Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Cellphones Handhelds Portables IT Technology

Why Everyone Gets It Wrong About BYOD 377

snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
This discussion has been archived. No new comments can be posted.

Why Everyone Gets It Wrong About BYOD

Comments Filter:
  • BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.

    BYOD is a short sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.

    • by guruevi ( 827432 ) on Wednesday May 29, 2013 @06:18PM (#43855517)

      You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want? BYOD is not just about cell phones or property. It's about people taking work laptops home and home phones to work.

      If you want to make sure everything is and remains standardized, you're going to need to implement NAC and have everything on your network be a dumb terminal.

      BYOD is not just about someone saving money. It's about people expecting to have their devices work and IT in organizations being too slow or not having enough funding to give everybody their device of choice.

      • by Anonymous Coward on Wednesday May 29, 2013 @06:21PM (#43855545)

        Not sure about you, but no one plugs in whatever they want to our network, all network ports are authenticated at the switch, you plug in a non authorized device the port simply shuts off. BYOD is a fucked up concept by people that simply have a poor understanding of IT that think what they do at home is "better" as the guys running the network can't possibly know more than them. I have seen BYOD in 3 places now and in all it has been 3 complete failures where it was rolled back due to the insane increases in support costs.

        • by Anonymous Coward on Wednesday May 29, 2013 @06:29PM (#43855607)

          Then it sounds like you and the rest of the IT staff were incompetent. I work at a company right now that's been using a BYOD approach for nearly 5 years with no real issues. And with only 4 IT staff to support around 400 people.

        • by guruevi ( 827432 )

          So you have implemented NAC, you therefore have already sunk an insane amount of money and resources into getting this to work. And now you're protected until a home device with malware has authenticated itself...

          • by bdwebb ( 985489 )
            There is a definite cost to implementing NAC but I'm confused as to how you believe a home device with malware is going to authenticate itself. There are many complex malware programs out there that can attempt a variety of attack vectors but none complex enough to bypass a NAC solution worth its' salt with anything but the baddest 0-day exploits.

            There was a BlackHat presentation made in relation to NAC that presents some of these potential attack vectors (http://www.blackhat.com/presentations/bh-dc-07/
            • by guruevi ( 827432 )

              I meant the "security" a NAC gives is defeated as soon as a device authenticates itself. Whether it's your company's laptop or a home device, as soon as the user authenticates the device it has free reign over the network and any malware on the computer gains access as well while you think the network is "secure". Typical malware is installed on devices that are still used by actual users.

        • by swalve ( 1980968 )
          That seems like a lot of hassle for not a lot of payoff. Every time something breaks or gets moved, they have to call IT to reenable the port? Just so you can imagine that you have security? I guess nobody ever heard of MAC address spoofing.
          • by bdwebb ( 985489 )
            MAC address spoofing doesn't help vs a well implemented NAC solution as the MAC address of the connecting device is not the only authentication factor. Many NAC solutions even require agents to be installed on the connected machine so that an analysis of installed software and hardware can be performed as an additional authenticator and many will pre-scan connecting devices for offending/unsecure software and quarantine them in a segregated network with no routing abilities.

            Once implemented, a NAC isn't
            • by guruevi ( 827432 )

              NAC isn't actually all that costly. There are free (as in beer and as in speech) solutions that top the expensive, vendor-centric NAC solutions.

              The problem is that NAC is not a security tool, it's a network access control tool. It gives you some control as to what devices can connect to which portions of the network and typically you bump other devices to a VLAN that goes directly to the Internet (like a guest network on WiFi).

              Once a device is authenticated (either by a malicious user or more likely, shared

        • by dbIII ( 701233 )
          I disagree with the first point - only because accepting BYOD means you have to give up on that and have ways available for people to plug their stuff in or connect wirelessly without contacting IT or their own management, using nothing more than a password circulated by word of mouth. Once a BYOD policy is there you the good idea expressed above (you plug in a non authorized device the port simply shuts off) is just abandoned.

          It means you have to have staff available and plans in place to deal with viru
        • by beelsebob ( 529313 ) on Wednesday May 29, 2013 @10:13PM (#43857079)

          Sorry to tell you this, but you're not doing your job. As a network administrator, your job is to make sure that the people using the network are able to do the tasks they need for their job.

