Like CIOs at many organizations, Kenneth Corriveau saw the writing on the wall. The employees in his company wanted to use their own devices for work and were going to keep asking, regardless of what policy might state about using personal technology to connect to corporate networks.
"It really increased in the last 18-24 months when mobile devices starting becoming more and more prevalent," said Corriveau, CIO of Omnicom Media Group, a global advertising and marketing communications services company. "About the same time, users really started going out and purchasing their own equipment. There was this shift from whatever we issued at the office was what everyone used, to having users that worked on their own personal computers at home and were saying they have a mobile device and it was their platform of choice for work. That was a tipping point when we decided we had to put a plan together."
With a presence in 80 countries and a lot of grumbling from a wide swath of users, Corriveau wanted to open up access for Omnicom employees — but he wanted to do it securely. That meant getting a handle on the visibility of all mobile devices trying to touch his network, and then implementing discreet controls that would allow people access within corporate policy limits.
Today, Corriveau's team manages approximately 10,000 nodes - everything from iPads, iPhones, Androids, Blackberries, laptops, desktops, conference room computers and more. With his current policy enforcement system in place, Corriveau notes the platform no longer matters, as long as the device is up to snuff with his policy. Here, he explains how his system works.
CSO: Where were you with device policy a few years ago?
Kenneth Corriveau: We had a policy, and still do, that only corporate devices can connect to the corporate network. But there was a tone out there; we were noticing a trend and more requests were coming through for access to the network, usually to read email, on non-standard or non-corporate devices. That was where we started to see the trend.
So, we started to have some focus groups and talking to different constituents about what would help them. Our population skews younger in our environment. That played a role as well. The younger population seems to have more of an affinity for technology, for using their own gadgets and we knew we had to make it possible for them to do that securely.
What are you doing now to accomplish that?
We have an essentially managed environment using ForeScout's network security products and have rolled out our policies on a global basis. It impacts everything; from the edge, and how we put the active scan on the edge of our network, to how it runs inside our network.
[See also: 9 tips for protecting mobile workers]
Previous to having this network-access-control (NAC) environment, we were not allowing other devices on the network. It had to be a corporate device. We separate our networks out in guest, employee, and vendor networks and, with the NAC, what we've done is when any device connects to the network, we run a policy to ensure they have the correct virus definitions and that they are up to a certain standard, before we allow it on to tour network. Previously we werent allowing non-corporate devices onto the network. But now we are, as long as they conform to our parameters.
What happens if the device is denied access?
If it doesn't conform then IT gets a notification and works with the person trying to get connected to the network. They are put in holding container of sorts and get a note. Then IT gets a note. Most of the time they work with employees on the help desk to update whatever definitions they need. Nine times out of ten we resolve it.
What have you had for feedback from employees and guests?
Both positive and negative. Some who understand we are offering a better service and giving more options for access now are grateful and acknowledge that it was easier than it was in the past. On the other side, you have people who don't understand why we have controls in there at all. They still ask "Why can't it just be open platforms and standards?"
What is your gauge that the policy enforcement system is working?
Our Altiris ticketing system monitors incidents and trends. We have a category in our system for security requests, network requests. We've seen the trend go up and down. The question is: do people still need to reach out to IT group to do what they need to do? Or is there enough of a balance between the freedom to get on the network and the security that is around it? We monitor that through our system have seen a downward trend in requests. We saw it bottom out about a year ago, although lately there has been an upswing again with the emergence of the pad devices and mobile devices that more people are using.
What are you anticipating next in terms of mobile technology, user-driven work devices and how it impacts your operations?
I think we are still in an infancy stage in this evolution. As these new devices become more prevalent, consumers are trying to find new ways to them. And I think that will really shift the way business interacts with these devices and how we use them, too.
I think we are marching in the direction of an even more open environment. We're ensuring all of the things we were doing previously from a security stand point have caught up to the demands of today's user. And the technology is allowing us to open things up more and more and still have that security around it.