
Why Everyone Gets It Wrong About BYOD

snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
  • BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.

    BYOD is a short-sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.

    • by guruevi ( 827432 ) on Wednesday May 29, 2013 @07:18PM (#43855517)

      You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want? BYOD is not just about cell phones or property. It's about people taking work laptops home and home phones to work.

      If you want to make sure everything is and remains standardized, you're going to need to implement NAC and have everything on your network be a dumb terminal.

      BYOD is not just about someone saving money. It's about people expecting to have their devices work and IT in organizations being too slow or not having enough funding to give everybody their device of choice.

      • by Anonymous Coward on Wednesday May 29, 2013 @07:21PM (#43855545)

        Not sure about you, but no one plugs in whatever they want to our network. All network ports are authenticated at the switch; you plug in a non-authorized device, the port simply shuts off. BYOD is a fucked up concept by people that simply have a poor understanding of IT that think what they do at home is "better" as the guys running the network can't possibly know more than them. I have seen BYOD in 3 places now and in all it has been 3 complete failures where it was rolled back due to the insane increases in support costs.

        • by Anonymous Coward on Wednesday May 29, 2013 @07:29PM (#43855607)

          Then it sounds like you and the rest of the IT staff were incompetent. I work at a company right now that's been using a BYOD approach for nearly 5 years with no real issues. And with only 4 IT staff to support around 400 people.

        • by guruevi ( 827432 )

          So you have implemented NAC, you therefore have already sunk an insane amount of money and resources into getting this to work. And now you're protected until a home device with malware has authenticated itself...

          • by bdwebb ( 985489 )
            There is a definite cost to implementing NAC but I'm confused as to how you believe a home device with malware is going to authenticate itself. There are many complex malware programs out there that can attempt a variety of attack vectors but none complex enough to bypass a NAC solution worth its salt with anything but the baddest 0-day exploits.

            There was a BlackHat presentation made in relation to NAC that presents some of these potential attack vectors (http://www.blackhat.com/presentations/bh-dc-07/
            • by guruevi ( 827432 )

              I meant the "security" a NAC gives is defeated as soon as a device authenticates itself. Whether it's your company's laptop or a home device, as soon as the user authenticates the device it has free rein over the network and any malware on the computer gains access as well while you think the network is "secure". Typical malware is installed on devices that are still used by actual users.

        • by swalve ( 1980968 )
          That seems like a lot of hassle for not a lot of payoff. Every time something breaks or gets moved, they have to call IT to reenable the port? Just so you can imagine that you have security? I guess nobody ever heard of MAC address spoofing.
          • by bdwebb ( 985489 )
            MAC address spoofing doesn't help vs a well implemented NAC solution as the MAC address of the connecting device is not the only authentication factor. Many NAC solutions even require agents to be installed on the connected machine so that an analysis of installed software and hardware can be performed as an additional authenticator and many will pre-scan connecting devices for offending/unsecure software and quarantine them in a segregated network with no routing abilities.

            Once implemented, a NAC isn't
            • by guruevi ( 827432 )

              NAC isn't actually all that costly. There are free (as in beer and as in speech) solutions that top the expensive, vendor-centric NAC solutions.

              The problem is that NAC is not a security tool, it's a network access control tool. It gives you some control as to what devices can connect to which portions of the network and typically you bump other devices to a VLAN that goes directly to the Internet (like a guest network on WiFi).

              Once a device is authenticated (either by a malicious user or more likely, shared

        • by dbIII ( 701233 )
          I disagree with the first point - only because accepting BYOD means you have to give up on that and have ways available for people to plug their stuff in or connect wirelessly without contacting IT or their own management, using nothing more than a password circulated by word of mouth. Once a BYOD policy is there, the good idea expressed above (you plug in a non authorized device the port simply shuts off) is just abandoned.

          It means you have to have staff available and plans in place to deal with viru
        • by beelsebob ( 529313 ) on Wednesday May 29, 2013 @11:13PM (#43857079)

          Sorry to tell you this, but you're not doing your job. As a network administrator, your job is to make sure that the people using the network are able to do the tasks they need for their job.