          Yes BYOD means you need to be careful about what happens on the network, but it does not mean the network will instantly fall over if you, the network administrator, is even half competent. What it also means in many (most?) companies is significant productivity gains for the people using the network, and ultimately, that's why you're there – to facilitate their productivity, not to sit in your ivory tower with your pristine "perfect" network that actually doesn't do what the users need it to.

          • by DarkOx ( 621550 ) on Thursday May 30, 2013 @05:06AM (#43858563) Journal

            I am sorry but people like you who have that attitude toward it are absolutely every bit as wrong as the it types who think the answer to everything should be "no".

            When some gets a worm on your network and it takes the entire business offline for the better part of a day while everyone chases down and cleans the machines you will still say IT failed to do the job you refused to let them do.

            When you customer list is published on wiki leaks, or near perfect copies of your flagship product trade secrets and all start coming off the boat from china you will say it did not do their, which you refused to let then do.

            Yes, IT needs to help you be productive but they also need to protect you and the company, which means they can't just let you do *anyhing* any time. It's not that simple, you need to stop looking at IT as your bitch and start thinking of then as trusted advisors just like you do your legal department or your HR people.

        • by Jane Q. Public ( 1010737 ) on Thursday May 30, 2013 @01:08AM (#43857743)

          "Not sure about you, but no one plugs in whatever they want to our network..."

          I agree with you 100%. And I go further: if the company wants me to BMOD, then they can damned well pay me for the use of it. It's okay... I'll rent it to them at the going commercial rate.

      • You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

        Yep, I've had customers insist they don't need to worry about antivirus, etc. on their workstations because they have a company policy that no one plugs unauthorised kit into the network. A few weeks later they invariably get an infection because one of the directors ignored policy and plugged his personal laptop in - afterall, who's going to tell the director off?

        BYOD is not just about someone saving money. It's about people expecting to have their devices work and IT in organizations being too slow or not having enough funding to give everybody their device of choice.

        I've found BYOD is actually a big PITA for large organisations because the devices people are bringing are almost universally Android or iOS, an

        • by guruevi ( 827432 )

          Both devices have plenty of support for HTTP proxies. Even then, Squid has a transparent proxy option. Or you could filter at the DNS level... options, options.

          • Both devices have plenty of support for HTTP proxies.

            Android Gingerbread lets you set a single HTTP proxy which applies to all networks. That means device owners have to manually enter and clear the proxy settings as they move between the office network and their home network. Not that it matters - almost all apps ignore the proxy settings anyway.

            Android ICS and Jellybean let you set an HTTP proxy per wifi network, which at least means the user isn't expected to reconfigure the phone all the time. Most apps still ignore the proxy settings. Most of the apps that do pay attention to the proxy settings don't support authenticated proxy servers.

            All recent versions of iOS allow the proxy and authentication credentials to be set on a per wifi network basis. That's excellent. Except that most apps (including a good chunk of the stock iOS apps that Apple ship with the phone) either ignore the proxy settings entirely or fail to support authenticated proxy servers. (Yes, Apple is aware of these problems - there are bug reports in their bug tracking system that have been open for several years, they aren't interested in fixing them).

            Even then, Squid has a transparent proxy option.

            Transparent proxying only works for HTTP, not HTTPS unless you are going to MITM all the sessions (which involves installing certificates on all the clients). And even then, you can't authenticate the users if you're proxying transparently.

        • by mysidia ( 191772 )

          afterall, who's going to tell the director off?

          I would... in private of course. The director must be coached, and warned, in a firm and positive way order to give them an opportunity to avoid misbehaving in the future.

          This is why it's important to have security policies and IT governance rules and the consequences in writing, and signed off on by multiple members of upper management, and the board.

          If you commit a violation, the disciplinary action procedure has to be initiated, no matter who you a

          • The problem is that unless you can make a strong legal and/or business case for it, having the top management in a mid-size or large company held to the same standards as everyone else just isn't going to happen. For that matter, you probably can't force the company's best salesman to follow IT rules either – they outrank the IT department.

            You might be able to rein in upper management if you can convince them and their peers that bad IT security practices are a violation of PCI standards (which can re

        • by Skuld-Chan ( 302449 ) on Wednesday May 29, 2013 @07:02PM (#43855921)

          1990 called - they want your manually set proxy server back.

          We proxy everything, but the users are none the wiser and its a university where BYOD isn't even something we can control.

