Why Everyone Gets It Wrong About BYOD
snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.
BYOD is a short-sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.
Feed the need: Digitaladdiction.net
In case our good buddy Brian missed the past couple of decades, nothing is simple about 'ownership' in our delightful brave new world of digital devices... (even if we might want it to be)
"Licensed not sold", DRM in all its myriad permutations, encrypted bootloaders, SIM-locked cell modems, systems that phone home faster (and in much greater detail) than ET, activesync policies that give IT the ability to nuke your phone if you want to connect to your email, all the good stuff.
Even in his article, purporting to be all progressive and whatnot about recognizing 'ownership', he says "The good news is that plenty of tools allow you to isolate all your business data from employees' personal data. Those tools can let you wipe business data from their devices without touching their photos and private emails." This is, in effect, a polite way of saying that "There are plenty of tools that allow you to gain control over a slice of somebody else's device in a way sufficiently robust to keep them from messing with that slice".
Above and beyond all the usual amusements of negotiations between dubiously equal parties, contemporary computers offer ample power to enforce restrictions of virtually arbitrary complexity over what we quaintly pretend that you 'own'.
It's your device, and you own it.
Not if it's running an Apple or Microsoft OS.
I'm pretty sure that's what a lot of people here on /. have been saying about "bring your own device". You know, "it's mine, and I don't want corp. IT to tell me how to use it, or what software to have on it, or to be able to remotely delete everything on it". And, "why should I have to pay for company equipment? If it's for work, they can pay".
Gee, who'd'a' thunk it?
In other news, a smug Linux user commented that Linux doesn't crash nearly as often as M$ Windoze does. And, moreover, the GIMP is a more than sufficient replacement for Photoshop for most casual users.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Great circular rant with no intelligent point. Thanks for the "simple take" Brian. Way to gloss over information security and system compatibility by repeating the same nonsensical bullshit for a whole page.
Or maybe it is because I work at a place with SOX/HIPAA/DOD/etc requirements. Even though I am a vendor I have to use the customer supplied device as I admin their servers and that's what security will allow for me to do my work. I don't have admin rights on the supplied laptop itself and everything is whitelisted to run.
Every time I hear about this at least from my side of the fence of IT support I just think of the support and security nightmares. Also if the company wants me to install their stuff on my personal PC, well, they can buy me one. Same goes for a phone. They need to call me as an employee, they can provide a cell phone too.
No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.
In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.
And then there are the Chinese hackers who have infiltrated the network.
Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.
That's why businesses like it.
Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
Okay, let me make this simple; You're in IT security. Let's say you just threw open the doors and let anyone bring their own laptop in to work. Well, you know, and I know, that people are stupid. They're going to be infected with malware, viruses, APTs, and god only knows what. And that's the point: You don't know what's being brought in. You have no control now. And let's say as a result of someone doing this, they pass on a piece of malware, not to your super-secure corporate systems, but to another employee who's also brought in their own device.
Who's legally at fault here: The employee who accidentally (or negligently!) brought in an infected laptop, the other employee who connected their own laptop and accidentally (or negligently!) got it infected... or the company whose network policy facilitated this? And here's a better question: Who do you think both employees are going to sue, thus costing your company millions in unrecoverable legal fees (even if you win, you ain't going to see that money again).
Ownership here is indeed the issue; Just not device ownership. Specifically, the cost of ownership; which if you allow this stuff on your network, the cost of owning that network is going to rise due to incidental costs. How much, nobody knows for sure -- this is still a relatively new thing (in the business world anything less than 10 years old is 'new').
#fuckbeta #iamslashdot #dicemustdie
And not just with a link. No, this is not a well known acronym yet.
What about disasters from BYOD? Can you bill someone for damage with little to no proof? Can you make someone go out and buy something new right after they just got something, due to changed requirements and so on? What if someone who is not very technically informed goes and gets the Best Buy special POS, and who fixes that mess?
And if they go the way of making employees pay out of pocket for a specific device and subject it to complete IT control so that no personal apps or data could be used on it, this is akin to not only buying your uniform from only this supplier, but also ensuring it is kept clean and pressed; and not only that, but based on the cost and labor laws, that can pull some under min wage for that pay period, and in other places it may fall under Business Expenses.
Also you can be hit with same laws even if not as locked down / you must use this system.
