Video Do the Risks of BYOD Outweigh the Benefits? (Video) 82
He says, "...it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that." In this interview, Steve talks about how (surprise!) the current BYOD trend is making things worse, but isn't necessarily responsible for the worst security holes, and offers benefits that might outweigh the increased security risks it brings.. (Note: The transcript contains material not included in the video.)
Slashdot: I am Robin Miller for Slashdot and with us today is Steve Hasselbach from Peak 10, and we are talking about the Internet of thingies, which, as you know, from having watched Slashdot, my friend Tom Henderson and I are somewhat obsessed with, including the time when we found the easily hacked internet coffee pot. And we thought that was amusing but stupid. Now Steve, of course, is talking about a little bit more enterprise and a little bit more useful things. So Steve, what are people getting, I mean corporately, out of allowing things on their network?
Steve: Well, what they are getting when they allow these things on the network is they are allowing that user to probably be a little bit more productive in their job. They might have found something that’s a little bit useful for them in their personal life and they want to bring that into the business life. Similar to the Smart Hub—to this thing right here. There were days when we would connect one of these things to a network and now you connect it to the network. Then there is the concept of bring –your-own-device.
Slashdot: Yes.
Steve: Now people or companies don’t want to necessarily pay for the laptops, well the users want to use their own laptops--there you go. Because we are controlling, right. We want to control all these things. I want to sit at my desk, I want to control that coffee pot. I want to control that refrigerator. I want the refrigerator to tell me when things are out of that refrigerator or when they are empty, ‘you need to do this’, or ‘you need to do that’. Well, that’s great. So we’ve got these connected things, righ?. And they all run, they have to run some sort of operating system, right, there’s something core there, they are not running something big and heavy like Windows. They are running something nice and lean like they are going to run like a version, some version of Android, a fork of Android or some lean and mean Linux, a meaner version of Linux or something like that. It can run on really small really inexpensive hardware. And now those are connected to your Wi-Fi. There are tools out there that allow IT shops to be able to enforce policies on your devices before they are able to connect to any type of secure corporate network.
Slashdot: Aha!
Steve: That’s one thing that they’ll do. The other thing that they’ll do is they’ll have their private secure corporate network where they can enforce everything on it, but then they’ll also add the guest network that’s there. So when somebody comes in to the conference room from outside and they need to get on to the Wi-Fi and they’ll say, “Look, you are not connecting that thing to our network, but you can connect it to this guest network,” where they have a lot more security restrictions on the network itself, where I don’t care what happens on that side of it, but that thing’s going to have to go through all the corporate firewalls and everything else just to be able to get to talk to any of our assets. So there are tools that allow them to control those things. And the first line of defense really is that wireless network. Because all these devices, the internet of things it is all about wireless. So you have to have your protections and control. Who can get on that secure wireless network, and then who can’t get on that with those things. So in my line of business, Peak 10 is in the data center business.
Slashdot: Yeah.
Steve: So I meet with prospects all the time who are looking to move into the cloud or they are looking to move in to one of our data centers and put their stuff in there, so I get to see all kinds of businesses. I get to see the finance businesses, and the healthcare businesses and all over the place, the ones where there is heavy regulation—it is out there. And it used to shock me, it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that. And it is not the big hospitals. The big hospitals that we have as customers they are doing a pretty good job at it.
Slashdot: Yeah.
Steve: It is a big task for them. They are doing a good job.
Slashdot: Yeah, well, they have IT departments and they have enough money they can hire smart people.
Steve: Exactly. It is those medium sized ones and small ones that can’t afford or don’t have the expertise. And so now thrown on top of this, is the fun IOT device that they want to bring in that makes their life easier.
Slashdot: Yeah.
Steve: They have no clue, they have zero clue whatsoever about how to secure that, and what’s involved in it. They just know that it is fun and that it works and that it is great. So what I really worry about is down the road, so what’s the lifespan? The lifespan of somebody’s IOT devices might be six months to a year. They might just get a gadget that’s just a disposable gadget, but then there is those couple of devices that you get that hang around for two or three or four or five years—it is something like a GPS tracking device that logistics companies use to track their trailers all around the country. Those things once again, are probably going to be in service for quite some time. After a while, after a year or two, they start putting out new versions of the product, and they stop patching the old ones.
Slashdot: Oh?
