Forget BYOD, just Bring Your Own Office

IT's place in a BYO world is less and less about "thou shalt not pass," and more and more about "meet me half way," and this has important ramifications for SMEs.

The computer security buzzword that dominated last year was BYOD, or Bring Your Own Device.

That's where you let staff hook into the company network with their personal Androids and iPads, or use their own MacBook instead of a company-issued Windows PC. Clearly, there's a win-win here: you no longer have to pay to provide your staff with a second phone that they'd prefer not to carry around anyway. Of course, there's a concomitant risk, since you no longer have as much say over how BYODs are configured, or what they get used for outside work.

An entire industry around MDM, or Mobile Device Management, has evolved to support BYOD, with the better products from the more perspicacious vendors recognising that IT is less and less about "Thou shalt not pass," and more and more about "Meet me half way."

So why did I call BYOD last year's buzzword?

Not because BYOD is a fully-done-and-sorted deal, but because BYOD opens up a whole new can of security worms – what you might call BYOO, or "Bring Your Own Office."

If I can bring my own device to work and use it there, why can't I use it anywhere?

And that throws a whole new spotlight on a long-running network headache, which usually gets buzzworded as Branch Office Security.

After all, with BYOD thrown into the mix along with traditional distributed workplaces (e.g. home offices, a retail store chain, or a network of service stations), it becomes even more difficult to keep the bad stuff out, and the good stuff in.

So, what about your non-technical users, with no IT staff, perhaps using computers you didn't even supply, who are located on the other side of the harbour, the city, the state or the world?

Leaving them to their own devices

One sadly rather common approach is to leave them to their own devices, literally and figuratively, and just give them a cloud-style web portal into head office. But that's not a very inclusive solution, since there are invariably work-related things that "insiders" on the network can do, but "outsiders" on the portal can't.

Anyway, you'll never actually know if their devices are secure; in fact, they probably won't be, not that you could do anything about it anyway.

What you really want is a VPN, or Virtual Private Network, where you set up matching encryption software on your side and their side to create what's known as a secure data tunnel.

High-end VPN solutions can make this all happen, but they often come with a reassuringly expensive price tag, and are correspondingly complex to set up.

That's fine if you're going to be buying hundreds of the things, and have a dedicated VPN team to configure them, deliver them, swap them out if they go wrong, even to travel the world setting them up perfectly at remote locations.

For SMEs however, having a dedicated IT team at all is often a bit of a pipe dream, let alone a sub-team just to take on the network security challenges.

Consumer-grade solutions are the other end of the scale, where you tell your remote staff to buy some sort of SoHo router like they might use to get their household online, and then try to mould it to the shape of your business security needs.

That sounds like a simple way to get started, but there's that little matter of "setting it all up" to deal with first. What if your remote users can't install the router or the VPN software it needs? What if they've got the wrong sort of computer that isn't properly supported? What if they press the wrong buttons? Why should non-technical remote staff have to care about any of this stuff anyway?

At the risk of sounding a bit commercial, those are the questions we kept in mind at Sophos when we designed our product called RED, or Remote Ethernet Device.

The RED is a small and inexpensive box that you can send (or have delivered directly) to a remote user; it has a port labelled "internet," a power socket, and nothing else to go wrong.

You type a code off the RED into your network gateway (UTM) at head office, and send the RED to your remote site. A non-techie can receive it, plug it into the internet, plug it into a power socket...and that's it! The remote user can't press the wrong button, for the brilliantly simple reason that there isn't one.

It's automatic: the RED wakes up, connects to the Sophos Cloud, securely grabs its setup, and joins itself onto your network. Now your remote users can plug any sort of networked device into their RED – a Windows PC, a Mac laptop, a Linux server, a printer, a scanner – and apart from its physical location, it's effectively, and automatically, part of your local network. Their devices are visible, manageable and secured, as if they were sitting at the next desk.

In short, branch office security doesn't have to be difficult. Whichever product you choose, just make sure it really does put the "zero" in zero configuration, so you don't need lots of IT rules, regulations and time-consuming fiddling to get it all working properly.

Make yourself the sort of organisation that gets rid of "Thou Shalt Not Pass," and embraces "Meet Me Half Way!"

Paul Ducklin is a cyber security expert and a blogger on the Sophos Naked Security blog.