The problem with BYOD is that users often want access to corporate data. But companies have a right, no, make that a duty to protect their own data. The problem is that in order to do that, the company has to have some control of your hardware. Mainly with regards to encryption and holding the keys from you. Again, your device, their data. And that's often the point of contention between staff and IT personnel.
Life is not for the lazy.
That's it right there.. It's your device.... you control it..
Well since that is such a big issue for you, since I control the network, I guess you WON'T be bringing your own device and using it at work. ......
Chew on that
"It should be about enablement"
Spoken from the self-entitled end-user's perspective!
Sorry, but it IS about control. Control of company data. Security of company data. Compliance with various laws such as HIPAA, SOX, etc.
No sane company WILLINGLY bends over and spreads by giving unfettered access to their dearly bought client and company data.
I've dealt with numerous clients over the years who've been suing former employees for data theft. And they TOOK precautions!
And you're telling me I should let someone walk around with uncontrolled access to a multi-million dollar client list, documents, etc, in their pocket?
FUCK YOU!
Chas - The one, the only.
THANK GOD!!!
You have no rights if you connect to my network and I get to control your device 100%. Sorry, it has to be that way for all our security. If you don't like it (hey, I don't either...), not a problem, just don't connect YOUR device to my network and accept a corporate device.
There are many things involved here:
- The fact that a discovery and hold data order may mean the company needs to grab the user's notebook (and depending on the jurisdiction possibly provide them with another one).
- The lack of a solid hardware break fix plan for "whatever crap" the user brings in. Is it depot instead of onsite? Is it even under a plan?
- How does the crap notebook from Best Buy work with existing docking solutions and provide dual monitor support and fit with the corporate ergonomics mandate?
- Heck, how can the user even load the corporate ergonomic software - let alone any other corporate software on the device. Many times the ownership issue is exactly the licensing boundary.
- How does IT support the failed app installs due to some crazy setup?
- How does that home system work with our Smart Card mandate for logon?
There are a lot more. In fact, most large companies' IT departments will simply punt and force all corporate data access and applications to go through a VDI and use the user's BYOD device as a dumb display terminal when faced with BYOD.
It is about ownership. Please. If only it was just about that this would be easy.
I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and or compensation.
Can You Say Linux? I Knew That You Could.
Companies like BYOD because they suddenly don't have to pay the bill for the hardware and the data plan (or whatever).
If there is company property on your device, they have every right to it. Not as good as it seems.
BYODs move between work and home thus transferring sensitive information out and moving viruses in.
When you use it on company property on company time for company work you are doing then you need to abide by their rules and when following those rules essentially it is not yours.
It's no different than having to buy your own clothes that meet your company's standards. Sure you can have mustard stains on them, if you are a business guy you have to tuck in your shirt, not wash them and spill coffee on them but when you are at work those things are not acceptable to company standards. Yes you bought the clothes but you are still required to keep them a certain way for work.
If they didn't control the device you bring in at least somewhat then the offices would get flooded with Trojans from retards that can't maintain their device, or people just automatically assume they can take whatever company data home on their device.
So is it your device? Yes it is. Is it your device when using it on company time? No it is not because your ass belongs to your employer when on their time body and device and if you don't like it then quit your job because there are a ton of people out there who would love to have a job.
Think about the risk that has transferred over to your personal devices. You take ownership of a BYOD as your own, even if you receive a stipend for its purchase. So now a BYOD affects you personally, and not only the company. For example, if you work in an environment where your BYODs could be damaged. This could range from the basic (spilled coffee) to the extreme (working outside in a harsh environment). What if it's cosmetic damage?
Obviously I have some personal experience in this. I took a BYOD (Macbook Retina) on a business trip, and we were making coax cables. My colleague dropped his end and the center conductor whipsawed onto my brand new screen, leaving a scratch. So now my supposedly best in class screen has a smiley face scratch on it. You could argue it is cosmetic. So how do you handle this? I talked with my boss and it became clear that having a BYOD means accepting some liability. To be clear, my job is fairly office environment-esque, just general IT tasks for the most part. I use my laptop for email, programming, office suite etc. But I could see days where I need to bring it on a man-lift or in a harsh environment. Not a great prospect.
There are certainly extremes where you can expect some company liability, but it opens many questions about how to determine if/when risk of BYOD damage is a customer issue.
I'm not going to spend this much money, stipend or not, and have it get all jacked up. I'm leaning towards letting the company carry the risk going forward...
K
I can see an argument that a person's device is effectively part of their brain or their body.
I own it, I control it.