Steve: So we’ve got all these security vulnerabilities that get discovered or not discovered and there is no patching that is going to take place on there. And you cannot control that. There is nothing you can do except to say, “Look, you’ve got to upgrade these devices every year.” And so when you talk about, what is the impact to enterprise IT? Well, there is going to be potentially a big monetary cost. It is not just about bring-your-own-device. It is about the ones that businesses are buying and using to help support their organization.
Commentary by Cartoon (Score:1)
http://onthefastrack.com/comic... [onthefastrack.com]
"The transcript contains material not in the video (Score:2, Insightful)
Then it's not a transcript, is it?
No (Score:2)
With a company-owned device there is no question. If someone leaves and they still have your $800 phone... the cops will at least listen and there is no question as to whether you can brick it.
I'm all for freedom and stuff but I've seen this go south too many times.
Re:No (Score:5, Insightful)
good network security such as MAC registration
MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.
Re: (Score:2)
good network security such as MAC registration
MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.
A new security feature is randomizing the mac id, and insuring the randomised mac address is distinct from the hardware mac. Every relog in to a system will generate a new fake mac.
Re: (Score:2)
Then don't you mean "yes, the risks outweigh the benefits"?
BTW, I agree with you from the employee side of the matter. My company provides me a phone. It is theirs. I have my own phone. It is mine. This arrangement suits me very well. As long as the company wants me to have a phone to use on company business, they will need to continue to provide me with one.
Re: (Score:2)
I do not use my tablet or phone for company business (other than short phone calls). If the company really wants me to use such a device for company business, they will have to provide it. I've told them this when they've said "just use your tablet". And their response has, so far, been "Oh. Then don't worry about it." the customer liaison "engineers", "resident" engineers, their managers and department directors (and above) have company issued phones and tablets. The rest of us don't, despite the fact it w
Re: (Score:2)
I personally got 2 phones. One was an iPhone, which I use exclusively for personal use (i.e. facetimeing relatives), whose number I don't share w/ anybody outside family. The other is a Moto X, which I don't share w/ family, but which I use exclusively for work, assuming that they don't provide me anything. So if any office wanted to configure it for any official work, I'd let them, and reset the phone whenever I left that job. That way, I keep my work and personal lives completely separate.
One good
California BYOD laws - sigh (Score:2)
California law says that companies can only let you use BYOD if they're providing you with equipment and service plans. The assumption is that companies will try to rip off their employees by making them bring their own devices, so it should be forbidden. While I understand that, it means that I can;t just bring my own iPad/Android tablet to work to use as an alternative to the company laptop unless the company also buys me a work phone. (Sigh. Eventually they did that, but the IT department's support f
Re: (Score:2)
Yep, in fact, with the new European Court of Human Rights ruling that states employers can snoop on private data on a machine used at work I would refuse to ever bring my own device in to a work place now. It's too risky, there's not a chance I'm going to enter into a situation where my employer potentially has the legal right to look through all my personal e-mails, photos, communications and so forth ever.
For me BYOD is a big no no, I wouldn't touch it with a barge pole, the slightest chance that an emplo
Re: (Score:2)
A Story about BYOD (Score:5, Insightful)
I used to work at BlackBerry. Obviously a company serious about security for corporate customers with BES.
We would meet with those customers, and gather requirements about what features and security they needed. We'd review laws and industry rules, and we built software to meet those needs.
IT departments said:
- We need to be able to control what applications can run on devices
- We need to lock down the device and remove applications like messaging
- We need to prevent copy and paste. We need to turn off lots of features.
So we built these things. We let them lock down the device. That's what the laws said, and that's what our customers wanted.
Then some executive would ask, why am I carrying around two phones? And why are we buying people BlackBerry's when they have iPhones or Androids. Why can't I cut and paste?
And then execs started to realize how much money they could save by getting employees to use their own phones.
And security went out the window. BlackBerry, listening to their customers, dug their own grave.
Re:A Story about BYOD (Score:5, Insightful)
Re: (Score:1)
what they want... to get paid without doing any work... please implement now.
also your ceo just sent you an email to send me 18 million dollars
Re: (Score:1)
Actually this should be modded up. You should never implement what customers say they want. You should find out what they want.
They want it all. Oh, and fuck you if you don't bring it to them. Next question.
And definitely don't ask the IT people. They have a very narrow view of the world.
