9.1. All PCs Are Not Created Equal

In recent years, the sheer number of device platforms that you can find in a typical enterprise network has mushroomed: Windows, Macintosh, Linux, Unix, Solaris, Windows Mobile, Apple iPhone, Symbian, RIM BlackBerry, Google Android, and more.

Different groups within an organization have different reasons for their platform of choice, and nowhere has that choice manifested itself more openly than in the enormous popularity of mobile devices. The question you have to ask yourself right now is, "How can I possibly keep our data secure with so many different types of devices on the network?"

Figure 9-1 shows several possible devices that a typical end user might use during the course of the day. Multiply this group of devices by potentially thousands of users, each with his or her own personal machine preference, and you end up with a very large list of devices on the corporate network that require access to e-mail, files, applications, and more.

Without help from a NAC solution, you definitely can't easily classify these different devices and gauge an appropriate security posture. Fortunately, most NAC vendors realize that today's modern organizations require choice and mobility, so product offerings are evolving to support more and more devices. After all, the first step in deciding whether a device can access the network involves determining what type of device it is.

Figure 9.1. The types of devices that a user works with during a typical day

After NAC determines the device type, the question becomes what (if anything) the user should be able to access on the corporate network from that device. While the policy you use will vary with your organization's requirements, here's a list of questions to ask yourself so that you can make this determination:

  • Who's requesting access from the various types of devices, and what type of data do they need to access? For example, application developers may need to access sensitive databases and source code from Linux machines, which is their primary development platform.

    In this case, you may want to allow them on the network so that they can do what your organization pays them to do — write code.

  • Does your CEO request e-mail access from his or her Apple iPhone?

    Although you might allow access based on this person's title, you can require that any data be encrypted on disk or restrict what the CEO can access from this device.

  • Do salespeople want to access your customer database — which contains Social Security numbers, credit card numbers, and other sensitive information — from their personal laptops, which also double as gaming/hacking devices for their teenage children?

    In this case, you probably don't want to provide access at all.

  • Do you ever wonder when you can consider a device secure?

    Different platforms and operating systems (OSs) come with different concerns regarding security. The Microsoft Windows platform, for example, is more likely to be attacked simply because it's the world's most common OS and many hackers go with the numbers. So, is Windows inherently less secure than Macintosh or Linux? Maybe, maybe not (though most seem to think that it is). You might decide to allow access to different types of information depending on the type of machine accessing that information, leading you to a device security policy that relates to which device can access what information. A device that's allowed to access sensitive financial records, for example, might require a more stringent security policy than a guest user's device that only accesses the Internet.
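As an added illustration (not from the book), here is a small Python policy evaluator that turns the questions above into enforceable NAC rules: who the user is, what kind of device NAC classified, what posture the endpoint reports, and what data is being requested. The role names, platform labels and resource names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: roles, platform labels and resource names are placeholders.

@dataclass(frozen=True)
class Request:
    role: str             # who is asking, e.g. "developer", "ceo", "sales", "guest"
    os: str               # platform as classified by NAC, e.g. "linux", "ios", "windows"
    managed: bool         # corporate-managed device, or a personal one
    disk_encrypted: bool  # endpoint posture reported by the agent
    resource: str         # what is requested: "source_code", "email", "customer_db", ...

@dataclass(frozen=True)
class Rule:
    roles: frozenset
    resources: frozenset
    oses: Optional[frozenset] = None  # None means any platform
    require_managed: bool = False
    require_encryption: bool = False

    def matches(self, r: Request) -> bool:
        return (r.role in self.roles and r.resource in self.resources
                and (self.oses is None or r.os in self.oses))

    def evaluate(self, r: Request) -> str:
        if self.require_managed and not r.managed:
            return "deny"        # personal hardware never touches this data
        if self.require_encryption and not r.disk_encrypted:
            return "remediate"   # quarantine until the posture requirement is met
        return "allow"

POLICY = [
    # Developers on managed Linux workstations may reach code and dev databases.
    Rule(frozenset({"developer"}), frozenset({"source_code", "dev_db"}), frozenset({"linux"}), require_managed=True),
    # Executives get e-mail on phones only if the device encrypts its storage.
    Rule(frozenset({"ceo"}), frozenset({"email"}), frozenset({"ios", "android"}), require_encryption=True),
    # The customer database is reachable only from managed devices, whatever the role.
    Rule(frozenset({"sales", "developer", "ceo"}), frozenset({"customer_db"}), require_managed=True),
    # Guests and everyone else may reach the Internet from any device.
    Rule(frozenset({"guest", "sales", "developer", "ceo"}), frozenset({"internet"})),
]

def decide(req: Request, policy=POLICY) -> str:
    """First matching rule wins; a request no rule covers is denied (default deny)."""
    for rule in policy:
        if rule.matches(req):
            return rule.evaluate(req)
    return "deny"
```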

NOTE

Regardless of how often users scream for device choice, you need to make security paramount before you open the network to any of the myriad mobile gadgets and computers that hit the stores every week. Also, figure out whether users really need to gain network access by using their new smartphones or Macs. Your job is to allow them to be as productive as possible while you maintain data security. Balance accessibility with security:

  • A policy that goes too far to secure network assets might render important data unusable, leaving users who need access out in the cold, unable to do their jobs.

  • A security policy that's too lenient might land your company on the front page of the nation's newspapers as the victim of the latest data theft incident.
