15 Replies Latest reply on Jan 21, 2014 2:52 AM by tspwayne

    Can You Bring Your Own Patches?

    Tom Hollingsworth

      I've got several devices that I use frequently.  Smartphone, tablet, and laptop are all frequently used devices.  When I spent my time working at a VAR, I saw examples of all these devices being brought into the environment.  One problem - sometimes they didn't play well with patch management.

       

      Most corporate IT environments use Windows as the "approved" operating environment.  It's easy to manage and configure.  Most people learn how to use Windows as their first computer.  Microsoft has written several tools to help manage Windows ecosystems.  But users don't always want to have the corporate laptop.

       

      Bring Your Own Device (BYOD) has caused an explosion of IT assets that aren't necessarily friendly with the corporate plan.  I used a Macbook in a Windows shop.  Before that, I ran a Linux desktop in a very locked-down Active Directory network.  Both times I had to take care of my own patching.  Which is fine for an IT person like me.  But what if the user isn't computer savvy?

       

      How can IT enforce patches on systems that they don't technically own?  I've seen all kinds of crazy quarantine systems and network access policies that prevent non-corporate devices from accessing the network if they aren't running agents or detection software.  But does that really help when more than half your workers are bring the systems they feel the most comfortable using?

       

      IT needs to help enable knowledge workers to accomplish tasks quickly and easily.  If that means that those workers are going to use a tablet instead of a Windows laptop then that is the way things need to be.  That doesn't mean that the security of data inside the organization should be at risk due to spotty patching practices.  Do you want to see medical records leaked publicly because someone keeps delaying a patch reboot?  Laugh, but people delay that little prompt all the time.  And on a non-corporate asset, how can you enforce reboots and patch installations?

       

      There have been "solutions" before.  I can remember seeing Network Access Control (NAC) demos that forced users into quarantine areas to remediate their issues.  These were all cumbersome and manual affairs.  And how are you supposed to keep with zero-day outbreaks?  There was a time when Apple decided to block execution of Java to prevent an exploit.  The problem was the version number that Apple specified was above the currently released version.  Java wouldn't function until that little gaffe was fixed.

       

      How are you handling patch management for your BYOD devices?  Are you enforcing something via network policy?  Are you leaving it up to the whims of the user?  Or have you decided to build a perimeter around your user-facing edge to prevent disaster from striking?

        • Re: Can You Bring Your Own Patches?
          byrona

          We manage BYOD by only allowing the use of non-company issued and supported systems on an isolated network.  Most of our critical resources can be accessed from that network as most of our critical resources are web based, if they need access to all company resources they can establish a VPN and access a company provided terminal server.  This seems to provide a good balance of flexibility for BYOD while still having a good separation for the necessary security.

          • Re: Can You Bring Your Own Patches?
            th3cap3

            I do not directly manage patches for my devices here at work or any BYOD type scenarios either. However, if I were in such a position, I would have the BYOD stuff all on a seperate network much like Byrona mentioned above. Not only would it help isolate devices that may not be up to scratch on patches, anti-virus, etc..., but could also help to keep unauthorized users out of the more important areas of my network.

             

            For devices that are on the internal network, there would have to be control over current patches, software installed, etc... As sys admins, we can't trust our users will do the right or proper thing, however some IT professionals should have a little more wiggle room however as they should know and understand the guidelines for the network and follow them as it applies to their OS/device of choice (some people are more productive in a certain OS since they know it better, or they have found OS specific tools to be very handy). There should still be some approval/testing of the devices and such before being allowed to be used as well as restrictions on what systems can be access by them.

            • Re: Can You Bring Your Own Patches?
              fitzy141

              In past companies were in lockdown modes .. only trusted devices were allowed on our trusted vlans , other devices were regulated to guest vlans which were restricted from accessing networks with in certain vlans. I hated this approach but understood why it was in place ..

               

              We are a mixed shop of windows and apple workstations and laptops - we have multiple phones , tablets and are looking at ways to manage those devices on the network.

              • Re: Can You Bring Your Own Patches?
                Alen Geopfarth

                In our environment BYOD is verboten. We issue iPhones as corporate phones and iPads as our corporate tablet. At this point I would consider anyone allowing a use of Android operating systems in their network as a bad idea because Android stores all wireless passwords and is probably transmitting that information back to Google. Google knows nearly every Wi-Fi password in the world | Computerworld Blogs

                 

                For other systems in our network, Oracle servers running on Linux, we have taken to opening the servers to the internet in order to pull down the patches directly and then turning off that access again. It is kinda bulky but allows us to manage the patching on the limited number of servers not running Windows. I think this would be very difficult to manage for end users however.

                 

                A policy that  restricts what someone can use in a BYOD environment is probably best. If anyone can bring anything to the party, you end up with an uncontrolled rave going on with little or no parental supervision.