          Yes, BYOD means you need to be careful about what happens on the network, but it does not mean the network will instantly fall over if you, the network administrator, are even half competent. What it also means in many (most?) companies is significant productivity gains for the people using the network, and ultimately, that's why you're there – to facilitate their productivity, not to sit in your ivory tower with your pristine "perfect" network that actually doesn't do what the users need it to.

          • by DarkOx ( 621550 ) on Thursday May 30, 2013 @06:06AM (#43858563) Journal

            I am sorry, but people like you who have that attitude toward it are absolutely every bit as wrong as the IT types who think the answer to everything should be "no".

            When someone gets a worm on your network and it takes the entire business offline for the better part of a day while everyone chases down and cleans the machines, you will still say IT failed to do the job you refused to let them do.

            When your customer list is published on WikiLeaks, or near-perfect copies of your flagship product, trade secrets and all, start coming off the boat from China, you will say IT did not do their job, which you refused to let them do.

            Yes, IT needs to help you be productive but they also need to protect you and the company, which means they can't just let you do *anything* any time. It's not that simple; you need to stop looking at IT as your bitch and start thinking of them as trusted advisors just like you do your legal department or your HR people.

        • by Jane Q. Public ( 1010737 ) on Thursday May 30, 2013 @02:08AM (#43857743)

          "Not sure about you, but no one plugs in whatever they want to our network..."

          I agree with you 100%. And I go further: if the company wants me to BMOD, then they can damned well pay me for the use of it. It's okay... I'll rent it to them at the going commercial rate.

      • You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

        Yep, I've had customers insist they don't need to worry about antivirus, etc. on their workstations because they have a company policy that no one plugs unauthorised kit into the network. A few weeks later they invariably get an infection because one of the directors ignored policy and plugged his personal laptop in - after all, who's going to tell the director off?

        BYOD is not just about someone saving money. It's about people expecting to have their devices work and IT in organizations being too slow or not having enough funding to give everybody their device of choice.

        I've found BYOD is actually a big PITA for large organisations because the devices people are bringing are almost universally Android or iOS, an

        • by guruevi ( 827432 )

          Both devices have plenty of support for HTTP proxies. Even then, Squid has a transparent proxy option. Or you could filter at the DNS level... options, options.

          • Both devices have plenty of support for HTTP proxies.

            Android Gingerbread lets you set a single HTTP proxy which applies to all networks. That means device owners have to manually enter and clear the proxy settings as they move between the office network and their home network. Not that it matters - almost all apps ignore the proxy settings anyway.

            Android ICS and Jellybean let you set an HTTP proxy per wifi network, which at least means the user isn't expected to reconfigure the phone all the time. Most apps still ignore the proxy settings. Most of the apps that do pay attention to the proxy settings don't support authenticated proxy servers.

            All recent versions of iOS allow the proxy and authentication credentials to be set on a per wifi network basis. That's excellent. Except that most apps (including a good chunk of the stock iOS apps that Apple ship with the phone) either ignore the proxy settings entirely or fail to support authenticated proxy servers. (Yes, Apple is aware of these problems - there are bug reports in their bug tracking system that have been open for several years, they aren't interested in fixing them).

            Even then, Squid has a transparent proxy option.

            Transparent proxying only works for HTTP, not HTTPS unless you are going to MITM all the sessions (which involves installing certificates on all the clients). And even then, you can't authenticate the users if you're proxying transparently.

        • by mysidia ( 191772 )

          after all, who's going to tell the director off?

          I would... in private of course. The director must be coached, and warned, in a firm and positive way in order to give them an opportunity to avoid misbehaving in the future.

          This is why it's important to have security policies and IT governance rules and the consequences in writing, and signed off on by multiple members of upper management, and the board.

          If you commit a violation, the disciplinary action procedure has to be initiated, no matter who you a

          • The problem is that unless you can make a strong legal and/or business case for it, having the top management in a mid-size or large company held to the same standards as everyone else just isn't going to happen. For that matter, you probably can't force the company's best salesman to follow IT rules either – they outrank the IT department.

            You might be able to rein in upper management if you can convince them and their peers that bad IT security practices are a violation of PCI standards (which can re

        • by Skuld-Chan ( 302449 ) on Wednesday May 29, 2013 @08:02PM (#43855921)

          1990 called - they want your manually set proxy server back.

          We proxy everything, but the users are none the wiser and it's a university where BYOD isn't even something we can control.

