Bring Your Own Everything at the Most Secure Facilities

By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article written by my colleague Jim Hansen. It seems that our BYO challenges are not over, and Jim offers some great steps agencies can take to help with these issues.

In 2017, the Department of Defense (DoD) released a policy memo stating that DoD personnel—as well as contractors and visitors to DoD facilities—may no longer carry mobile devices in areas specifically designated for “processing, handling, or discussion of classified information.”

For federal IT pros, managing and securing “allowable” personal and government devices is already a challenge. Factor in the additional restrictions and the real possibility that not everyone will follow the rules, and mobile-device management and security can seem even more overwhelming.

Luckily, there are steps federal IT pros can take to help get a better handle on managing this seemingly unmanageable Bring Your Own Everything (BYOx) environment, starting with policy creation and implementation, and including software choices and strategic network segmentation.

Agency BYOx Challenges

Some agencies allow personnel to use their own devices, some do not. For those that do, the main challenges tend to be access issues: which devices are allowed to access the government network? Which devices are not?

For agencies that don’t, there’s the added challenge of preventing unauthorized use by devices that “sneak through” security checkpoints.

Implementing the best practices below to support your government cybersecurity solutions can help protect against BYOx threats.

Three-Step BYOx Security Plan

Step One: Train and Test

Most agencies have mobile device management policies, but not every agency requires personnel to take training and pass a policy-based exam. Training can be far more effective if agency personnel are tested on how they would respond in certain scenarios.

Effective training emphasizes the importance of policies and their consequences. What actions will personnel face if they don’t comply or blatantly break the rules? In the testing phase, be sure to include scenarios to help solidify personnel understanding of what to do when the solution may not be completely obvious.

Step Two: Access Control

Identity-based access management is used to ensure only authorized personnel are able to access the agency network using only authorized devices. Add a level of security to this by choosing a solution that requires two-factor authentication.

Additionally, be sure to create, maintain, and carefully monitor access-control lists to help ensure that users have access to only the networks and resources they need to do their jobs. When establishing these access-control lists, include as much information as possible about the users and the resources (systems and applications) they are allowed to access. A detailed list could aid in discovering and thwarting fraudulent access from a non-authorized device.
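One way to evaluate access events against such a device-aware access-control list, as an added Python example that is not part of the article; the ACL entries, the log line format and the field names are constructed assumptions:

```python
# Added example: checking access events against an ACL that records, per user,
# the authorized devices and the resources they may reach (Step Two above).
# All entries and log lines below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL: user -> authorized device IDs and permitted resources.
ACL = {
    "alice": {"devices": {"gov-laptop-0142"}, "resources": {"hr-portal", "email"}},
    "bob":   {"devices": {"gov-phone-0077", "gov-laptop-0301"}, "resources": {"email"}},
}


@dataclass
class Finding:
    user: str
    device: str
    resource: str
    reason: str


def check_event(user: str, device: str, resource: str, mfa_ok: bool) -> Optional[Finding]:
    """Return None if the event is allowed, otherwise a Finding naming the failed check."""
    entry = ACL.get(user)
    if entry is None:
        return Finding(user, device, resource, "unknown user")
    if device not in entry["devices"]:
        return Finding(user, device, resource, "device not authorized for user")
    if not mfa_ok:
        return Finding(user, device, resource, "second factor missing")
    if resource not in entry["resources"]:
        return Finding(user, device, resource, "resource not in user's ACL")
    return None


def review_log(lines: List[str]) -> List[Finding]:
    """Parse constructed 'user device resource mfa=<ok|fail>' lines and collect findings."""
    findings = []
    for line in lines:
        user, device, resource, mfa = line.split()
        finding = check_event(user, device, resource, mfa == "mfa=ok")
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one allowed event, one personal phone, one missing MFA,
# one out-of-scope resource, one unknown user.
SAMPLE_LOG = [
    "alice gov-laptop-0142 email mfa=ok",
    "alice personal-phone-9 email mfa=ok",
    "bob gov-phone-0077 email mfa=fail",
    "bob gov-laptop-0301 hr-portal mfa=ok",
    "mallory gov-laptop-0142 hr-portal mfa=ok",
]
```

Running `review_log(SAMPLE_LOG)` yields four findings, one for each rejected event, which a monitoring workflow could forward for review.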

Step Three: Implement the Right Tools

Mobile phones are far and away today’s biggest BYOx issue for federal IT pros. As a result, access control (step two) is of critical importance. That said, ensuring the following basic security-focused tasks are being implemented is a critical piece of the larger security picture:

• Patch management – Patch management is a simple and effective security measure. Choose a product that provides automated patch management to make things even easier and keep your personnel’s devices patched, up to date, and free of vulnerabilities and misconfigurations.

• Threat detection – Users often have no idea their devices have been infected, so it’s up to the federal IT pro to be sure a threat detection system is in place to help ensure that compromised devices don’t gain access to agency networks.

• Device management – If a user tries to attach an unauthorized device to the network, the quicker the federal IT pro can detect and shut down access, the quicker a potential breach is mitigated.

• Access rights management – Provisioning personnel, deprovisioning personnel, and knowing and managing their access to the critical systems and applications across the agency is necessary to help ensure the right access to resources is granted to the right people.

Conclusion

Sticking to the basics and implementing a logical series of IT and end user-based solutions can help reduce the risk of mobile technologies.

Find the full article on our partner DLT’s blog Technically Speaking.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.

11 Comments
Level 13

Thanks for the update. I don't work in this space but it's always interesting to hear about the challenges and approaches taken to try to address those challenges.

Level 14

Thanks for the article!

Level 15

Enjoyed the post. I too do not work in this space but being in a public infrastructure (healthcare) these types of scenarios do cross over. Always nice to know what the other guys are doing. Thanks!

Level 12

This is a good review but it focuses on protecting from foreign devices being introduced to a network. A smart phone or a device of similar capability such as an iPod Touch can be used to record conversations or photograph documents and screens. Who remembers the false missile warning in Hawaii last year? Months beforehand a reporter took a high-resolution picture of the Emergency Operations Center, including the computer used to send the alert, with sufficient resolution to read the password on a Post-It attached to the monitor. Your average phone camera would need to be much closer to get a legible image, but people need to be on the alert for anybody with an unauthorized device to prevent such a breach of security.

Level 16

Thanks for the write up.

Level 16

While they do allow people to use their smart devices in most of the areas I work, there are areas where you can't have them out or use them because of concerns about the camera in the device.

I remember a few years back someone took pictures at one of the big 3 automakers of some of the car designs that were still in prototype. I heard no cameras allowed anywhere there now.

Level 20

We've never been allowed to take any mobile devices into these areas... even way before 2017... basically never. Lock boxes outside closed areas have been the norm since mobile devices were developed. This isn't new at all.

MVP

Thanks for the article!

MVP

Bring your own is somewhat new to the IT field, but in many other fields people bring their own tools to work and this area will soon have that as a standard as well.

Level 13

Thanks for the Article

Level 12

This article is very interesting and highlights to companies like the one I work for some negative aspects of having their employees take personal equipment such as laptops or smartphones and let them connect to the company network, making the devices of external consultants connect to the same company network used by employees, and letting the devices connect on the same subnetwork.