Re: [Fed-Talk] Re BYOD
- Subject: Re: [Fed-Talk] Re BYOD
- From: Ron Colvin <email@hidden>
- Date: Fri, 22 Feb 2013 14:04:03 -0500
If we stick to iOS- and Linux-like in-channel update mechanisms, are the
resources required to vet loads worth it? If everything that is
installed on the device comes from upstream, on a device that you are
willing to trust enough to have in your users' hands, I think that may
be sufficient for some level of generic use in the Enterprise. Depending
on the Enterprise email system, many MDM settings can be implemented
through ActiveSync for data protection and device protection against
common events. That same mechanism can be used to monitor and require OS
updates as well. I would prefer to do checks against unusual traffic and
services rather than using lots of effort to lock down devices. If the
personal or Enterprise device is configured in such a way that the average
user has to carry two or more, segregation of duties starts getting
problematic on the devices.
On 2/22/13 1:30 PM, Neely, Lee wrote:
IMO (Yes Opinion) - I'm fond of a container for BYOD as it can be the hard boundary to protect our corporate data/contacts/etc. And from there I don’t have to care much about the device, nor do I want to fight with the user over forcing a password or encryption, or... (I'm dead set against allowing BYOD or GFE rooted/jailbroken devices, and prefer to not allow buggy/unsupported OS loads - but that's me.)
Lee
Lee Neely, CISSP, CCUV
Lawrence Livermore National Laboratory
Cyber Security Program
7000 East Ave L-315
Livermore, CA, 94551
-----Original Message-----
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden] On Behalf Of Ron Colvin
Sent: Friday, February 22, 2013 8:21 AM
To: Marcus, Allan B
Cc: email@hidden
Subject: Re: [Fed-Talk] Re BYOD
While I have no doubt that in many cases something like Good for data segregation is a requirement, I do not see it as a global requirement for Government BYOD. We really need to be looking at the data rather than the device. If the user is a climate scientist working with public data why do I need to segment the data? With appropriate data typing those things that are sensitive can go out encrypted and BYOD devices would not have the private keys to decrypt, but the user could access non-sensitive things.
We have a generation that is used to having a computer in their pocket and making it hard to use by default will lead to both loss of talent and lots of interesting workarounds that defeat controls. I want everyone's iPhone to associate with the Enterprise APs as soon as they are within range and for pull email to work for them. There are ways to do it securely and instead of impacting the user experience a better architecture to meet user expectations would be my first goal.
On 2/21/13 4:33 PM, Marcus, Allan B wrote:
I was speaking of Government Furnished Equipment (GFE).
For BYOD a solution like Good for iOS and Android seems appropriate.
The new BB has a business and personal partition built in. Just saw a
demo yesterday and it looks good. Is it enough to come back? Probably not.
--
Thanks,
Allan Marcus
Chief IT Architect
Los Alamos National Laboratory
505-667-5666
email@hidden
--
********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<email@hidden>
Direct phone 301-286-2451
NASA Jabber (email@hidden) AIM rcolvin13
NASA LCS (email@hidden)
********************************************************