        • by ultranova ( 717540 ) on Wednesday May 29, 2013 @08:32PM (#43856129)

          I've found BYOD is actually a big PITA for large organisations because the devices people are bringing are almost universally Android or iOS, and in both cases the OS and apps have terrible support for HTTP proxies; and many large organisations use proxies to control web access from within their networks.

          So maybe you shouldn't try to control web access from your network if you allow it at all, but rather deal with people browsing Slashdot or porn sites all day long when and if it becomes a problem?

      • BYOD is not just about cell phones or property. It's about people taking work laptops home and home phones to work.

        We were recently stung by this little feature.

        License true-ups and program audits are fun.

        People install the products on their laptops with the corporate keys, and pass it around to their co-workers saying the installs are business related. For us, a two-week network scan found nearly two million dollars in improperly-licensed and unexpectedly-installed software on all those BYOD laptops.

        A whole lot of people got one-on-one meetings with management, a few lost their jobs.

        • by guruevi ( 827432 ) on Wednesday May 29, 2013 @07:40PM (#43855727)

          Maybe you should improve your licensing options or choose better products with less licensing. Throwing out high quality people because a 3rd party company bullies you is not really great business practice.

          • Re:Throwing out high quality people because a 3rd party company bullies you is not really great business practice.

            Excellent point. Licensing is key. Go FOSS.

            • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @08:51PM (#43856247) Homepage

              Sounds like a plan. Got a FOSS version of AVID? Same quality and same abilities?

              No? How about a FOSS version of AutoCAD? No, the two toys running around out there won't work.

              Well then, how about a FOSS version of my automotive computer tuning software? It supports all the modern cars, so what FOSS program is out there that does that?

              Lastly, how about a nice FOSS large accounting software system? No?

              There are three business types that cannot use FOSS even if they wanted to, and that covers a hundred thousand of businesses in the USA alone (car repair, car shops, engineering firms, accounting firms, TV stations and studios, etc.).

              FOSS is an impossible answer for a large number of businesses simply because the software does not exist.

              • Well, hey, if you can't get FOSS for what you want, at least have the ethics to realize that you have to pay for the software you use. Don't use unlicensed software. FOSS software is licensed too, even if it is or is not free of cost. Freedom in FOSS is the freedom to share and the lack of a bullshit-filled license. Or at least don't keep hiring idiots who think that it's okay to steal. It's not okay to steal in either case, and your employees ought to be aware of that: a - proprietary software copied
              • by dbIII ( 701233 )
                With respect, as an AutoCAD user from 1989 onwards, AutoCAD is a toy. For the entire length of its existence there's always been something better and the open alternatives to it are functionally just as useful, they just have a different way of getting to the same endpoint.
                • by nojayuk ( 567177 ) on Thursday May 30, 2013 @02:08AM (#43857745)

                  AutoCAD is the basis of an entire ecology of add-ons and workflow tools, many of which can cost ten times the basic cost of the package itself and then some. Oil refinery piping layouts, dynamic flow analysis, bill of materials, finite element analysis tools, import and export to other engineering packages, 3DMax visualisation etc. etc. Unless and until the FOSS alternatives to AutoCAD can plug in as a one-for-one replacement to that ecology then they're not going to make big inroads in the multiseat engineering/architectural world.

        • by mjwx ( 966435 )

          People install the products on their laptops with the corporate keys,

          Why were you giving end users corporate license keys?

      • Re: (Score:3, Insightful)

        by mjwx ( 966435 )

        You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

        Managed switches.

        No unauthorised devices get plugged in. Every device has to authenticate with the switch (so not simply MAC address blocking).

        From the fine summary:

        Because you own the device, you have certain rights to what is on the device and what you can do with the device.

        Yeah right, feck off.

        When you BYOD onto my network, we control it, we can wipe it, we can install and uninstall apps and if you don't agree to our terms, don't bother complaining that you can't BYOD. BYOD is not open slather, if yo

        • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @08:54PM (#43856257) Homepage

          I watched an IT guy try to tell a CEO that his Apple TV was not allowed on the network. The CEO pointed at the door and asked the guy, "what does it say on the door?"

          The IT guy was one of the brighter ones and got the hint quickly... and set it up on the corporate network.