        • by ultranova ( 717540 ) on Wednesday May 29, 2013 @07:32PM (#43856129)

          I've found BYOD is actually a big PITA for large organisations because the devices people are bringing are almost universally Android or iOS, and in both cases the OS and apps have terrible support for HTTP proxies; and many large organisations use proxies to control web access from within their networks.

          So maybe you shouldn't try to control web access from your network if you allow it at all, but rather deal with people browsing Slashdot or porn sites all day long when and if it becomes a problem?

      • BYOD is not just about cell phones or property. It's about people taking work laptops home and home phones to work.

        We were recently stung by this little feature.

        License true-ups and program audits are fun.

        People install the products on their laptops with the corporate keys, and pass it around to their co-workers saying the installs are business related. For us, a two-week network scan found nearly two million dollars in improperly-licensed and unexpectedly-installed software on all those BYOD laptops.

        A whole lot of people got one-on-one meetings with management, a few lost their jobs.

        • by guruevi ( 827432 ) on Wednesday May 29, 2013 @06:40PM (#43855727)

          Maybe you should improve your licensing options or choose better products with less licensing. Throwing out high quality people because a 3rd party company bullies you is not really great business practice.

          • Re:Throwing out high quality people because a 3rd party company bullies you is not really great business practice.

            Excellent point. Licensing is key. Go FOSS.

            • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @07:51PM (#43856247) Homepage

              Sounds like a plan. got a FOSS version of AVID? same quality and same abilities?

              No? how about a FOSS version of AutoCad? no the two toys running around out there wont work.

              Well then how about a FOSS version of my automotive computer tuning software? IT supports all the modern cars, so what FOSS program is out there that does that?

              Lastly how about a nice FOSS large accounting software system? no?

              There are three business types that can not use FOSS even if they wanted to, and that covers a hundred thousand of businesses in the USA alone. (car repair, car shops, engineering firms, accounting firms, TV stations and studios, etc...

              FOSS is an impossible answer for a large number of businesses simply because the software does not exist.

              • Well, hey, if you can't get FOSS for what you want, at least have the ethics to realize that you have to pay fo rthe software you use. Don't use unlicensed software. FOSS software is licensed too, even if it is or is not free of cost. Freedom in FOSS is the freedom to share and the lack of a bullshit-filled license. Or at least don't keep hiring idiots who think that it's okay to steal. It's not okay to steal in either case, and your employees ought to be aware of that: a - proprietary software copied
              • by dbIII ( 701233 )
                With respect, as an AutoCAD user from 1989 onwards, AutoCAD is a toy. For the entire length of it's existence there's always been something better and the open alternatives to it are functionally just as useful, they just have a different way of getting to the same endpoint.
                • by nojayuk ( 567177 ) on Thursday May 30, 2013 @01:08AM (#43857745)

                  AutoCAD is the basis of an entire ecology of add-ons and workflow tools, many of which can cost ten times the basic cost of the package itself and then some. Oil refinery piping layouts, dynamic flow analysis, bill of materials, finite element analysis tools, import and export to other engineering packages, 3DMax visualisation etc. etc. Unless and until the FOSS alternatives to AutoCAD can plug in as a one-for-one replacement to that ecology then they're not going to make big inroads in the multiseat engineering/architectural world.

        • by mjwx ( 966435 )

          People install the products on their laptops with the corporate keys,

          Why were you giving end users corporate license keys?

      • Re: (Score:3, Insightful)

        by mjwx ( 966435 )

        You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

        Managed switches.

        No unauthorised devices get plugged in. Every device has to authenticate with the switch (so not simply MAC address blocking).

        From the fine summary:

        Because you own the device, you have certain rights to what is on the device and what you can do with the device.

        Yeah right, feck off.

        When you BYOD onto my network, we control it, we can wipe it, we can install and uninstall apps and if you dont agree to our terms, dont bother complaining that you cant BYOD. BYOD is not open slather, if yo

        • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @07:54PM (#43856257) Homepage

          I watched an IT guy try to tell a CEO that his apple TV was not allowed on the network. the CEO pointed at the door and asked the guy, "what does it say on the door?"

          The IT guy was one of the brighter ones and got the hint quickly... and set it up on the corporate network.