                • Re: Can You Bring Your Own Patches?
                  Aaron Denning

                  As far as i know we dont have a BYOD its all Dell machines and we have a patch manager server that does everything for us. i do know that a few people have got the ok to use a Mac but those are so few that im sure even those guys have to have there patches pushed to them from someone in the company. but as long as your using windows update or whatever Mac uses for patches i say whatever and bring in what your comfy with, especially here we have 19 different sections that do 400 different things so each person has there own personal taste.

                  • Re: Can You Bring Your Own Patches?
                    syldra

                    How are you handling patch management for your BYOD devices?

                    We just rewrote our TI Policy and BYOD is out of the question for the moment. I just don't have enough time our resources to address this in a safe way so we're out.

                     

                    Are you enforcing something via network policy?

                    We eventually want to move to a open-public-internet-only/whitelisted-private-full-lan-access type of network so we may end up allowing employees to bring their devices, but with no corporate data. You need a tablet ? Prove it, we'll allow it and issue it, else, keep your laptop.

                     

                    Are you leaving it up to the whims of the user?

                    Not owning the device means there is not much we can do in way of forcing anything upon the users.

                     

                    Or have you decided to build a perimeter around your user-facing edge to prevent disaster from striking?

                    That is what we want to avoid.

                    • Re: Can You Bring Your Own Patches?
                      Kurt H

                      Our company is trying to get a better handle on BOYD devices. We are now using a Central Management Server to verify the BOYD devices are compliant with the companies standards. If they are not it pushes the required items to bring them up to standards. Very good system, and solves a lot of headaches.

                      • Re: Can You Bring Your Own Patches?
                        bsciencefiction.tv

                        Our company quarantines devices until security verifies the patch level and depending on the product adds some applications to protect the network.  Also we are testing Windows to Go which should alleviate some of the issues.

                        • Re: Can You Bring Your Own Patches?
                          freid.42

                          The BYOD policy here is to allow access to the visitors network, which is segregated from the internet network. No user device can access internal networks.  Then we put a container on the device that allows access to the users emails and a mobile browser. Needless to say we only allow BYOD for the cell phones, and mostly that is just for voice.

                          • Re: Can You Bring Your Own Patches?
                            cahunt

                            We have a visitors network as well. Only institution devices on our internal wireless and wired networks. The phones are a bit different, as many techs and users input the wifi into their own phones. So we have a manual black hole process for any offenders. We just add their MAC to the wireless controllers to block the connection.

                            For internal machines we do the same, but it is a drop of the MAC on the subnetwork/Vlan from the distribution level. So if they move floors usually they can reconnect. Hopefully infosec has the MAC Flagged at that point because a new floor will be a new IP.

                             

                            Patching for user devices relies on the user; as help for non institution devices is a best effort from our technicians. Hit or miss depending on the users understanding. We keep up our own machines whatever type it is; and Server updates are managed by the Data Center Teams, open systems or Windows.

                            • Re: Can You Bring Your Own Patches?
                              Scott Sadlocha

                              We are still working on it where I am currently at. Right now, we primarily allow only company devices on the network. In the few cases where non-company assets are allowed on the network, our Field Techs take the device and install several pieces of standard software on it (Endpoint Protection, etc.). So, in a way, we take control of the asset a bit. Also, we employ Cisco ISE/NAC on all of our ports, and access is not allowed until certain criteria are met. This can be a pain sometimes, but it does get the job done. We also have a BYOD Wireless and Guess Wireless network, but these are in the early stages, and as part of the security team, one of our goals is to define a BYOD policy and procedure in the coming months. I feel that, if it is going to be allowed, a defined policy is an absolute must so that there is no ambiguity.

                               

                              At my previous company, we had a Guest Wireless network, but that was about it. It had no access to company assets. The policy was not to allow non-company assets on the network, and this was strictly adhered to, so it was not an issue.

                                • Re: Can You Bring Your Own Patches?
                                  jspanitz

                                  My experience has been that most users would have very little idea or ability to keep their devices up to date with the latest and greatest and fully depend on the device manufacturer to do it for them.  Even then some of them never apply updates (ahem, os x users) and others jump on them the second they show up (ahem, iphone users) .

                                   

                                  So we had one unusable nac solution that was overbearing and required a full time person to run it and it never got out of the test phase.  We finally dumped it and obtained another product that has worked phenomenally well.  We are still rolling it out but in the end Guests will continue to be on an isolated network and BYOD will be segregated to their own network with limited access depending on their role and their devices security posture.

                                • Re: Can You Bring Your Own Patches?
                                  supermon

                                  We allow BYOD via VDI. The VDI is in our secure environment and can be accesses by your personal computer. Phone/Tablets are handled via MDM.

                                  • Re: Can You Bring Your Own Patches?
                                    tspwayne

                                    We do not patch BYOD as they only really need to use one program which is citrix app, which they can log into a desktop which is then remote access and is governed by group policies etc.