          • by mjwx ( 966435 )

            I watched an IT guy try to tell a CEO that his Apple TV was not allowed on the network. The CEO pointed at the door and asked the guy, "what does it say on the door?"

            The IT guy was one of the brighter ones and got the hint quickly... and set it up on the corporate network.

            These CEOs often wonder why they end up with crappy IT departments.

            Yes men tend to make very poor security decisions.

          • by King_TJ ( 85913 ) on Wednesday May 29, 2013 @11:14PM (#43857085) Journal

            Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wannabes who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.

            You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)

            As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.

            At the end of the day, when you work in I.T., or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.

            I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)

            What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.

        • You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

          Managed switches.

          No unauthorised devices get plugged in. Every device has to authenticate with the switch (so not simply MAC address blocking).

          From the fine summary:

          Because you own the device, you have certain rights to what is on the device and what you can do with the device.

          Yeah right, feck off.

          When you BYOD onto my network, we control it, we can wipe it, we can install and uninstall apps and if you don't agree to our terms, don't bother complaining that you can't BYOD. BYOD is not open slather, if you want to bring your own device, fine, we welcome that but you will be registering it with our MDM (Mobile Device Management) system before you're even so much as able to put mail on there, that means our policies get enforced on your device (and your administrative privileges for that device get taken away). Sorry, but this part isn't negotiable.

          Well, if it was my choice to B[M]YOD, I'd let IT get admin privileges on my devices. But if it's at the company's insistence, then hell no!
          Here's the deal:
          - I can do off-hours work if I get email on my phone.
          - I won't carry a second phone for work
          - I am willing to add my work email on my phone PROVIDED:
          -- I am not required to register my device for monitoring
          -- I and ONLY I have admin rights on my phone
          -- No remote monitoring of my phone allowed

          I will, however, a

      • Usability is the antithesis of security. With that in mind, BYOD can work for some apps. Anything that stores sensitive data locally, no. Anything that requires much more stuffing around than opening up a web port, then no.

        If PHB needs more than that to get $HisFaveApp working on his Pear uPad then he may find out there are some days when he must use the tools provided by the workplace. Diddums.

        Having said this, the 80 20 rule will apply.

    • by Frobnicator ( 565869 ) on Wednesday May 29, 2013 @07:18PM (#43855519) Journal

      From the IT side, it means a nasty festering pile of vulnerabilities. It means more vectors for the Chinese hackers, more attack vectors for competitors, more attack vectors for malware, more vectors for government and corporate spying, and more ways for information to accidentally leak.

      From the personal side, it means being on the clock continuously without additional pay. It means additional personal liability. It means if something goes wrong at work the powers that be can brick your phone. It means that your boss or peers are always watching, sometimes expecting you to reply to emails at all hours or work on reports over the weekend.

      From the bottom line perspective you may get a little more hours out of the worker, but at the cost of reduced total productivity from them never disengaging and the costs of supporting an alphabet soup of devices.

      Nobody wins.

      • by chihowa ( 366380 ) on Wednesday May 29, 2013 @07:54PM (#43855861)

        Ah, but from upper management's side, it means costs are shifted from purchasing physical hardware (whose cost is hitting a floor) to employee hours (which can keep going down). It means next quarter's expenses will be lower (the difference of which they can collect as bonuses now) and when the following quarter's expenses are back up (from IT having to maintain the mess), the bonus has already been collected. Then they can start looking to cut costs again by shipping the (now fungible) labor overseas, and collect another bonus. When the whole house of cards collapses, they've already cashed out.

        Somebody wins (just not you).

        • by Benaiah ( 851593 ) on Wednesday May 29, 2013 @09:29PM (#43856469)
          Having worked on both sides of this fence I can say that IT are often lured into the belief that they are the core of an organisation and that they are constantly making things better for everyone by making things more uniform. Such as giving everyone the same desktop icons and refusing access to the desktop to allow users to add their own icons. They are hidden away from the rest of the workforce in artificially lit computer graveyards. The users in such a network, i.e. the accountants/journalists/engineers who are actually making the company money, get more and more disillusioned with this system that gets less and less functional, i.e. submit a form signed in triplicate with a cost code attached in order to get Chrome installed. They bring their own 4G devices in and use them to do their work, or bring in windows hacking tools to give themselves local admin rights and all hell breaks loose.