          • by mjwx ( 966435 )

            I watched an IT guy try to tell a CEO that his apple TV was not allowed on the network. the CEO pointed at the door and asked the guy, "what does it say on the door?"

            The IT guy was one of the brighter ones and got the hint quickly... and set it up on the corporate network.

            These CEO's often wonder why they end up with crappy IT departments.

            Yes men tend to make very poor security decisions.

          • by King_TJ ( 85913 ) on Wednesday May 29, 2013 @10:14PM (#43857085) Journal

            Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wanna-be's who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.

            You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)

            As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.

            At the end of the day, when you work in I.T, or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.

            I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)

            What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.

        • You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want?

          Managed switches.

          No unauthorised devices get plugged in. Every device has to authenticate with the switch (so not simply MAC address blocking).

          From the fine summary:

          Because you own the device, you have certain rights to what is on the device and what you can do with the device.

          Yeah right, feck off.

          When you BYOD onto my network, we control it, we can wipe it, we can install and uninstall apps and if you dont agree to our terms, dont bother complaining that you cant BYOD. BYOD is not open slather, if you want to bring your own device, fine, we welcome that but you will be registering it with our MDM (Mobile Device Management) system before you're even so much as able to put mail on there, that means our policies get enforced on your device (and your administrative privileges for that device get taken away). Sorry, but this part isn't negotiable.

          Well, if it was my choice to B[M]YOD, I'd let IT get admin privileges on my devices. But if its at the company's insistence, then hell no!
          Here's the deal:
          - I can do off-hours work if I get email on my phone.
          - I won't carry a second phone for work
          - I am willing to add my work email on my phone PROVIDED:
          -- I am not required to register my device for monitoring
          -- I and ONLY I have admin rights on my phone
          -- No remote monitoring of my phone allowed

          I will, however, a

      • Usability is the antithesis of security. With that in mind. BYOD can work for Some apps. Anything that stores sensitive data locally, no. Anything that requires much more stuffing around that opening up a web port, then no.

        If PHB needs more than that to get $HisFaveApp working on his Pear uPad then he may find out there are some days when he must use the tools provided by the workplace. Diddums.

        Having said this, the 80 20 rule will apply.

    • by Frobnicator ( 565869 ) on Wednesday May 29, 2013 @06:18PM (#43855519) Journal

      From the IT side, it means a nasty festering pile of vulnerabilities. It means more vectors for the Chinese hackers, more attack vectors for competitors, more attack vectors for malware, more vectors for government and corporate spying, and more ways for information to accidentally leak.

      From the personal side, it means being on the clock continuously without additional pay. It means additional personal liability. It means if something goes wrong at work the powers that be can brick your phone. It means that your boss or peers are always watching, sometimes expecting you to reply to emails at all hours or work on reports over the weekend.

      From the bottom line perspective you may get a little more hours out of the worker, but at the cost of reduced total productivity from them never disengaging and the costs of supporting an alphabet soup of devices.

      Nobody wins.

      • by chihowa ( 366380 ) on Wednesday May 29, 2013 @06:54PM (#43855861)

        Ah, but from upper management's side, it means costs are shifted from purchasing physical hardware (who's cost is hitting a floor) to employee hours (which can keep going down). It means next quarter's expenses will be lower (the difference of which they can collect as bonuses now) and when the following quarter's expenses are back up (from IT having to maintain the mess), the bonus has already been collected. Then they can start looking to cut costs again by shipping the (now fungible) labor overseas, and collect another bonus. When the whole house of cards collapses, they've already cashed out.

        Somebody wins (just not you).

        • by Benaiah ( 851593 ) on Wednesday May 29, 2013 @08:29PM (#43856469)
          Having worked on both sides of this fence I can say that IT are often lured into the belief that they are the core of an organisation and that they are constantly making things better for everyone by making things more uniform. Such as giving everyone the same desktop icons and refusing access to the desktop to allow users to add their own icons. They are hidden away from the rest of the workforce in artificially lit computer graveyards. The users in such a network ie, the accountants/journalists/engineers who are actually making the company money get more and more disillusioned with this system that gets less and less functional, ie submit a form signed in triplicate with a cost code attached in order to get Chrome installed. They bring their own 4G devices in and use them to do their work, or bring in windows hacking tools to give themselves local admin rights and all hell breaks loose.

          Thus where I have seen IT actually play their support role is where they don't get put in the dungeon in the basement of the building but integrated into the workforce and forced to do their work in plain sight. Other staff members can see the work that they do and come and ask questions, and they can see the impact that their work has on their users. Their team meetings are infiltrated with key staff members who get to vet the plans moving forward, and key to all this, is an articulate manager who actually understands what his subordinates are doing and not just playing with dollars and cents.

    • by crow ( 16139 ) on Wednesday May 29, 2013 @06:20PM (#43855533) Homepage Journal

      No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.

      In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

      And then there are the Chinese hackers who have infiltrated the network.

      Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.

      • Re: (Score:3, Insightful)

        by mysidia ( 191772 )

        many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

        These are all things that can more or less be prevented or detected.

        For starters... the implementation of 802.1X authentication of Windows computers, Network

        • by tepples ( 727027 )
          Then watch requests to whitelist particular web sites take up half the IT department's time.
          • by mysidia ( 191772 )

            Then watch requests to whitelist particular web sites take up half the IT department's time.

            Legitimate web sites would still generally get through, because they'd be categorized by a decent filter.

            For those that don't.... require sufficient paperwork, that the user is doing most of the work, before a whitelisting request can be made.

            Tier 1 tech: "You want us to allow you access to a site being blocked?" "OK; here, fill out this 3 page form, and sign here, here, and here, and have your supe

        • by jrumney ( 197329 ) on Wednesday May 29, 2013 @09:56PM (#43856997)

          many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

          These are all things that can more or less be prevented or detected.

          Which is what is wrong with IT. You can't see past your own policies to the fact that users have genuine business needs to use Linux on their laptops or in VMs, and those web filters you install to stop anything with *p?rn* in the URL are preventing access to sites that people need to access to do their work.

          Instead of "OMG, people are bypassing our restrictions! How do we stop them?", your first response should be "why do they feel the need to do this, and how can we accommodate their business needs?".

    • what about disasters from BYOD can you bill some for damage with little to no proof? can you make some go out buy some thing new right after they just go some due to change requirements and so no? What some who is not very technically informed goes and get's the best buy special POS and who fixes that mess?

      and if they go the way of making employees pay out of pocket for a specific device and subject it to complete IT control so that no personal apps or data could be used on it. This is akin to not only buyi

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA.

      That's the point though. BYOD isn't about enabling jack shit. It's about shifting the cost to your employee. If it breaks the employee pays. If the employee doesn't like it they had other options so it's their fault. Well here's the thing the employer wants to do that THEN lock down the device so that the end user can't use their own hardware. It's just petty and cheap. Petty and cheap is not going to facilitate security.

    • BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer.

      Right. Because corporate owned devices could never ever ever become quietly compromised. Sounds safe to me.

    • by Lumpy ( 12016 ) on Wednesday May 29, 2013 @07:46PM (#43856213) Homepage

      Then tell management to stop being cheapskate morons and BUY the employees tablets and phones.

      Honestly the one thing that screams that the management is a bunch of Douschebags is a BYOD policy. If a company is work working for they buy you a tablet and phone if you need it as well as a laptop if you need it. The only places I have ever seen a BYOD requirement has been either fly-by-night or swirling the drain. If a company can afford to pay you 6 figures they can spend $1600 on a laptop every 2 years and $50 a month to get you a smartphone.

    • by vux984 ( 928602 )

      you're spending more on licensing for NAC and VDI/RDP/ICA.

      Unless you aren't.

      Many companies have an outbound sales force. The use a VPN + virtual infrastructure for laptops to access email email, access to the CRM, point of sale/sales quote system, and intranet resources. BYOD vs company hardware is a wash for licensing here.

      You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardiz

    • 30 years a network and systems admin and such a thing has to now been hypothetical or mythical. I'd love to hear about this wonderful new thing and the miraculous science through which it was achieved. Does it involve quantum physics?
  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday May 29, 2013 @06:10PM (#43855445) Journal

    In case our good buddy Brian missed the past couple of decades, nothing is simple about 'ownership' in our delightful brave new world of digital devices...(even if we might want it to be)

    "Licensed not sold", DRM in all its myriad permutations, encrypted bootloaders, SIM-locked cell modems, systems that phone home faster(and in much greater detail), than ET, activesync policies that give IT the ability to nuke your phone if you want to connect to your email, all the good stuff.

    Even in his article, purporting to be all progressive and whatnot about recognizing 'ownership, he says "The good news is that plenty of tools allow you to isolate all your business data from employees' personal data. Those tools can let you wipe business data from their devices without touching their photos and private emails." This is, in effect, a polite way of saying that "There are plenty of tools that allow you to gain control over a slice of somebody else's device in a way sufficiently robust to keep them from messing with that slice'.

    Above and beyond all the usual amusements of negotiations between dubiously equal parties, contemporary computers offer ample power to enforce restrictions of virtually arbitrary complexity over what we quaintly pretend that you 'own'.

  • I'm pretty sure that's what a lot of people here on /. have been saying about "bring your own device". You know, "it's mine, and I don't want corp. IT to tell me how to use it, or what software to have on it, or to be able to remotely delete everything on it". And, "why should I have to pay for company equipment? If it's for work, they can pay".

    Gee, who'd'a' thunk it?

    In other news, a smug Linux user commented that Linux doesn't crash nearly as often as M$ Windoze does. And, moreover, the GIMP is a more than

    • I would mod this up if I had points. This came home to roost with me just this week. I started a contract gig for one of the O&G supermajors whose new contractor policy is BYOD and they use a vmware/mokafive VM to give you access. So here I am, doing the same work their employees are doing with powerful dedicated machines and multiple displays on my laptop running a Win7 VM on top of Win7 (see: splitting resources) because said company is too tight to provide tools to do the job. I guess it's not a prob
  • Or maybe it is because I work at place with SOX/HIPAA/DOD/etc requirements. Even though I am vendor I have to use the customer supplied device as I admin their servers and thats what security will allow for me to do my work. I don't have admin rights on the supplied laptop itself and everything is whitelisted to run.
    Every time I hear about this at least from my side of the fence of IT support I just think of the support and security nightmares. Also if the company wants me to install their stuff on my perso

  • Point = missed (Score:3, Interesting)

    by girlintraining ( 1395911 ) on Wednesday May 29, 2013 @06:23PM (#43855565)

    Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"

    Okay, let me make this simple; You're in IT security. Let's say you just threw open the doors and let anyone bring their own laptop in to work. Well, you know, and I know, that people are stupid. They're going to be infected with malware, viruses, APTs, and god only knows what. And that's the point: You don't know what's being brought in. You have no control now. And let's say as a result of someone doing this, they pass on a piece of malware, not to your super-secure corporate systems, but to another employee who's also brought in their own device.

    Who's legally at fault here: The employee who accidentally (or neglegently!) brought in an infected laptop, the other employee who connected their own laptop and accidentally (or neglegently!) got it infected... or the company whose network policy facilitated this? And here's a better question: Who do you think both employees are going to sue, thus costing your company millions in unrecoverable legal fees (even if you win, you ain't going to see that money again).

    Ownership here is indeed the issue; Just not device ownership. Specifically, the cost of ownership; which if you allow this stuff on your network, the cost of owning that network is going to rise due to incidental costs. How much, nobody knows for sure -- this is still a relatively new thing (in the business world anything less than 10 years old is 'new').

    • How about you set some standards?

      I $user in connecting my device you your $companies network, do swear and aver that
      * My antivirus software is paid for and up to date.
      * My device (to the best of my knowledge) is patched and up to date.
      * Assume all risks to the IT system that are traced to me to a value of $20 M
      * Will follow IT policies and procedures (and not look at porn at work) while device is connected.
      * (insert whatever you want here)

      Risk of infected laptop has now been transferred to the device owner

      • by tepples ( 727027 )

        My antivirus software is paid for

        Are you referring specifically to the fact that Microsoft Security Essentials runs only on the first ten PCs in an organization and that a lot of the freeware Windows AVs likewise have policies against business use? And what antivirus do you recommend for an Ubuntu installation that I keep patched?

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday May 29, 2013 @06:28PM (#43855599)
    Comment removed based on user account deletion
    • by fermion ( 181285 )
      And the solution is to go back to the good old days when corporate controlled data and user only had terminal access. This with todays technology this is not so hard to do. User devices are display only. All storage and processing is done on IT controlled servers. The average worker bee does not need a high end PC, and has not needed one for years. At least not for work. It has been a perk that companies supplied a PC that could also be used for entertainment purposes.