Also. Both my device and my body can catch a virus.
Perhaps the problem with BYOD is sick days.
I am waiting on the host file rant, at least it would break the cycle of it's mine, no, it's mine!! GAWD!!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
I would never use my personal devices at work. One, if work wants me to have device xyz they can pay for it. Two, I like to keep my private and work life separate. Three, I've never worked for a company so insane that they actually thought BYOD was a good idea.
Anarchists never rule
Who is going to replace it the same day when the device breaks, the screen gets damaged, the fan stops spinning, or it catches on fire? If it's BYOD, and work needs to be done, the employee may not have the money on hand to deal with "fixing it" that day. If it's not BYOD, it will be replaced by the next morning. Work can't stop because there's no funds available to fix your BYOD device.
Of COURSE the problem is ownership! That's the first question every worker in my IT department asked when we got offered BYOD!
"So, if I can have company data on my phone (email), what are y'all doing to my phone? Oh, you're putting it in an encrypted sandbox? Oh, you're reserving the right to wipe that sandbox remotely (and possibly my entire phone)? Oh, you're not taking any liability for accidental wipes? Oh, you're not issuing a phone number that hides my personal cell (ala Google Voice/giving me a SIP address)?"
Ya, fuck that noise. Give me my crappy work-iPhone 5 that, rather than using native apps like the Blackberry I had, gets to use "GOOD for Enterprise" apps that don't integrate with the rest of the phone.
By making people use hardware they own, the non-tech types break them dramatically less than when it is company owned.
We had an 80% reduction in sales people breaking laptops when we started making everyone use hardware they own (and have to replace when they break it).
Things don't get lost in airports, people don't carry them around by the screen like a jackass, etc ...
Look, where I am BYOD is totally OK. We are provided lots of options for secure OTG access and training to avoid breaches.
Here's my personal opinion and what I advocate for in my work:
I support doing everything you can to isolate clients from servers- from data access to workflow/process. There is no reason this level of authentication cannot be implemented on BYOD as the next step. That said, BYOD is only sustainable long term if accompanied by a mature self-service support model. IT should provide the virtualized environment setup, but once it's on your device you are "on your own". Devices now are so homogeneous- soon it won't be an issue to support random/phones/tablets/PCs. Save money supporting on the front end, consolidate your back end and support the hell out of it. Companies should supply replacement and loaner hardware if they need to confiscate a user device, for say, legal reasons or company interests.
---Up Up Down Down Left Right Left Right B A START
The huge issue with BYOD is really simple. People are paid to work. This means that whatever device they're using has to work so they can do their jobs.
With BYOD, their device is potentially an unreliable piece of junk that the IT staff (who are responsible for keeping people working) has no control of, no experience with, and no idea how it's set up.
So when it fails, the IT staff are suddenly landed with a big turd that they have to get working RIGHT NOW because Joe Citizen needs to be able to work.
See the problem?
Proxy servers are a relic of a time before NAT. Please, please, please stop using this old hack to "share" your office Internet connection. If you want to prevent SMTP/FTP/IRC/etc traffic on your network, set up a proper firewall that blocks those port ranges. As you pointed out, using a proxy server in 2013 is going to give grief to anybody that has to touch it.
Partition the phone into work/private.
The 'work' profile runs whatever your corporate masters inflict upon you. It's for work calls only.
The 'home' profile uses its own SIM and runs inside its own OS. You can load Android, Firefox OS, Ubuntu, whatever - it's your personal space with your environment, private contacts, phone contract & data plan.
When an employee leaves, the personal profile could be easily exported to be transferred to another phone (the image is just carried across to the hypervisor running on the new phone).
Dual SIM tech exists. Hardware virtualization exists (arm v7a extensions).
and the shit rolls down hill from there
Here's the simple question...
Perhaps without knowing all of the risks associated with BYOD in a corporate environment, or any environment where information management is expected or required, how comfortable would you personally be if you knew that BYOD was implemented as a standard anyone-can-have-it end-user offering at:
- Your Doctor and/or health care provider
- The financial institutions you use (e.g. banks, brokerage, 401k, etc.)
- Any small/large company that is storing your personal information (SSN, DOB, name, address, salary info, etc.)
- Your attorney, accountant, etc.
- The networks of your government
Shoot. After typing this, I half wish there was a BYOD disclosure requirement to customers/citizens of the above organizations.
T-Mobile USA doesn't lock phones anymore because it's switched from a subsidy model to a more transparent loan model.