          Thus where I have seen IT actually play their support role is where they don't get put in the dungeon in the basement of the building but integrated into the workforce and forced to do their work in plain sight. Other staff members can see the work that they do and come and ask questions, and they can see the impact that their work has on their users. Their team meetings are infiltrated with key staff members who get to vet the plans moving forward, and key to all this, is an articulate manager who actually understands what his subordinates are doing and not just playing with dollars and cents.

    • by crow ( 16139 ) on Wednesday May 29, 2013 @07:20PM (#43855533) Homepage Journal

      No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.

      In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

      And then there are the Chinese hackers who have infiltrated the network.

      Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.

      • Re: (Score:3, Insightful)

        by mysidia ( 191772 )

        many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

        These are all things that can more or less be prevented or detected.

        For starters... the implementation of 802.1X authentication of Windows computers, Network

        • by tepples ( 727027 )
          Then watch requests to whitelist particular web sites take up half the IT department's time.
          • by mysidia ( 191772 )

            Then watch requests to whitelist particular web sites take up half the IT department's time.

            Legitimate web sites would still generally get through, because they'd be categorized by a decent filter.

            For those that don't.... require sufficient paperwork, that the user is doing most of the work, before a whitelisting request can be made.

            Tier 1 tech: "You want us to allow you access to a site being blocked?" "OK; here, fill out this 3 page form, and sign here, here, and here, and have your supe

        • by jrumney ( 197329 ) on Wednesday May 29, 2013 @10:56PM (#43856997)

          many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

          These are all things that can more or less be prevented or detected.

          Which is what is wrong with IT. You can't see past your own policies to the fact that users have genuine business needs to use Linux on their laptops or in VMs, and those web filters you install to stop anything with *p?rn* in the URL are preventing access to sites that people need to access to do their work.

          Instead of "OMG, people are bypassing our restrictions! How do we stop them?", your first response should be "why do they feel the need to do this, and how can we accommodate their business needs?".

    • What about disasters from BYOD? Can you bill someone for damage with little to no proof? Can you make someone go out and buy something new right after they just got something, due to changed requirements and so on? What if someone who is not very technically informed goes and gets the Best Buy special POS, and who fixes that mess?

      and if they go the way of making employees pay out of pocket for a specific device and subject it to complete IT control so that no personal apps or data could be used on it. This is akin to not only buyi

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA.

      That's the point though. BYOD isn't about enabling jack shit. It's about shifting the cost to your employee. If it breaks the employee pays. If the employee doesn't like it they had other options so it's their fault. Well here's the thing the employer wants to do that THEN lock down the device so that the end user can't use their own hardware. It's just petty and cheap. Petty and cheap is not going to facilitate security.

    • BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer.

      Right. Because corporate owned devices could never ever ever become quietly compromised. Sounds safe to me.

    • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @08:46PM (#43856213) Homepage

      Then tell management to stop being cheapskate morons and BUY the employees tablets and phones.

      Honestly the one thing that screams that the management is a bunch of douchebags is a BYOD policy. If a company is worth working for they buy you a tablet and phone if you need it as well as a laptop if you need it. The only places I have ever seen a BYOD requirement have been either fly-by-night or swirling the drain. If a company can afford to pay you 6 figures they can spend $1600 on a laptop every 2 years and $50 a month to get you a smartphone.

    • by vux984 ( 928602 )

      you're spending more on licensing for NAC and VDI/RDP/ICA.

      Unless you aren't.

      Many companies have an outbound sales force. They use a VPN + virtual infrastructure for laptops to access email, the CRM, point of sale/sales quote system, and intranet resources. BYOD vs company hardware is a wash for licensing here.

      You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardiz

    • 30 years a network and systems admin and such a thing has to now been hypothetical or mythical. I'd love to hear about this wonderful new thing and the miraculous science through which it was achieved. Does it involve quantum physics?
  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday May 29, 2013 @07:10PM (#43855445) Journal

    In case our good buddy Brian missed the past couple of decades, nothing is simple about 'ownership' in our delightful brave new world of digital devices...(even if we might want it to be)

    "Licensed not sold", DRM in all its myriad permutations, encrypted bootloaders, SIM-locked cell modems, systems that phone home faster(and in much greater detail), than ET, activesync policies that give IT the ability to nuke your phone if you want to connect to your email, all the good stuff.