      The real downside, to me, is sup

  • by Chas ( 5144 ) on Wednesday May 29, 2013 @06:30PM (#43855613) Homepage Journal

    "It should be about enablement"

    Spoken from the self-entitled end-user's perspective!

    Sorry, but it IS about control. Control of company data. Security of company data. Compliance with various laws such as HIPAA, SOX, etc.

    No sane company WILLINGLY bends over and spreads by giving unfettered access to their dearly bought client and company data.

    I've dealt with numerous clients over the years who've been suing former employees for data theft. And they TOOK precautions!

    And you're telling me I should let someone walk around with uncontrolled access to a multi-million dollar client list, documents, etc, in their pocket?

    FUCK YOU!

    • you have some misconceptions. Enterprise software can manage the access of data on the device: requiring device have password lock, separation of client and company data, wiping of the device by the company if stolen (yes, employees made to sign agreement). All this can be done on Android, iPhone, Blackberrry

      • also should mention my employer actually will buy the device for the employee, it is the employee's property and yet they pay the bill each month, HOWEVER note the agreement the company can wipe the device upon termination, theft of device or any other reason.

  • Taxes (Score:4, Insightful)

    by macemoneta ( 154740 ) on Wednesday May 29, 2013 @06:34PM (#43855651) Homepage

    I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and or compensation.

  • BYODs move between work and home thus transferring sensitive information out and moving viruses in.

  • I can see an argument that a person's device is effectively part of their brain or their body.
    I own it, I control it.
    Also. Both my device and my body can catch a virus.

    Perhaps the problem with BYOD is sick days.

  • I am waiting on the host file rant, at least it would break the cycle of it's mine, no, it's mine!! GAWD!!
  • I would never use my personnel devices at work. One, if work wants me to have device xyz they can pay for it. Two, I like to keep my private and work life separate. Three, I've never worked for a company so insane that they actually thought BYOD was a good idea.

  • Of COURSE the problem is ownership! That's the first question every worker in my IT department asked when we got offered BYOD!

    "So, if I can have company data on my phone (email), what are y'all doing to my phone? Oh, you're putting it in an encrypted sandbox? Oh, you're reserving the right to wipe that sandbox remotely (and possibly my entire phone)? Oh, you're not taking any liability for accidental wipes? Oh, you're not issuing a phone number that hides my personal cell (ala Google Voice/giving me a SIP a

  • Look, where I am BYOD is totally OK. We are provided lots of options for secure OTG access and training to avoid breaches.

    Here's my person opinion and what I advocate for in my work:
    I support doing everything you can to isolate clients from servers- from data access to workflow/process. There is no reason this level of authentication cannot be implemented on BYOD as the next step. That said, BYOD is only sustainable long term if accompanied by a mature self-service support model. IT should provide the v

  • Partition the phone into work/private.

    The 'work' profile runs whatever your corporate masters inflict upon you. It's for work calls only.

    The 'home' profile uses its own SIM and runs inside its own OS. You can load Android, FireFox OS, Ubuntu, whatever - it's you're personal space with your environment, private contacts, phone contract & data plan.

    When an employee leaves, the personal profile could be easily exported to be transferred to another phone (the image is just carried across to the hypervisor r

    • Hardware virtualization exists

      the problem is that support for it needs to be built into the mobile operating system. you can't have virtualization provided by a mobile app simply because of the restrictions put upon mobile apps. so now the problem is getting google or apple to implement virtualization support. that doesn't exist.

      vmware has an android vritualization solution on the market,
      http://www.youtube.com/watch?v=HX_Kmc2n82k [youtube.com]

      it's pretty slick. a true android virtual machine that runs an "enterprise" guest android gingerbread under y

  • I have readen TFA and could not say what its point is. It seems just void thinking to me.
  • http://risky.biz/byodauscert [risky.biz]

    PRESENTATION: BYOD in government, a high level talk
    Handy talk for CIOs and CSOs...

    Start the discussion 0 Comments
    May 23, 2013 --

    The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has

  • In the history of people. It wasn't even complete sentences and thoughts. It was word salad bullshit. If that's what "CIO Magazine" calls 'best practices' and data security regulatory and privacy law compliance, then we're all doomed and we can burn down all the data centers and go back to the 18th century.

Disclaimer: "These opinions are my own, though for a small fee they be yours too." -- Dave Haynie

Working...