Re: [Fed-Talk] Re BYOD
- Subject: Re: [Fed-Talk] Re BYOD
- From: "Marcus, Allan B" <email@hidden>
- Date: Sat, 23 Feb 2013 00:47:54 +0000
- Thread-topic: [Fed-Talk] Re BYOD
Do you have any idea how much work it is to "protect what you care about"?
I've seen three letter agencies do that. For every document saved, for
every e-mail sent, the user has to identify the data protection regime for
that data. Then you have to track that and institute rules for where data
in each regime can go. We got:
Applied Technology
Export Control Information
Naval Nuclear Propulsion Information
Reactor Safeguards Information
Unclassified Controlled Nuclear Information (UCNI)*
Official Use Only (OUO)
Personal Identifiable Information (PII)
Medical Records
I'm sure there is more. We've looked into DLP solutions for this, but there
aren't any for Mac! I can't even imagine what there isn't for iPads! :-)
Yes, we could set up a terminal services farm and have everyone compute
there, but our Linux and Mac desktop users would string us up.
--
Thanks,
Allan Marcus
Chief IT Architect
Los Alamos National Laboratory
505-667-5666
email@hidden
On 2/22/13 12:15 PM, "Peter Thoenen - NOAA Federal"
<email@hidden> wrote:
>> If we stick to iOS and Linux-like in-channel update mechanisms, are the
>> resources required to vet loads worth it? If everything that is
>> installed on the device comes from upstream on a device that you are
>> willing to trust enough to have it in your users' hands, I think that
>> may be sufficient for some level of generic use in the Enterprise.
>> Depending on the Enterprise email system, many MDM settings can
>> be implemented through ActiveSync for data protection and device
>> protection against common events. That same mechanism can be
>> used to monitor and require OS updates as well. I would prefer to do
>> checks against unusual traffic and services rather than using lots
>> of effort to lock down devices. If the personal or Enterprise device is
>> configured in such a way that the average user has to carry two or
>> more, segregation of duties starts getting problematic on the devices.
>
>TBH I'm not sure why we (NIST / government) waste the time with all this.
>Just adopt a straight BYOD environment (including full-on workstations)
>and implement a kiosk/hotel strategy, to include even making devices on your
>local wired LAN VPN in to the trusted servers/resources, coupled with fun
>stuff like Terminal Services, X Windows over SSH, XenApp, etc. etc.
>
>We are overcomplicating this trying to make BYOD mean "mobile" and mean
>"special". I know that isn't popular with the kingdom-building fiefdom
>security / system admin types, but it's always seemed to me the future
>since the private sector started experimenting with it in the early 00's.
>Protect what you care about (given our limited resources, and all of us
>Federals on this list know how tight security budgets are) and ignore the rest.
>
>-Peter
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden