Control mobile access with device management policy

Like CIOs at many organizations, Kenneth Corriveau saw the writing on the wall. The employees in his company wanted to use their own devices for work and were going to keep asking, regardless of what policy might state about using personal technology to connect to corporate networks.

"It really increased in the last 18-24 months when mobile devices started becoming more and more prevalent," said Corriveau, CIO of Omnicom Media Group, a global advertising and marketing communications services company. "About the same time, users really started going out and purchasing their own equipment. There was this shift from whatever we issued at the office was what everyone used, to having users that worked on their own personal computers at home and were saying they have a mobile device and it was their platform of choice for work. That was a tipping point when we decided we had to put a plan together."

With a presence in 80 countries and a lot of grumbling from a wide swath of users, Corriveau wanted to open up access for Omnicom employees — but he wanted to do it securely. That meant getting a handle on the visibility of all mobile devices trying to touch his network, and then implementing discreet controls that would allow people access within corporate policy limits.

Today, Corriveau's team manages approximately 10,000 nodes - everything from iPads, iPhones, Androids, Blackberries, laptops, desktops, conference room computers and more. With his current policy enforcement system in place, Corriveau notes the platform no longer matters, as long as the device is up to snuff with his policy. Here, he explains how his system works.

CSO: Where were you with device policy a few years ago?

Kenneth Corriveau: We had a policy, and still do, that only corporate devices can connect to the corporate network. But there was a tone out there; we were noticing a trend and more requests were coming through for access to the network, usually to read email, on non-standard or non-corporate devices. That was where we started to see the trend.

So, we started to have some focus groups and talk to different constituents about what would help them. Our population skews younger in our environment. That played a role as well. The younger population seems to have more of an affinity for technology, for using their own gadgets, and we knew we had to make it possible for them to do that securely.

What are you doing now to accomplish that?

We have an essentially managed environment using ForeScout's network security products and have rolled out our policies on a global basis. It impacts everything; from the edge, and how we put the active scan on the edge of our network, to how it runs inside our network.

Previous to having this network-access-control (NAC) environment, we were not allowing other devices on the network. It had to be a corporate device. We separate our networks out in guest, employee, and vendor networks and, with the NAC, what we've done is when any device connects to the network, we run a policy to ensure they have the correct virus definitions and that they are up to a certain standard, before we allow it on to our network. Previously we weren't allowing non-corporate devices onto the network. But now we are, as long as they conform to our parameters.

What happens if the device is denied access?

If it doesn't conform then IT gets a notification and works with the person trying to get connected to the network. They are put in a holding container of sorts and get a note. Then IT gets a note. Most of the time they work with employees on the help desk to update whatever definitions they need. Nine times out of ten we resolve it.

What have you had for feedback from employees and guests?

Both positive and negative. Some who understand we are offering a better service and giving more options for access now are grateful and acknowledge that it was easier than it was in the past. On the other side, you have people who don't understand why we have controls in there at all. They still ask "Why can't it just be open platforms and standards?"

What is your gauge that the policy enforcement system is working?

Our Altiris ticketing system monitors incidents and trends. We have a category in our system for security requests, network requests. We've seen the trend go up and down. The question is: do people still need to reach out to the IT group to do what they need to do? Or is there enough of a balance between the freedom to get on the network and the security that is around it? We monitor that through our system and have seen a downward trend in requests. We saw it bottom out about a year ago, although lately there has been an upswing again with the emergence of the pad devices and mobile devices that more people are using.

What are you anticipating next in terms of mobile technology, user-driven work devices and how it impacts your operations?

I think we are still in an infancy stage in this evolution. As these new devices become more prevalent, consumers are trying to find new ways to use them. And I think that will really shift the way business interacts with these devices and how we use them, too.

I think we are marching in the direction of an even more open environment. We're ensuring all of the things we were doing previously from a security standpoint have caught up to the demands of today's user. And the technology is allowing us to open things up more and more and still have that security around it.

Stories by Joan Goodchild
