I've heard of this Bring Your Own Computer model but I have to say I'm surprised such a big company as Kraft is supporting it. I can see the advantages -- especially if the workforce is vocal about its technology preferences and wants what they want. But so many security risks, and how do you draw the line between owned by the company and owned by the user?
BYOC is common for smaller companies with an IT staff of a couple of part-timers. Some take the PC that I like, and turn it into an acceptable PC by installing various security software apps on it, and some just leave you alone. I believe in smaller companies, trust plays a huge factor which I can understand. I personally like that model though, mainly because I am used to a specific vendor (IBM/Lenovo), and like to stick to that. Just a preference though…
This seems potentially to dovetail with the cloud computing phenomenon, in which it becomes increasingly incumbent on companies and cloud vendors to find ways to lock down data within the cloud. That would seem the most efficient way to implement air-tight security, after which it doesn't matter so much -- from a security perspective, if not for end-user support -- what type or whose hardware is being used to access the data and applications. Just a thought.
Even if data is stored within the cloud, a compromised PC can allow significant data leakage. Regardless of storage method/location, it is critical that both the company and the computer user take appropriate steps to secure data, its transfer, and the hardware accessing it.
The methodology for securing the data must be appropriate to the risk involved. For example, a credit company storing customer information including tax returns, SSNs, etc., must use a significantly more secure method of data security than a bicycle shop that only stores a product catalog and inventory details...
If I'm a bad guy and I can put a trojan on your PC without your knowledge, then any data you access anywhere is mine. That's a solid reason for any PC that has data access to be either a company owned machine or one that is "certified" by the company as being properly secured.
While DRM is a first step to protecting data, it's not foolproof. I can get around today's DRM on pretty much any PC out there. Screen capture programs, digital cameras, and other methods allow removable access to what is purported to be "secured" data.
Cloud storage is NOT a panacea for data security. In fact, it brings with it its own set of challenges. For a regulated industry, if you're going to store in the cloud, how do you PROVE to a regulator that no one at the cloud ever had access to that customer record? You can't. You have no way of knowing if someone took an image of your datafile and copied it offsite somewhere. While there are some safeguards in place, the company cannot certify to regulators that their data is not accessible if it's stored in the cloud.
The Kraft policy requires employees to turn on disk encryption, which should add some security to data transported off site. I'm less clear on how the company prevents BYOCs from infecting corporate networks with viruses, malware, etc. A 20 percent savings sounds like a bad deal if you have bugs running all over the place.
I wonder if Citrix's announcement of a bare metal hypervisor that runs on the client would help this issue. According to the company, the software lets users run more than one desktop virtual machine, so they can have a personal one and a corporate one. Is this the best of both worlds?