    Even in his article, purporting to be all progressive and whatnot about recognizing 'ownership', he says "The good news is that plenty of tools allow you to isolate all your business data from employees' personal data. Those tools can let you wipe business data from their devices without touching their photos and private emails." This is, in effect, a polite way of saying that "There are plenty of tools that allow you to gain control over a slice of somebody else's device in a way sufficiently robust to keep them from messing with that slice".

    Above and beyond all the usual amusements of negotiations between dubiously equal parties, contemporary computers offer ample power to enforce restrictions of virtually arbitrary complexity over what we quaintly pretend that you 'own'.

  • I'm pretty sure that's what a lot of people here on /. have been saying about "bring your own device". You know, "it's mine, and I don't want corp. IT to tell me how to use it, or what software to have on it, or to be able to remotely delete everything on it". And, "why should I have to pay for company equipment? If it's for work, they can pay".

    Gee, who'd'a' thunk it?

    In other news, a smug Linux user commented that Linux doesn't crash nearly as often as M$ Windoze does. And, moreover, the GIMP is a more than

    • I would mod this up if I had points. This came home to roost with me just this week. I started a contract gig for one of the O&G supermajors whose new contractor policy is BYOD and they use a vmware/mokafive VM to give you access. So here I am, doing the same work their employees are doing with powerful dedicated machines and multiple displays on my laptop running a Win7 VM on top of Win7 (see: splitting resources) because said company is too tight to provide tools to do the job. I guess it's not a prob
  • Or maybe it is because I work at a place with SOX/HIPAA/DOD/etc requirements. Even though I am a vendor I have to use the customer-supplied device as I admin their servers and that's what security will allow for me to do my work. I don't have admin rights on the supplied laptop itself and everything is whitelisted to run.
    Every time I hear about this at least from my side of the fence of IT support I just think of the support and security nightmares. Also if the company wants me to install their stuff on my perso

  • Point = missed (Score:3, Interesting)

    by girlintraining ( 1395911 ) on Wednesday May 29, 2013 @07:23PM (#43855565)

    Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"

    Okay, let me make this simple; You're in IT security. Let's say you just threw open the doors and let anyone bring their own laptop in to work. Well, you know, and I know, that people are stupid. They're going to be infected with malware, viruses, APTs, and god only knows what. And that's the point: You don't know what's being brought in. You have no control now. And let's say as a result of someone doing this, they pass on a piece of malware, not to your super-secure corporate systems, but to another employee who's also brought in their own device.

    Who's legally at fault here: The employee who accidentally (or negligently!) brought in an infected laptop, the other employee who connected their own laptop and accidentally (or negligently!) got it infected... or the company whose network policy facilitated this? And here's a better question: Who do you think both employees are going to sue, thus costing your company millions in unrecoverable legal fees (even if you win, you ain't going to see that money again).

    Ownership here is indeed the issue; Just not device ownership. Specifically, the cost of ownership; which if you allow this stuff on your network, the cost of owning that network is going to rise due to incidental costs. How much, nobody knows for sure -- this is still a relatively new thing (in the business world anything less than 10 years old is 'new').

    • How about you set some standards?

      I $user in connecting my device to your $company's network, do swear and aver that
      * My antivirus software is paid for and up to date.
      * My device (to the best of my knowledge) is patched and up to date.
      * Assume all risks to the IT system that are traced to me to a value of $20 M
      * Will follow IT policies and procedures (and not look at porn at work) while device is connected.
      * (insert whatever you want here)

      Risk of infected laptop has now been transferred to the device owner

      • by tepples ( 727027 )

        My antivirus software is paid for

        Are you referring specifically to the fact that Microsoft Security Essentials runs only on the first ten PCs in an organization and that a lot of the freeware Windows AVs likewise have policies against business use? And what antivirus do you recommend for an Ubuntu installation that I keep patched?

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday May 29, 2013 @07:28PM (#43855599)
    Comment removed based on user account deletion
    • by fermion ( 181285 )
      And the solution is to go back to the good old days when corporate controlled data and users only had terminal access. With today's technology this is not so hard to do. User devices are display only. All storage and processing is done on IT controlled servers. The average worker bee does not need a high end PC, and has not needed one for years. At least not for work. It has been a perk that companies supplied a PC that could also be used for entertainment purposes.