Yeah, can't imagine the highly trained technical staff corporations employ to keep them running would have a fucking clue as to why you would want to implement a secure solution on a highly portable device with internet access, bluetooth, wireless, and a microphone that can be hidden damn near anywhere.
Blackberry would still have a market niche, if corporations actually still gave a fuck about mobile security. They don't, an
My consultation algorithm: (Score:2)
1) Confer with the client. Find out what he wants. (He'll tell you what he wants ADDED to what he is replacing.)
2) Research the client's current operation: Consult his underlings, especially the front-line workers, who know what's REALLY going on. Make friends with them and try to help them out, too. Find out what he currently has. Figure out what (you think) he needs.
3) Propose to the client that he should want what you think he needs.
4) After he's had a chance to think about it, design and build wha
Re: (Score:2)
blackberry dug their grave by assuming their lead will never be taken over and to turn a blind eye towards innovation, convenience and just the plain old shiny.
they are trying to dig themselves out a bit now... ( i am a BB user) and users are realizing security may even be necessary.
lets see how it shakes out.
Re: (Score:2)
In the end their security may very well be crap, but have you seen the competition?
Re: (Score:2)
IT departments said:
Cover my ass, do these ridiculous things
Then some executive would ask
Why are you doing these ridiculous things? They are ridiculous, employees are in open revolt, are not reliably carrying their leashes or are compromising them or outright replacing them. Stop doing these things.
And security went out the window.
A false sense of very corporate bureaucrat version of security went out the window.
BlackBerry
was not listening to its customers, it was listening to their keepers. People
Re: (Score:1)
There should be a new slogan
"Attempting to secure everything will guarantee nothing is secure."
Re: (Score:2)
BlackBerry, listening to their customers, dug their own grave.
No. The market has spoken and the vast majority of customers clearly do not want what BlackBerry built.
Blackberry was listening to someone, but it obviously wasn't the people who made the ultimate purchasing decisions.
This is a very important business lesson. Understand who your customers really are. They are the people who will pay money for your product or services. This sounds simple, but there are often many entities that look like customers but aren't really. The IT department who claims to represent c
BYOD has been a fail boat since always (Score:2)
all of this because idiots want to play angry birds on the corporate network.
BYOD needs to be killed with fire
It's a scam. (Score:3)
Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.
Re: (Score:2)
Re: (Score:2)
So, because the execs are technical idiots who don't understand that they're handing over the keys to their personal life at their own expense, I should do the same?
Re: (Score:3)
Re: (Score:2)
Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.
I haven't worked for a job where I was not allowed to use my BYOD for personal use. It was a pain that they could remote wipe my phone, but with Android and root, it was pretty easy to block that ability.
My new job uses GOOD which sounds good in principle - a sandboxed corporate environment that doesn't interact with my personal stuff. Problem is that GOOD checks for root and I'd rather use adaway and lug my laptop around than get work emails/calender on my phone. There is an old version of GOOD that I c
Re: (Score:2)
It was a pain that they could remote wipe my phone, but with Android and root, it was pretty easy to block that ability.
Where I work, rooting an enrolled device, or otherwise taking steps to circumvent the device policy, is a violation of the terms you must agree to to enroll in the BYOD program. Devices which the employer cannot remote-wipe are not eligible for the program, regardless of the reason. It's probably the same at most other places. Is the cost and inconvenience of a separate work device worth losing your job over?
Re: (Score:2)
Um. No. You're doing it wrong. The only thing my employer gets to keep control of is the company email on my phone. He can remotely delete it at any time. The rest of the phone and my own email and all the apps, data, and media on it belong to me and my employer has no way to access it. He pays half the monthly bill and any work related extra costs like roaming when I travel for work. Seems fair.
Sigh (Score:3)
At the end of the day the users always win anyway. IT just has to suffer and endure
Ah, How about NOOOO?! (Score:1)
Now people or companies don’t want to necessarily pay for the laptops, well the users want to use their own laptops--there you go.
If I need a laptop for work then my employer needs to buy me one.
If I need a cell phone, my employer needs to buy me one AND the plan. Track what I do on their phone? No fucking problem from me.
We are NOT carpenters, plumbers, mechanics, or tradesmen (or are we now?) where we have to supply our own tools. But if an employer insists that I use my own phone for work and if gets hacked well, that's THEIR problem and THEIR fault.
