How to Secure the BYOPC?
Having been widely democratized over the past 3 years due to the unexpected and massive lockdown caused by the first wave of the Covid-19 epidemic, the BYOPC (Bring Your Own PC) concept is now becoming a real issue for the IT departments of organizations. For them, this practice provides as many organizational solutions as it generates security issues for the information system. While it is generally not recommended to let employees use their personal computers to access their organization’s applications and resources, today there are certain solutions that allow to secure this practice.
What is BYOPC
BYOPC is a subset of the BYOD (Bring Your Own Device) concept that focuses on personal computers, including Windows PCs or Macs. This means that employees can use their personal computer to access their organization’s information system from their company’s premises, from home or in a mobile situation, either on a regular basis or exceptionally (in addition of using a professional computer).
In the Hype Cycle for Endpoint Security report for 2022, Gartner predicted that BYOPC security would peak in 2-5 years. According to Gartner’s senior research director, Rob Smith, the “urgent need” to let employees work from home and the absence of hardware has bolstered BYOPC adoption globally.
What are the challenges for the the information system security?
In a BYOPC situation, the IT department of the organization does not “control” nor “manage” the employee’s workstation. If they do not use an appropriate solution for this specific situation, the IT department is not able to guarantee the integrity of the employee’s workstation. If a malware is present on the employee’s personal computer, it can easily spread throughout the entire information system as soon as the user connects to the organization’s resources.
This was particularly true during the lockdown period, when the number of teleworkers has more than doubled in just a few days. A large number of these employees were forced to use their personal computers, given the lack of availability of professional laptops (controlled by the IT department). Therefore, during the lockdown period in 2020, the number of cyber attacks exploded, largely due to teleworking and the porosity between personal and professional use of the same computer. The lockdown also allowed hackers to introduce themselves permanently and discreetly in the organizations’ information systems, in order to attack and ransom them several weeks or even months after entering the information system.
Securing access to the IT system from a personal device
Securing BYOPC is nevertheless possible, particularly by using a ZTNA (Zero Trust Network Access) solution, which is much better suited to BYOPC than VPN. While VPN gives access to a network, ZTNA gives access to an application or resource, depending on the user’s access context, which allows a granular access and better partitioning of the organization’s information system. Applying this principle of least privilege is an essential pillar for Zero Trust. Applicable to all users (internal or external to the organization, using a managed device or not), the use of ZTNA becomes essential when it comes to BYOPC.
cyberelements, as a Zero Trust SaaS platform, allows to secure the BYOPC, to turn untrust into trust. A device posture check can be enabled in order to validate, for example, the presence of an antivirus, a firewall or updates, to ensure the proper management of the user endpoint device which is not managed by the IT department. The access policies can be set according to the trust one can have in the user endpoint security context: as an example, an employee in teleworking will get less rights than when the office, when it comes to accessing critical assets of the organization.
Zero-Trust goes beyond access policy management
When we think of Zero-Trust, the first thing that comes to mind is these policies which must be enforced: “least privilege”, “JIT privilege”, “zero standing privilege”. But it also takes intrinsic characteristics of the access infrastructure in order to reach a full zero trust level: characteristics such as: using dynamic, random and disposable network ports to protect against brute force attacks; hiding the web applications/resources to the Internet by rewriting all applications/resources urls, so that the urls exposed in the end user browser cannot be used outside of the access platform itself; creating the connection tunnel to the resource only at the time and for the time of the use of the application or resource; etc. So, beyond access policy management, you need to enforce “least connection”, “JIT connection”, “zero standing connection”, to reach the utmost level of Zero Trust.