      The real downside, to me, is sup

  • by Chas ( 5144 ) on Wednesday May 29, 2013 @07:30PM (#43855613) Homepage Journal

    "It should be about enablement"

    Spoken from the self-entitled end-user's perspective!

    Sorry, but it IS about control. Control of company data. Security of company data. Compliance with various laws such as HIPAA, SOX, etc.

    No sane company WILLINGLY bends over and spreads by giving unfettered access to their dearly bought client and company data.

    I've dealt with numerous clients over the years who've been suing former employees for data theft. And they TOOK precautions!

    And you're telling me I should let someone walk around with uncontrolled access to a multi-million dollar client list, documents, etc, in their pocket?

    FUCK YOU!

    • You have some misconceptions. Enterprise software can manage the access of data on the device: requiring the device to have a password lock, separation of client and company data, wiping of the device by the company if stolen (yes, employees are made to sign an agreement). All this can be done on Android, iPhone, BlackBerry

      • also should mention my employer actually will buy the device for the employee, it is the employee's property and yet they pay the bill each month, HOWEVER note the agreement the company can wipe the device upon termination, theft of device or any other reason.

  • Taxes (Score:4, Insightful)

    by macemoneta ( 154740 ) on Wednesday May 29, 2013 @07:34PM (#43855651) Homepage

    I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and/or compensation.

  • BYODs move between work and home thus transferring sensitive information out and moving viruses in.

  • I can see an argument that a person's device is effectively part of their brain or their body.
    I own it, I control it.
    Also. Both my device and my body can catch a virus.

    Perhaps the problem with BYOD is sick days.

  • I am waiting on the host file rant, at least it would break the cycle of it's mine, no, it's mine!! GAWD!!
  • I would never use my personal devices at work. One, if work wants me to have device xyz they can pay for it. Two, I like to keep my private and work life separate. Three, I've never worked for a company so insane that they actually thought BYOD was a good idea.

  • Of COURSE the problem is ownership! That's the first question every worker in my IT department asked when we got offered BYOD!

    "So, if I can have company data on my phone (email), what are y'all doing to my phone? Oh, you're putting it in an encrypted sandbox? Oh, you're reserving the right to wipe that sandbox remotely (and possibly my entire phone)? Oh, you're not taking any liability for accidental wipes? Oh, you're not issuing a phone number that hides my personal cell (ala Google Voice/giving me a SIP a

  • Look, where I am BYOD is totally OK. We are provided lots of options for secure OTG access and training to avoid breaches.

    Here's my personal opinion and what I advocate for in my work:
    I support doing everything you can to isolate clients from servers- from data access to workflow/process. There is no reason this level of authentication cannot be implemented on BYOD as the next step. That said, BYOD is only sustainable long term if accompanied by a mature self-service support model. IT should provide the v

  • Partition the phone into work/private.

    The 'work' profile runs whatever your corporate masters inflict upon you. It's for work calls only.

    The 'home' profile uses its own SIM and runs inside its own OS. You can load Android, FireFox OS, Ubuntu, whatever - it's your personal space with your environment, private contacts, phone contract & data plan.

    When an employee leaves, the personal profile could be easily exported to be transferred to another phone (the image is just carried across to the hypervisor r

    • Hardware virtualization exists

      the problem is that support for it needs to be built into the mobile operating system. you can't have virtualization provided by a mobile app simply because of the restrictions put upon mobile apps. so now the problem is getting google or apple to implement virtualization support. that doesn't exist.

      vmware has an android virtualization solution on the market,
      http://www.youtube.com/watch?v=HX_Kmc2n82k [youtube.com]

      it's pretty slick. a true android virtual machine that runs an "enterprise" guest android gingerbread under y

  • I have read TFA and could not say what its point is. It seems just void thinking to me.
  • http://risky.biz/byodauscert [risky.biz]

    PRESENTATION: BYOD in government, a high level talk
    Handy talk for CIOs and CSOs...

    May 23, 2013 --

    The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has

  • In the history of people. It wasn't even complete sentences and thoughts. It was word salad bullshit. If that's what "CIO Magazine" calls 'best practices' and data security regulatory and privacy law compliance, then we're all doomed and we can burn down all the data centers and go back to the 18th century.
