Work is an activity and no longer just a place where you go. Your end users need access to company data and resources to do their jobs wherever they are in the world.
Typically, IT teams have used managed devices to enable secure access to ensure that devices accessing their network cannot do any harm. They think you should manage a device because it will be accessing your network or a part of your network, and you don't want a malware infected device on your network. In principle, there's nothing wrong with this approach. However, it's failing to focus on what's important to the organisation: its data access.
IT admins have an opportunity to shift their thinking and focus on managing access to data and resources instead of the device itself. Instead of protecting the device at one end, it means protecting the other end of the communication, the information itself. And, when you consider that cybercriminals do not worry about the device they are working on, only the access to your data, it starts to make sense to focus on where the real value lies.
However, this approach is less flexible, and increasingly, IT teams are looking for security that revolves around the data and resources, not the device itself.
What are unmanaged devices?
Unmanaged devices include devices that are not within the network itself and not managed by the active directory. They are completely unknown devices, including personal devices brought in by employees and ones used by subcontractors hired for a temporary period.
These devices are not under IT's control — there's no knowledge or compliance over them. In practice, this means there's no endpoint protection, no ability to do any OS or application updates on the device, and no way to harden a device. There's also no way for an IT administrator to know if there's some malware running on an endpoint device or not.
Sure that unmanaged device accessing your network could cause harm to the network. But ask yourself this: why would you need this device directly on your network in the first place? There's still a mindset of having these devices on your network because they need to access the data, and the easiest way to have access to the data is to incorporate this device into the network. But this isn't necessary. It's the user that needs access to the data, not the device. So a better approach is to grant the user access to the data instead of the device itself accessing the data.
It's about flipping the typical thinking of protecting devices and, instead, managing what is truly valuable to the company: the data. The devices used are not the company's IP; they're not the sensitive information, they're just the mechanism for accessing that resource.
Advantages of using unmanaged devices
Focusing on the data means IT no longer needs to worry about protecting devices. If there's a specific way for the end user to access the company network and company data, there's no need to worry about the device itself. This approach unburdens IT because they no longer have to dedicate the time and resources to managing devices, and it brings clear benefits to IT and users alike.
- Enable flexibility
The end user can choose their preferred device and still can install any application or app without informing or requesting the IT administrator. This choice might be based on a communication or device budget where employees have a specific budget to buy a device every three years.
- No risks to personal data
Another advantage of an unmanaged device for an employee is there's no possibility their data will fall into the company's hands - for example, holiday pictures, their specific location, and the contact numbers they've rung from their mobile device. There's also no risk of accidentally losing private data whenever the IT administrator decides to wipe the device.
- Use devices that other organisations already manage
If you're hiring an external subcontractor, their devices might already be managed by a different company. So there's no way to manage this device because another company is already managing it. Having a security policy that supports unmanaged devices
Protect the access to data, not the device
You think you need to manage devices because that's what you've been told. But actually, you're focusing on the wrong thing. The device isn't valuable, and that's not where your company's sensitive data is stored. It's the data itself - that's what is important.
Of course, the device itself has some financial value, but it is a very short term value. It has a lifespan of about four years, and afterwards, it's going to be worthless because it's deducted anyway from the company balance. Your data is worth more than the device.
Instead of managing your devices, focus on your data and access to your data. It's an approach that's 100% in line with zero trust policies that the world is adopting right now. And while there's no such thing as a bad solution, now is a good time to question whether your organisation's approach to devices brings you the most value and the most efficient way of working.