Re: (Score:2)
Re: (Score:2)
Because they'll look pretty silly showing up at the work site without them, because then they won't have any tools to work with. This is the standard for any physical laborer or mechanic. This works for them, since there's no need for the worker to link his tools to anything of the employer, and the worker does better with tools he has selected and is familiar with. Doesn't work that well for IT, where the tools need to mesh closely with the employer's setup to work.
Re: (Score:2)
Re: (Score:2)
That is indeed a cogent argument in favor of BYOD. In fact, it's my opinion it's the best argument in favor of it. But to my mind, it fails because a computer needs to be more closely integrated to the employer's systems then a manual worker's tool--a fact which is only made worse by the fact that those systems aren't standardized the way building hardware is. Even if an IT worker is moving from job to job the way a manual laborer does--and admittedly some do--the different set ups from job to job means
Re: (Score:2)
My point--in the manual worker's world, there are industry standards he can rely on and will be followed. You mention a case where there are two different standards and you have to follow the right one. In IT you may never see the same standards twice.
Re: (Score:3)
The difference is between being an employee versus being self-employed.
Not even company mobile on the wifi (Score:3)
Heck, where are these people working with such lax security? Here at a health insurer, I can't get permission to put my company issued smart phone on the company wifi, never mind a personal device.
Which BYOD are we talking about? (Score:5, Funny)
Bring Your Own Device?
Build Your Own Dessert?
Bury Your Own Dead?
I think we could have had an expansion of this acronym in the summary, just for clarity...
Re: (Score:2)
Bite Your Own Dick, obviously.
Re: (Score:2)
Re: (Score:1)
Its a very common acronym for Bring Your Own Drinks around here, where you bring your own booze and a restaurant charges a corkage fee. I imagine it does adversely affect security.
Yes (Score:3)
Re: (Score:2)
People who use their work phone or laptop for personal use are stupid.
But the process for me works in reverse -- it's my damn phone, so I will decide how it will notify me of new messages (guess what, my VIP list includes no work addresses), when I will turn it off, what apps I will run on it, etc.
My wife got a new iPhone from work and was wondering if she should get rid of her personal one. I told her "do you want them to see your personal information? what happens when they fire you and you lose the num
Re: (Score:2)
employer has the ability to always contact you because you use that cell phone for personal purposes, it's not so convenient
At a certain level this is part of the job, and assumed with the salary and benefits. It's not that high, a developer or engineer may have no direct reports, but compared to someone that works in the factory or the sales floor has a significantly greater responsibility and is expected to at least answer a phone call outside of normal work hours. You can carry two phones and drive yo
Re: (Score:3)
Have people never heard of email/call forwarding? Leave your work phone in the office, forward the calls to your personal number. Is it that hard?
I've never carried a work phone or been on call without compensation and refuse to do so. The only reason it is "assumed with the salary" is because people refuse to ask: and what will I be being paid for those hours? Never got a huge amount of money but about 100-150 for a weekend or so + 1.5X time if I actually got a call for a minimum of 4 hours pay. Ie you cal
Re: (Score:2)
Those things are usually against company policy, but policy here can be effective because IT can easily trace this, and I'm not clever enough to figure out an excuse why it's a good idea to forward company email to personal accounts over insecure links. I suppose I should look to Hillary Clinton? I actually don't think that's a good idea, when I can do something better with VPN on my personal phone. Particularly since much of my email requires a "secure link" from/to our vendors (VPN has been determined to
Re: Wrong question. (Score:2)
They could use X
Yes (Score:2)
BYOD works for me. (Score:2)
BYOD works fine for me. I own the phone, I manage the voice and data plan and the company pays for half. This definitely works out in my favor. If I travel out of the country the company pays for the roaming plan. At work I use the company guest wifi to save on data use. I had to install some kind of app so they can wipe the company email if I lose the phone. My personal email is completely separate. The company has next to no issues supporting me. I don't have to carry two phones. Everybody wins.
I'm not going to carry two phones. (Score:1)
I'm not going to carry two phones. For some people that might be OK, but I've only got so much pocket space and room for chargers at home.
Since I will be using the sole phone I carry for personal use, I have some set-in-stone policies:
1. I get to choose the phone that suits me best.
2. I update the hardware according to my convenience and requirements.
3. The device is completely controlled by me for security and contractual reasons.
So long as a company complies with those policies, I am quite flexible about