It's Christmas Time in the IT Shop

Sometime soon, maybe next week, maybe at the beginning of January, you’re going to start seeing the growing flood of requests. All of those employees who got something cool and electronic for the holidays are going to appear at your door and want permission to connect it to the enterprise. Perhaps they’ll be standing there with a shiny new Droid in hand. Or maybe it’ll be that laptop they gave themselves that’s soooo much cooler than the one you provide them for company use.

Or worse, you’ll find out about the problem when you start getting hits in your intrusion detection software that points at a rogue access point somewhere. But you know the drill. Your folks will want their latest gadget with them at work. What does it matter to them that they’re trying to install an unsecured 802.11n router in their office? After all, it’s just in their office. Who could possibly object?

The fact is that the person who could object is you, and it’s not necessarily the easiest job in the world to deal with this challenge. You need to let everyone know that the IT department will be as accommodating as possible, but that there are some things that can’t be allowed. And you’re going to need to enforce your rules on what can and can’t be allowed.

First, though, you will need to publish your security policy. For all those people who got a new smartphone and want to add it to the network, you’ll need to decide which ones can be allowed on the network, and to what level of access. For example, if you already support BlackBerry and iPhone devices, people who get these for Christmas will have to allow your security rules to apply to their devices, but you should otherwise be OK. Those people who got Android devices might be allowed to access e-mail, but only if they don’t get e-mail that impacts on your compliance rules. The problem with the Android is that it’s now able to link to Exchange, but it still doesn’t come with encryption and doesn’t meet most enterprise security standards.

You’ll find the same to be true with those snazzy new laptop computers people got for gifts when Wal-Mart put them on sale. They may have slick looking 18-inch screens, but they’re running Windows 7 Home edition. There’s nothing enterprise-grade about it. It’s even more true when your employees show up with a nifty new netbook. It’s probably running either Windows XP, which is already over the hill, or Windows 7 Starter Edition, which is even less capable of meeting enterprise requirements than the Home version.

And about those access points, those play stations, and those other network or WiFi capable doohickies that people will want to bring to the office. While there are some that are harmless (like the ThinkGeek WiFi Detector Shirt), Most of the things that people are likely to bring to work and put on the network are potential problems, at least. So it’s time to take the necessary steps. That means publishing a policy now, so it’ll be there for everyone to see right after they come back from the holidays. Here are some ideas:

• Come up with a policy that’s realistic and that’s based on what you can actually support. Let’s face it, if your employees buy their own smartphones, it means you don’t have to. But they have to work with your applications and your security, and they have to meet compliance requirements.
• Consider banning all personal Wi-Fi access points unless they can be made to work with your company’s security infrastructure, and if the owners are willing to let the IT staff configure them.
• Make it a requirement that all personal computers of whatever sort must be configured to meet company requirements, including the installation of monitoring software and encryption. This means that if you can’t configure them to meet those requirements, they can’t be on the network.
• Conduct internal marketing to set expectations for all employees, including those in the C-level suites. It can help to remind the CEO that breaking the rules can get him a nice orange jumpsuit.
• Explain that you will be auditing the network and plan to confiscate anything you find that breaks the rules. Then actually do the audit and confiscate some stuff. That’s the only way they’ll believe you.

While it’s true that it’ll save the company a couple of bucks to let employees supply their own hardware, the fact is that if you’re not careful you can risk the company. That’s a pretty high price to keep from having to buy a laptop for someone.

Now, go enjoy the holiday season. You might as well because it’ll end soon enough.