Lessons from campus are fundamental to managing consumerization of IT

More devices, running more operating systems, have become the latest headache for IT security practitioners. Concord, New Hampshire-based Bradford Networks – which began by selling its solutions to private boarding schools – has more than a decade of experience helping its higher education customers tackle this consumerization conundrum.

Now the majority of Bradford’s revenues come from outside the higher education sector, but the lessons it has learned in helping these customers manage consumer-based devices are invaluable, according to Frank Andrus, the firm’s CTO.

“The same issues that were in the higher education space are now bleeding over into the enterprise space”, he told Infosecurity. Andrus draws a parallel between what is happening now in business and government and what occurs each and every fall on a college campus.

But even the environment in the education sector has evolved, Andrus commented. Whereas four or five years ago, most students arrived on campus with just one personal device, nowadays they come equipped with numerous IP-connected gadgets, all requiring access to the institution’s networks and resources. This trend, Andrus continued, is invading the enterprise as well – albeit a bit more slowly.

It’s not just the devices themselves that are proliferating, but the operating systems as well, said Andrus. He observed that most devices used by students just five years ago – perhaps up to 90% – ran on Windows, but this has changed drastically to the point where he feels that up to 85% to 90% of students now use devices running the Mac OS. As these students graduate and enter the workforce, they look to use “devices they are familiar with”, Andrus added. “It’s pretty amazing to see this change.”

The convergence of multiple devices, with multiple operating systems, is a challenge that educational institutions treated as a fact of doing business. Outside the education space, the permissiveness of the IT department operates quite differently – but not for long, Andrus predicted.

“It’s not just about letting devices on the network”, he said. “The issue becomes: What is a corporate-owned asset these days?”

The problem for enterprises, Andrus continued, is their out-of-date usage policies, which dictate what can be done with corporate-owned devices. But with many devices on the enterprise network now being owned by employees, the lines between personal and corporate ownership/use have been blurred.

One of the first tools to combat the risks surrounding the consumerization blitz is the segregation of networks, a lesson that higher education institutions learned quite some time ago. Andrus cited as an example how educational institutions divide themselves into two separate networks: one for students and another for faculty.

Another suggestion Andrus made was to start thinking about a change toward device-based authentication, and not just user-based. He suggested a two-tiered strategy that, first, verifies the user and then verifies the device.

“Most authentication on the corporate side is still about the user, not about the type of device they are using”, he said. “Before we just assumed it was a corporate-owned asset...now you can’t guarantee this assumption, so you have to take into consideration the device, its physical location, and the user” when formulating an updated corporate network access policy.

“We have taken a lot of our experience from higher education and built solutions around it, and we have found that the same solutions are needed on the enterprise side”, Andrus noted. “Things that enterprises are dealing with now are the same things that higher education has been dealing with for the last decade or so.”
