I'm a big believer in using whatever tools do the job best, and if the job can most efficiently be done with multiple devices and brands, I support that decision. Many companies find lower costs in supporting one brand or platform, but that isn't always the best policy. Some companies may be better served by supporting heterogeneous devices. But even a highly mixed environment must have security and control, and the consumerization of IT is quickly challenging the traditional security paradigm.
New directions in endpoint security
Is your company headed in this new direction? If so, how can you ensure the proper level of security for all devices? How can you ensure that connecting computers are securely configured, running up-to-date versions of operating systems and applications, and running up-to-date versions of antimalware software? Is device and platform security still your department's responsibility or is the new requirement one of simply protecting the core assets and networks against all untrusted assets?
Many security administrators believe in a strong endpoint defense. They are eschewing the hard outer shell and chewy inside for harder insides. How can you enforce a stronger, more secure endpoint if you don't control it? Maybe a network access control (NAC) product is in your future.
What about data? Will your company allow valuable data to be copied to unmanaged devices? Unless you've been extraordinarily proactive, it's already happening.
This is not to say that support for consumer devices is only a binary decision. An alternative path, which is probably more palatable in most environments, is to support what you can secure. For example, allow email access if it can be secured. Allow document creation and editing only if the third-party application used is 100 percent compatible with the corporate standard. Don't allow blatantly risky or insecure applications to be connected to your network. Here's where a NAC solution could give the business what it wants and the IT department what it needs.
Deja vu all over again
This new challenge reminds me of the dawn of instant messaging. When instant messaging first appeared, IT shops refused to support it. When a few employees were discovered using it, the app was removed from their desktops. Despite the prohibitions, instant messaging started showing up with more regularity, and it was used for legitimate business transactions. By the time the security problems began to crop up (mostly malicious file transfers), IT did not have the tools to combat them. Eventually the tools to help manage and secure instant messaging were created, and today instant messaging is typically a part of the legitimate environment and supported by IT.
Will your company fight consumerization or embrace it? From a security standpoint, if you can't control the endpoint, then you shouldn't allow it in the environment. But security is often an afterthought, secondary to operations and business needs. End-users love their iPads and Droids, and they -- and likely their managers -- see no reason they can't bring them to work.
If your IT management hasn't wrestled with this issue, perhaps this is the time to start the discussion, make decisions, and push out policies. Seize the chance to be slightly ahead of the curve on this one, or it will get ahead of you.
This story, "Androids and iPads: Network security's last stand?," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.