets breached.

Users don’t care about security. They never have and they never will; it is an inconvenience to them.

Art of deception

Users view security in any form as either an impediment to productivity or an attempt at empire building. You can hold 1,000 seminars and try to educate them all you like but you won't change their minds.

So security must not be obvious. It has to lurk stealthily in the background where users don't notice it. And with the increasing use of consumer IT, this is forcing a change in network design.

Some users will consent to having their personal devices managed by mobile device management (MDM) software.

These are the people (treat them kindly) who make your life easier. Their acceptance of such programs minimises the possibility of you getting fired or going to jail to pay for end-user obstinacy or stupidity.

Perimeter patrol

These users – and their properly managed devices – can be allowed to play with the grown-ups and their devices treated as full-blown members of the network. They can use data locally on the device and their connection point into your network can occur behind the front-line defences.

What about the rest, the ones who probably got the whole consumerisation ball rolling in the first place through a protracted campaign of wailing and gnashing of teeth? They are least likely to agree to participate in a MDM scheme.

You have to have a plan to deal with refuseniks and troublemakers

If the IT department has been pushed into consumerisation, then it probably does not have the right to set corporate data security policy and cannot simply make acceptance of MDM software a requirement. So you have to have a plan to deal with refuseniks and troublemakers bearing untrusted endpoints.

Untrusted devices obviously can’t be allowed behind the perimeter defences, so you need to build out a set of connection points just outside your perimeter.

As most of the consumer devices brought into workplaces are mobile, the obvious choice is 802.11n Wi-Fi points. However, 4G usage is picking up, which means that very soon a goodly chunk of your network accesses will be coming across your internet links as well.

You have to bear in mind that users are likely to be doing more with those devices than simply holding an RDP connection into their corporate virtual machine.

They will be streaming media all day long – often the prime motivator behind consumerisation schemes in the first place – and using their local systems to perform internet research that is "faster" and "more familiar" when done on their personal device.

Over the edge

This means that each of these devices is going to be a big bandwidth draw. Combined with the increased internet demand from staff and customers, the edges of our networks will see an increased demand for capacity.

The day where we can demonstrate a real need for intrusion detection, firewall and packet inspection gear overseeing edge networks running at 10Gbit Ethernet (10GBE) is upon us. This requires an upgrade to our perimeter systems and an overhaul of the network to cope with demand.

Like virtualisation and cloud computing, the consumerisation of IT is not going away.

We can resist it for a time, but eventually we will all be trunking 10GBE out to the firewall. ®