You can have:
* Company data that is not world readable
* Low cost (time and money) support.
* Users bringing in their own devices that are not editable by the company.
Attempts to have "all three" mean that the cost was underestimated.
Ack!
I have read TFA and could not say what its point is. It seems just void thinking to me.
http://risky.biz/byodauscert
PRESENTATION: BYOD in government, a high level talk
Handy talk for CIOs and CSOs...
May 23, 2013 --
The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has to consider when allowing staff to use their own devices in a heavily regulated environment.
bash$
In the history of people. It wasn't even complete sentences and thoughts. It was word salad bullshit. If that's what "CIO Magazine" calls 'best practices' and data security regulatory and privacy law compliance, then we're all doomed and we can burn down all the data centers and go back to the 18th century.
Well, you don't need BYOD to take the company's data home. You can use a portable hard drive, cd, use a cloud service, email, etc.
"Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
I am so sick of how slow the POS microsoft computers are they force us to use. By the time the Microsoft drone IT clowns put all their crippleware on them, they are so slow productivity slows to a crawl. Not to mention the constant reboots required when the AV kicks in or the machines randomly slow to a crawl. My home computer has half the specs of my work computer and runs dev tools, databases, servers, etc... probably about 100x faster.
If your job requires you to carry a phone, then you carry the phone, and if you don't want to share according to the rules, I guess you carry two phones.
Do you ask them to rekey your office door and the building access to match the doors at home?
I thought not.. you carry one key for home, and one key for work.
Do you demand that your drivers license be used as your corporate ID? Swipe the DL instead of your badge?
I thought not.
If your job doesn't require you to carry a phone, then don't carry the company phone, and nobody cares. If the job requires it, carry the darn phone and stop your whining.
Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wanna-be's who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.
You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)
As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.
At the end of the day, when you work in I.T, or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.
I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)
What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.
Do you ask them to rekey your office door and the building access to match the doors at home?
I thought not.. you carry one key for home, and one key for work.
If they wanted me to buy my own lock then I would
The point here is your employer cannot demand to control your property. You want to control something you pay for it.
Whether or not I will agree to carry a second phone is orthogonal. I might if my job required it but not if it was just for being able to work off hours. But again, that's beside the point.
The spread of all the devices means that either us frontline support guys have to get trained up on all the devices' operating systems and quirks or certain people support certain devices, which can be a royal pain in the ass if someone is away for whatever reason, especially if it is a long term absence.
It should be a case of "Here are the settings you need. Have fun as you won't get any more support than that". Of course, we know that all the PHBs that ruin a company... I mean run a company, will screw things up and require us frontline people to fix the utter ballsup they have made of the simple, fully illustrated guide they were given.
My laptop was stolen from our office during an after hours panel discussion we hosted. I used it from week 2 to untether from the desktop. It was locked down with a Kensington Microsaver. My employer did not reimburse me for the machine.
And not just with a link. No, this is not a well known acronym yet.
Bring Your Own Beverage. Context of the summary was clear that BYOD is Bring Your Own Device.
30 years a network and systems admin and such a thing has to now been hypothetical or mythical. I'd love to hear about this wonderful new thing and the miraculous science through which it was achieved. Does it involve quantum physics?
Help stamp out iliturcy.
Reading these comments it is clear most commenting here are clueless. There is no nice way to put it. You are mostly tools... make decisions based on what is right not what is fashionable or be consumed by the tides of man.
The BSA will have a field day slamming companies that migrate off site licensing Windows and MS Office for using limited licenses or even worse pirated software on the BYOD equipment used to conduct the company's business. If you don't actually provide employees with a licensing budget or depend s
To get around it means getting into equally big trouble with labor laws banning the nonfree-freelancer loophole some companies have used to pretend they do not have obligations as an employer in the past.
The main problem with BYOD is the fact that you can't legally demand that your employees bring the device you want them to without compensation, at least not in the civilized part of the world. I.e. no matter what, the company is going to wind up paying most of the HW bill, and all of the licensing bills. And you still need to support the equipment.
The problem here is not as much that you can't manage the security aspects but that you can't just slash your IT budget without breaking contract and employment law. And without the option of cutting IT budgets most BYOD business cases just fall apart.
Wouldn't the "owner" be entitled to claim the purchase cost, maintenance, and service charges as allowable cost-of-employment expenses, similar to a mechanic's hand tools or a salesman's unreimbursed automobile mileage?
