
Why Everyone Gets It Wrong About BYOD

snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
  • BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.

    BYOD is a short sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.

  • by guruevi ( 827432 ) on Wednesday May 29, 2013 @07:18PM (#43855517)

    You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want? BYOD is not just about cell phones or property. It's about people taking work laptops home and home phones to work.

    If you want to make sure everything is and remains standardized, you're going to need to implement NAC and have everything on your network be a dumb terminal.

    BYOD is not just about someone saving money. It's about people expecting to have their devices work and IT in organizations being too slow or not having enough funding to give everybody their device of choice.

  • by Frobnicator ( 565869 ) on Wednesday May 29, 2013 @07:18PM (#43855519) Journal

    From the IT side, it means a nasty festering pile of vulnerabilities. It means more vectors for the Chinese hackers, more attack vectors for competitors, more attack vectors for malware, more vectors for government and corporate spying, and more ways for information to accidentally leak.

    From the personal side, it means being on the clock continuously without additional pay. It means additional personal liability. It means if something goes wrong at work the powers that be can brick your phone. It means that your boss or peers are always watching, sometimes expecting you to reply to emails at all hours or work on reports over the weekend.

    From the bottom line perspective you may get a little more hours out of the worker, but at the cost of reduced total productivity from them never disengaging and the costs of supporting an alphabet soup of devices.

    Nobody wins.

  • by crow ( 16139 ) on Wednesday May 29, 2013 @07:20PM (#43855533) Homepage Journal

    No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.

    In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

    And then there are the Chinese hackers who have infiltrated the network.

    Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.

  • by Anonymous Coward on Wednesday May 29, 2013 @07:21PM (#43855545)

    Not sure about you, but no one plugs in whatever they want to our network, all network ports are authenticated at the switch, you plug in a non authorized device the port simply shuts off. BYOD is a fucked up concept by people that simply have a poor understanding of IT that think what they do at home is "better" as the guys running the network can't possibly know more than them. I have seen BYOD in 3 places now and in all it has been 3 complete failures where it was rolled back due to the insane increases in support costs.

  • Taxes (Score:4, Insightful)

    by macemoneta ( 154740 ) on Wednesday May 29, 2013 @07:34PM (#43855651) Homepage

    I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and/or compensation.

  • by guruevi ( 827432 ) on Wednesday May 29, 2013 @07:40PM (#43855727)

    Maybe you should improve your licensing options or choose better products with less licensing. Throwing out high quality people because a 3rd party company bullies you is not really great business practice.

  • by Anonymous Coward on Wednesday May 29, 2013 @07:47PM (#43855789)

    BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA.

    That's the point though. BYOD isn't about enabling jack shit. It's about shifting the cost to your employee. If it breaks the employee pays. If the employee doesn't like it they had other options so it's their fault. Well here's the thing the employer wants to do that THEN lock down the device so that the end user can't use their own hardware. It's just petty and cheap. Petty and cheap is not going to facilitate security.

  • by chihowa ( 366380 ) on Wednesday May 29, 2013 @07:54PM (#43855861)

    Ah, but from upper management's side, it means costs are shifted from purchasing physical hardware (whose cost is hitting a floor) to employee hours (which can keep going down). It means next quarter's expenses will be lower (the difference of which they can collect as bonuses now) and when the following quarter's expenses are back up (from IT having to maintain the mess), the bonus has already been collected. Then they can start looking to cut costs again by shipping the (now fungible) labor overseas, and collect another bonus. When the whole house of cards collapses, they've already cashed out.

    Somebody wins (just not you).

  • by mysidia ( 191772 ) on Wednesday May 29, 2013 @07:57PM (#43855875)

    many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

    These are all things that can more or less be prevented or detected.

    For starters... the implementation of 802.1X authentication of Windows computers, Network Access Protection

    The other big one is a semi-deny by default webfilter policy; with a firewall device that validates the HTTP stream is actually HTTP (identification by protocol regardless of TCP/UDP port), allows access to only IP space on known web hosting providers, datacenters, and large Enterprises, but specifically doesn't allow connections to VPN services; and only allows HTTPS to specific known destinations.

    VPN attempts can then be screened for and detected based on traffic anomalies: HTTP session duration and Download to Upload ratio.

    Any session with a high Upload ratio sets off alarms, and gets blocked in a short period.
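
The screening described in the comment above (session duration plus upload ratio), sketched as an added example that is not part of the original thread. The log format, field names, thresholds and alert/block policy are assumptions, and the log lines are constructed.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample proxy log (not real traffic). Assumed column order:
# client_ip, dest_host, duration_seconds, bytes_uploaded, bytes_downloaded
SAMPLE_LOG = """\
10.0.4.17,news.example.com,12,1840,412300
10.0.4.17,cdn.example.net,3,900,88000
10.0.9.52,host-203.example.org,14400,310000000,295000000
10.0.7.88,upload.example.com,95,52000000,4100
10.0.3.21,video.example.net,5400,210000,1900000000
10.0.6.40,api.example.com,1,0,0
10.0.6.40,bad line without enough fields
"""

# Illustrative thresholds (assumptions); tune them against your own baseline.
MAX_DURATION_S = 3600      # ordinary page loads end in seconds, not hours
MAX_UPLOAD_SHARE = 0.30    # fraction of session bytes sent by the client
MIN_BYTES = 1_000_000      # below this, byte ratios are mostly noise


@dataclass
class Finding:
    client: str
    dest: str
    action: str                      # "alert" for one signal, "block" for both
    reasons: list = field(default_factory=list)


def analyze(log_text):
    """Return (findings, skipped_line_count) for a proxy log in the format above."""
    findings, skipped = [], 0
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        if len(row) != 5:
            skipped += 1             # malformed line: count it, do not guess
            continue
        client, dest = row[0].strip(), row[1].strip()
        try:
            duration, up, down = (int(v) for v in row[2:])
        except ValueError:
            skipped += 1
            continue

        reasons = []
        if duration > MAX_DURATION_S:
            reasons.append("long_session")
        total = up + down
        # Guard against zero-byte sessions before computing the ratio.
        if total >= MIN_BYTES and up / total > MAX_UPLOAD_SHARE:
            reasons.append("high_upload")

        if reasons:
            action = "block" if len(reasons) == 2 else "alert"
            findings.append(Finding(client, dest, action, reasons))
    return findings, skipped


if __name__ == "__main__":
    results, bad = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.action:5} {f.client} -> {f.dest} ({', '.join(f.reasons)})")
    print(f"skipped malformed lines: {bad}")
```

In the sample, the long video stream trips only the duration signal and the large file upload trips only the ratio signal, which is why a single signal raises an alert and only the combination is treated as tunnel-like.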

  • by mjwx ( 966435 ) on Wednesday May 29, 2013 @07:59PM (#43855893)

    You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

    Managed switches.

    No unauthorised devices get plugged in. Every device has to authenticate with the switch (so not simply MAC address blocking).

    From the fine summary:

    Because you own the device, you have certain rights to what is on the device and what you can do with the device.

    Yeah right, feck off.

    When you BYOD onto my network, we control it, we can wipe it, we can install and uninstall apps and if you don't agree to our terms, don't bother complaining that you can't BYOD. BYOD is not open slather, if you want to bring your own device, fine, we welcome that but you will be registering it with our MDM (Mobile Device Management) system before you're even so much as able to put mail on there, that means our policies get enforced on your device (and your administrative privileges for that device get taken away). Sorry, but this part isn't negotiable.

  • by bdwebb ( 985489 ) on Wednesday May 29, 2013 @08:09PM (#43855973)

    Your company has no secure resources that you or your superiors are worried about then and you are not a candidate for NAC as the parent poster was. That or your company's IT staff, including you, is actually the incompetent group and if you ever get compromised by an outsider with malicious intent, you're fucked.
  • by Anonymous Coward on Wednesday May 29, 2013 @08:10PM (#43855979)

    Sorry, but this part isn't negotiable

    Maybe not - but I'm sure your employment is. The first time you tell the CEO to "feck off" I suspect it will be negotiated to no longer exist.

  • by mjwx ( 966435 ) on Wednesday May 29, 2013 @08:19PM (#43856025)

    Sorry, but this part isn't negotiable

    Maybe not - but I'm sure your employment is. The first time you tell the CEO to "feck off" I suspect it will be negotiated to no longer exist.

    LoL,

    You do realise this policy comes from the CEO.

    Besides that, one data leak and it's the CEO whose job will no longer exist. They get real paranoid when you make it clear their job is at risk. Besides this, if management won't take security seriously, I'll have another job by next week anyway.

  • by ultranova ( 717540 ) on Wednesday May 29, 2013 @08:32PM (#43856129)

    I've found BYOD is actually a big PITA for large organisations because the devices people are bringing are almost universally Android or iOS, and in both cases the OS and apps have terrible support for HTTP proxies; and many large organisations use proxies to control web access from within their networks.

    So maybe you shouldn't try to control web access from your network if you allow it at all, but rather deal with people browsing Slashdot or porn sites all day long when and if it becomes a problem?

  • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @08:51PM (#43856247) Homepage

    Sounds like a plan. Got a FOSS version of AVID? Same quality and same abilities?

    No? How about a FOSS version of AutoCad? No, the two toys running around out there won't work.

    Well then how about a FOSS version of my automotive computer tuning software? It supports all the modern cars, so what FOSS program is out there that does that?

    Lastly how about a nice FOSS large accounting software system? No?

    There are three business types that cannot use FOSS even if they wanted to, and that covers a hundred thousand businesses in the USA alone (car repair, car shops, engineering firms, accounting firms, TV stations and studios, etc.).

    FOSS is an impossible answer for a large number of businesses simply because the software does not exist.

  • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @08:54PM (#43856257) Homepage

    I watched an IT guy try to tell a CEO that his Apple TV was not allowed on the network. The CEO pointed at the door and asked the guy, "what does it say on the door?"

    The IT guy was one of the brighter ones and got the hint quickly... and set it up on the corporate network.

  • by Anonymous Psychopath ( 18031 ) on Wednesday May 29, 2013 @08:59PM (#43856291) Homepage

    Your company has no secure resources that you or your superiors are worried about then and you are not a candidate for NAC as the parent poster was. That or your company's IT staff, including you, is actually the incompetent group and if you ever get compromised by an outsider with malicious intent, you're fucked.

    We have about 25,000 BYOD users and ferociously protect our IP. I wish you luck in your crusade against the customers you serve. It seems to be working out for the RIAA/MPAA.

  • by Benaiah ( 851593 ) on Wednesday May 29, 2013 @09:29PM (#43856469)

    Having worked on both sides of this fence I can say that IT are often lured into the belief that they are the core of an organisation and that they are constantly making things better for everyone by making things more uniform. Such as giving everyone the same desktop icons and refusing access to the desktop to allow users to add their own icons. They are hidden away from the rest of the workforce in artificially lit computer graveyards. The users in such a network ie, the accountants/journalists/engineers who are actually making the company money get more and more disillusioned with this system that gets less and less functional, ie submit a form signed in triplicate with a cost code attached in order to get Chrome installed. They bring their own 4G devices in and use them to do their work, or bring in windows hacking tools to give themselves local admin rights and all hell breaks loose.

    Thus where I have seen IT actually play their support role is where they don't get put in the dungeon in the basement of the building but integrated into the workforce and forced to do their work in plain sight. Other staff members can see the work that they do and come and ask questions, and they can see the impact that their work has on their users. Their team meetings are infiltrated with key staff members who get to vet the plans moving forward, and key to all this, is an articulate manager who actually understands what his subordinates are doing and not just playing with dollars and cents.

  • by guruevi ( 827432 ) on Wednesday May 29, 2013 @09:47PM (#43856587)

    1 IT tech per 550 users is indeed a very unreal ratio unless you work at a place like Google where everybody is highly technically adept. Even with heavy handed standardization and lockdown, you simply cannot maintain even the most basic of communications. You would be manning 1500 users, ~2000 computers, ~50 servers, ~150-250 printers and ~100 switches, 50+ access points if you have wireless, miles of cabling you should be halfway upgrading to fiber pretty soon... with 3 people? Who is developing anything? Who is rolling anything out?

    Unless you have everything outsourced to the cheapest bidder and a host of consultants that don't count towards your FTE. Even 1 of you guys falling sick or getting hit by a bus would be devastating. From my experience a typical IT person can handle ~100 desktop users, ~250 if you have a well-run tiered help desk system.

    If your department truly believes you personally have a hand over 550-800 users, then simply go out there, most likely what has happened is every single department has one or more official or unofficial IT tech and a number of desktop-servers and wifi routers on the desks.

  • by Anonymous Psychopath ( 18031 ) on Wednesday May 29, 2013 @10:06PM (#43856691) Homepage

    We have about 25,000 BYOD users and ferociously protect our IP. I wish you luck in your crusade against the customers you serve. It seems to be working out for the RIAA/MPAA.

    I don't understand your rationale that company security policies are some 'crusade' against the customers that company serves. Customers are not the same as employees...

    Maybe the 'BYOD users' you are talking about are your customers and in that case, you probably have some other heavy security mechanisms to prevent those users from manipulating your IP. Either way, your business is not a candidate for NAC and your input is pretty much irrelevant.

    No, I meant 25,000 actual employees, which is about 1/3 of our total internal user base. We've been running on a BYOD basis for about four years already.

    BYOD is, much like LANs were, largely user-driven with IT reacting to demand.

  • by jrumney ( 197329 ) on Wednesday May 29, 2013 @10:56PM (#43856997)

    many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

    These are all things that can more or less be prevented or detected.

    Which is what is wrong with IT. You can't see past your own policies to the fact that users have genuine business needs to use Linux on their laptops or in VMs, and those web filters you install to stop anything with *p?rn* in the URL are preventing access to sites that people need to access to do their work.

    Instead of "OMG, people are bypassing our restrictions! How do we stop them?", your first response should be "why do they feel the need to do this, and how can we accommodate their business needs?".

  • by King_TJ ( 85913 ) on Wednesday May 29, 2013 @11:14PM (#43857085) Journal

    Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wanna-be's who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.

    You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)

    As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.

    At the end of the day, when you work in I.T, or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.

    I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)

    What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.

  • by Culture20 ( 968837 ) on Thursday May 30, 2013 @12:02AM (#43857293)

    4 IT staff to support around 400 people.

    1 IT person should be able to support 1000-10,000 people depending on system homogeneity. BYOD makes everything heterogeneous unless the company mandates what hardware you're allowed to buy. That's why you could only support 100 people per IT person.

  • by Jane Q. Public ( 1010737 ) on Thursday May 30, 2013 @02:08AM (#43857743)

    "Not sure about you, but no one plugs in whatever they want to our network..."

    I agree with you 100%. And I go further: if the company wants me to BMOD, then they can damned well pay me for the use of it. It's okay... I'll rent it to them at the going commercial rate.

  • by nojayuk ( 567177 ) on Thursday May 30, 2013 @02:08AM (#43857745)

    AutoCAD is the basis of an entire ecology of add-ons and workflow tools, many of which can cost ten times the basic cost of the package itself and then some. Oil refinery piping layouts, dynamic flow analysis, bill of materials, finite element analysis tools, import and export to other engineering packages, 3DMax visualisation etc. etc. Unless and until the FOSS alternatives to AutoCAD can plug in as a one-for-one replacement to that ecology then they're not going to make big inroads in the multiseat engineering/architectural world.

  • by Anonymous Coward on Thursday May 30, 2013 @02:38AM (#43857841)

    Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wanna-be's who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.

    Having done IT for over 10 years, I am really getting fed up with all the lazy and irrelevant staff that is crying about "enabling" functionality that is completely not work related and in the end just "enables" YouTube and Facebook for them - so they can hide more easily that they're not doing any useful work.

  • by DarkOx ( 621550 ) on Thursday May 30, 2013 @06:06AM (#43858563) Journal

    I am sorry but people like you who have that attitude toward it are absolutely every bit as wrong as the IT types who think the answer to everything should be "no".

    When someone gets a worm on your network and it takes the entire business offline for the better part of a day while everyone chases down and cleans the machines, you will still say IT failed to do the job you refused to let them do.

    When your customer list is published on WikiLeaks, or near perfect copies of your flagship product, trade secrets and all, start coming off the boat from China, you will say IT did not do their job, which you refused to let them do.

    Yes, IT needs to help you be productive but they also need to protect you and the company, which means they can't just let you do *anything* any time. It's not that simple, you need to stop looking at IT as your bitch and start thinking of them as trusted advisors just like you do your legal department or your HR people.
