The City of Guelph’s BYOD—Bring Your Own Device—policy for employees gave rise to a need for deeper visibility of all possible devices that employees and contractors might connect to the corporate network, as well as a need to meet regulatory requirements such as PCI-DSS.
The BYOD policy at the City of Guelph, in Ontario, was a joint initiative driven by the human resources and IT departments in recognition of the added benefit that using personal devices in the workplace would render employees, said Shibu Pillai, network security specialist with the City of Guelph.
But that degree of device freedom on the corporate network meant the existing IT infrastructure could not provide the level of visibility and security that the IT department wanted.
“Sometimes the device had already connected and disconnected and we didn’t know what they did,” said Pillai.
The reactive approach afforded by the previous homegrown system, said Pillai, was such that, when an employee would accidentally connect a personal device to the network, IT admins would shuffle around a manual process that entailed correlating information and then contacting the employee to notify them they violated the company device policy.
With the implementation of network security technology from Cupertino, Calif.-based ForeScout Technologies Inc., Pillai said, the IT department now creates security policies per user and device type and then relies on the automated capabilities for dealing with patch updates and breaches.
“There’s tremendous amount of reduction in administrative effort—the hours that we put in it—(and it) also really augments our security effort that we put into the security network,” said Pillai, estimating a savings of five to 10 per cent in man-hours per week.
Scott Gordon, vice-president of worldwide marketing with ForeScout, said the combination of better visibility and automation in network security is important for organizations, public and private, such as the City of Guelph, given the need to safeguard employees as well as its large body of contractors who bring their own devices to work.
The ability to measure and react to security threats especially as organizations must accomplish more with less funds is particularly important as they must also deal with the consumerization of IT, said Gordon. “This way, it better manages the risk,” said Gordon.
Moreover, he added, the challenge for many is applying security policies across what is often a complex network.
Before the implementation, it was never really clear whether security policies were properly enforced, Pillai said. “We had to consistently be in touch with the business and department heads and remind them,” he said.
Now, the City of Guelph has a “deeper posture check” between security profiles such that, for instance, an antivirus update can be applied as specified by a particular policy, said Pillai.
As for alien devices on the network, Pillai said the IT department is no longer in the dark as to what sort of device it is and what it might be up to. “If it is a corporate device, it is allowed on the corporate network. If it is a non-corporate device, it is allowed on the guest network,” said Pillai.
Users of guest devices, such as contractors, are prompted for credentials and have their activity monitored for as long as they are on the network.
Follow Kathleen Lau on Twitter: @KathleenLau