IANAL, so I was just wondering.
Scruting the inscrutable for over 50 years.
You do realize that it ends up costing more. The reason why Australian Government Departments like this is that you can better fiddle the books to say you have a higher ratio of teachers/doctors/lawyers than before (because you can outsource support to those off the books as regular employees).
One thing that many people overlook when they voluntarily bring their own hardware to work is that when it breaks or is worn out, it's their own responsibility.
For instance, if you use your private laptop 8 hours a day at work and the fan or battery is worn out after a year, it's your own responsibility.
Or, if you bring your laptop to work and it breaks, it's also your own responsibility.
You'll have to pay for repairs or a new laptop yourself.
Unless, of course, if you have a contract with your employer about them taking responsibility for private equipment.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
Engineering and R & D would be trying to find coding examples and the sites they would end up trying to reach were flagged
I recommend that they used to block web traffic to pornography, overseas IP address space, Known VPN providers, and Cable/DSL/Dialup provider IP address ranges
This would interfere with essential duties of R&D in the way that Eristone and I described if the "coding examples" happen to be hosted on a web site in another country.
The approval requirements just go there, to demonstrate that the employee is not wasting business resources requesting a web site be opened up for personal or reasons not essential to the carrying out of the organization's mission.
When an engineer performs a Bing or Google search for information "essential to the carrying out of the organization's mission", but most of the results are blocked because they happen to redirect all HTTP traffic to HTTPS as an anti-Firesheep measure and are not one of a few "specific known destinations", this block interferes with "the carrying out of the organization's mission".
If you are in IT and the higher ups want BYOD then Citrix is the way to do it. You still have tight control about what they can do with data. Use access gateway for remote access and give everyone with their own device a port on the switch that is considered to be public. Citrix is the only way I would ever do BYOD.
At the company I work for, the idea of BYOD for smartphones and laptops was tested and evaluated. The result was that the BYOD pilot programs were totally shut down and that BYOD was declared DOA. The reasons were many:
Problem #1: Our company requires a high level of security on our network, as we work with data from a wide variety of customers. US Government, Foreign governments and commercial customers all expect us to protect it. Any leak, any potential breach of data could be a disaster for both the company and the owner of the data. Yes, there are ways that the data can be protected, but that runs into problem #2.
Problem #2: People don't want to have the use of their personal equipment dictated to. A good example was the short-term availability of the iPhone within the company. The devices were locked down so that only approved applications could be installed, security measures needed to be used, passwords were required and that caused resentment by the users that they couldn't use the device in the manner they wanted to use it for: as a personal device, installing whatever software applications they wanted and no security requirements. The complaints were so many that the company decided instead of trying to get the users to treat the devices as company devices, that they would simply no longer offer the device and go back to Blackberry devices, since it was understood that they were more secure than the iPhone.
Many of these issues could probably be mitigated through training, but users have a habit of not wanting to follow the requirements put in place by Information Security. It's not IT driving these requirements, it's the need to secure the data and maintain network integrity with the devices that connect to it. Even with company equipment, we know the users won't do what's necessary which is why there's a lot of security scripts that run to ensure things like anti-virus is up to date, firewall is active and the latest rules are running, whitelisting software is running, etc. ad nauseam. And that means that IS and IT would have to control the personal device in order to make sure it's properly hardened... at which point it's not the user's device any more.
This is "News for Nerds" - I think you're looking for eonline.com
We had a VP that had his home locks changed to match the building front door because he only wanted to ever carry two keys. When I was going through his termination interview and asked for his key, the prospect of not being able to get into his house brought the flaw in his plan to light.
Smartphones and tablets mean greater Wi-Fi and VPN needs. We have replaced our managed wireless system twice in the last 4 years, and the last one was exponentially more expensive than the previous. Good thing devices are going to 5 GHz, because we have 2.4 GHz maxed out, meaning adding more access points will not add any more capacity for 2.4 GHz devices. We now have 8 times the access points that we did 4 years ago. We probably are not typical though, we have about 300 employees in a smaller city with mostly 2G cell service, Verizon has spotty 3G service here, so everyone uses the Wi-Fi.
I would love a job cleaning at a Google Data Center. But I only have a Bachelor's of Computer Science. I do not have time to get my Master's to qualify for the position. ;)
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
People forget, what does a company care about? It's their data, nothing more.
BYOD is about data classification, control, loss prevention, etc.
You need to forget about trying to secure a device that isn't yours, monitoring your employees' Facebook traffic, or wiping devices or data that aren't yours to wipe.
Push vendors for solutions to protect the data. DRM for business data may, unfortunately, be the best way.
When it comes to BYOD, IT is often laying the groundwork for their own demise in the same way the MIS department did in the 80s when the PC upended their "glass house" model for keeping all enterprise data and services inside the data center. If it was up to MIS, the most important app on your PC would still be TN3270 and no business-critical data would EVER make it to permanent storage on your laptop.
You "BYOD over my dead body" IT guys amuse me - be careful what you wish for, lol.
MIS died for a good reason - PCs ushered in Computing 2.0 - that was the original "consumerization of IT" (how quickly we forget) and we're now at the threshold of Computing 3.0 - let me elaborate:
2.0 was all about client/server => 3.0 is all about cloud/mobile
2.0 was all about controlling the endpoint => 3.0 is all about controlling only the apps and data and letting go of the illusion of endpoint control
2.0 was all about the LAN - we bolted on the internet and tried to secure it by firewalling at the network layer => 3.0 assumes ubiquitous networking and secures the apps and data from layer 7 down using identity as the security anchor
2.0 was all about packaged software in a box that eventually became downloadable => 3.0 is about app stores and HTML5 apps with a complete cloud lifecycle
Was the PC ever as secure as a mainframe? Hell no. Didn't matter.
Was the PC ever as reliable as a mainframe? Hell no. Didn't matter.
So why the hell did PCs take over? Anything you did with them was faster and cheaper and people exposed to them could never go back to the old UX.
Any of this sound familiar?
Tell me again why you're never going to embrace BYOD, and I'll tell you why your IT department is going to be called something else 5 years from now and you'll be working for someone who doesn't give a shit about all your reasons why BYOD should never have been implemented.
gd2shoe: Just for the record, it's not that I overlooked that aspect. It's more of a belief that it's not an aspect that should change much, in any properly run organization.
For example, concerns about BYOD devices causing security holes on the corporate network? Strongest case for this would generally be allowing older devices on the network that run older OS's. In our workplace, we simply gave a list of approved BYOD devices users could choose from that we'd allow and support. We also adopted a policy about rooting and jailbreaking. Basically, we acknowledge it's out there and is legal to do, but also note that MOST vulnerabilities come from rooted or jailbroken devices. So I.T. takes a stance of allowing it but not supporting it. If you opt to do it - you do so understanding that if you put in a support ticket with some issue with that device, we will revert it back to a non-rooted or jailbroken state as part of our troubleshooting process (and might remove you from our network until we have time to do that).
All in all, I don't even believe that I.T. is really so "expert" in handling outside threats and attacks. How can we be? We usually don't have access to the source code to the devices we implement and often aren't even good enough at coding to figure out what it meant if we were. Ever get caught in that "balancing act" where you want to apply all new updates to a system to ensure it's "as secure as possible" but some of those updates aren't supported by mission critical software also loaded on the box? Ever do the updates that are pushed out only to find they break a server? (I sure have, especially with some of Microsoft's "recommended updates" that they later recalled and revisited.) Eventually, it happens to most sysadmins that they cause real and immediate problems trying to prevent theoretical security-related ones.
It sounds like you have spent some time and effort to address the situation on your network relative to your needs. I've seen shops where the policy was to bury their heads in the sand.
I didn't actually use the word "expert", but "professional" -- as in, it's part of the IT profession to understand and manage such risks.
Nitpicking aside, someone must determine various risks, attack vectors, and ways to deal with them. Like it or not, that's part of IT. That doesn't mean perfect security, releasing your own patches, or being omniscient. It does mean addressing the big three in a reasoned, balanced way: data confidentiality, integrity, availability. It does mean following industry guidelines and keeping your ear to the ground (metaphorically speaking) for changes in the field. It doesn't mean knowing each and every unpatched zero-day exploit, but it does mean knowing the broad types of exploits and how to avoid or recognize and recover from them.
Again, I largely agree with you, and think our stances aren't terribly different.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
And because I own the workplace, I define the range of what you can do:
1) You conform to corporate policy (i.e. you do what I say).
2) You leave it at home.
3) You shove it up your ass, sideways, and waddle by HR on your final journey to the door.
--
Your friendly neighborhood PHB
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
When people do finally "get" what BYOD actually is, they'll realise how stupid it is in nearly every business environment.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife