Slashdot Mirror
Why Everyone Gets It Wrong About BYOD
snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.
BYOD is a short sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.
Feed the need: Digitaladdiction.net
In case our good buddy Brian missed the past couple of decades, nothing is simple about 'ownership' in our delightful brave new world of digital devices...(even if we might want it to be)
"Licensed not sold", DRM in all its myriad permutations, encrypted bootloaders, SIM-locked cell modems, systems that phone home faster(and in much greater detail), than ET, activesync policies that give IT the ability to nuke your phone if you want to connect to your email, all the good stuff.
Even in his article, purporting to be all progressive and whatnot about recognizing 'ownership, he says "The good news is that plenty of tools allow you to isolate all your business data from employees' personal data. Those tools can let you wipe business data from their devices without touching their photos and private emails." This is, in effect, a polite way of saying that "There are plenty of tools that allow you to gain control over a slice of somebody else's device in a way sufficiently robust to keep them from messing with that slice'.
Above and beyond all the usual amusements of negotiations between dubiously equal parties, contemporary computers offer ample power to enforce restrictions of virtually arbitrary complexity over what we quaintly pretend that you 'own'.
It's your device, and you own it.
Not if it's running an Apple or Microsoft OS.
I'm pretty sure that's what a lot of people here on /. have been saying about "bring your own device". You know, "it's mine, and I don't want corp. IT to tell me how to use it, or what software to have on it, or to be able to remotely delete everything on it". And, "why should I have to pay for company equipment? If it's for work, they can pay".
Gee, who'd'a' thunk it?
In other news, a smug Linux user commented that Linux doesn't crash nearly as often as M$ Windoze does. And, moreover, the GIMP is a more than sufficient replacement for Photoshop for most casual users.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Or maybe it is because I work at place with SOX/HIPAA/DOD/etc requirements. Even though I am vendor I have to use the customer supplied device as I admin their servers and thats what security will allow for me to do my work. I don't have admin rights on the supplied laptop itself and everything is whitelisted to run.
Every time I hear about this at least from my side of the fence of IT support I just think of the support and security nightmares. Also if the company wants me to install their stuff on my personal pc. well they can buy me one. Same goes for a phone. They need to call me as an employee they can provide a cell phone too.
No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.
In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.
And then there are the Chinese hackers who have infiltrated the network.
Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.
That's why businesses like it.
Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
Okay, let me make this simple; You're in IT security. Let's say you just threw open the doors and let anyone bring their own laptop in to work. Well, you know, and I know, that people are stupid. They're going to be infected with malware, viruses, APTs, and god only knows what. And that's the point: You don't know what's being brought in. You have no control now. And let's say as a result of someone doing this, they pass on a piece of malware, not to your super-secure corporate systems, but to another employee who's also brought in their own device.
Who's legally at fault here: The employee who accidentally (or neglegently!) brought in an infected laptop, the other employee who connected their own laptop and accidentally (or neglegently!) got it infected... or the company whose network policy facilitated this? And here's a better question: Who do you think both employees are going to sue, thus costing your company millions in unrecoverable legal fees (even if you win, you ain't going to see that money again).
Ownership here is indeed the issue; Just not device ownership. Specifically, the cost of ownership; which if you allow this stuff on your network, the cost of owning that network is going to rise due to incidental costs. How much, nobody knows for sure -- this is still a relatively new thing (in the business world anything less than 10 years old is 'new').
#fuckbeta #iamslashdot #dicemustdie
And not just with a link. No, this is not a well known acronym yet.
what about disasters from BYOD can you bill some for damage with little to no proof? can you make some go out buy some thing new right after they just go some due to change requirements and so no? What some who is not very technically informed goes and get's the best buy special POS and who fixes that mess?
and if they go the way of making employees pay out of pocket for a specific device and subject it to complete IT control so that no personal apps or data could be used on it. This is akin to not only buying your uniform from only this supplier, but also ensuring it is kept clean and pressed and not only but based on the cost and labor laws that can pull some under min wage for that pay period and in other places it may fall under Business Expenses.
Also you can be hit with same laws even if not as locked down / you must use this system.
The problem with BYOD is that users often want access to corporate data. But companies have a right, no, make that a duty to protect their own data. The problem is that in order to do that, the company has to have some control of your hardware. Mainly with regards to encryption and holding the keys from you. Again, your device, their data. And that's often the point of contention between staff and IT personnel.
Life is not for the lazy.
"It should be about enablement"
Spoken from the self-entitled end-user's perspective!
Sorry, but it IS about control. Control of company data. Security of company data. Compliance with various laws such as HIPAA, SOX, etc.
No sane company WILLINGLY bends over and spreads by giving unfettered access to their dearly bought client and company data.
I've dealt with numerous clients over the years who've been suing former employees for data theft. And they TOOK precautions!
And you're telling me I should let someone walk around with uncontrolled access to a multi-million dollar client list, documents, etc, in their pocket?
FUCK YOU!
Chas - The one, the only.
THANK GOD!!!
I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and or compensation.
Can You Say Linux? I Knew That You Could.
> - Heck, how can the user even load the coporate ergonomic software
That's not a bug. That's a feature. That kind of crap is why end users want to control their own devices to begin with. The employer provided devices are all crap. It's because of nonsense like "corporate ergonomic software".
The PCs they give you in "enterprise" environments are one of the biggest reasons to avoid "enterprise" environments in general.
A Pirate and a Puritan look the same on a balance sheet.
If there is company property on your device, they have every right to it. Not as good as it seems.
BYODs move between work and home thus transferring sensitive information out and moving viruses in.
Well,
Discovery: there's legal issues there, yes, but there's also the fact that it's not your property that the data's on anymore. With physical documents a discovery order for the company doesn't give the company the right to come in and search my home for documents that might relate. Why should it be any different for electronic documents? The pattern should be that of any other case: the company responds that some of those documents are not under their control and supplies the contact information of the people who do control the documents.
Break/fix plan: not the company's problem. It's my device, fixing it is my job. And frankly I build stuff so my break/fix plan is "Buy a replacement.". I try to design things so I can hit Fry's and get replacement parts if it's really an emergency, mostly that means I'm down for an hour or three depending on which one I have to go to.
Exising desks etc.: again not the company's problem. I shouldn't need a docking station just to plug in a power cord and Ethernet cable, and the monitors should be using standard VGA/DVI/HDMI connectors.
Corporate software: this should've been dealt with before you started a BYOD program. If you require software that's got complex licensing requirements, figure out how you're going to let users use it first.
Failed app installs: this mostly shouldn't be a problem unless your apps have some really hairy dependencies. Despite this being a common scare tactic, I've rarely run into situations where an app wouldn't install because of some complex interaction with a personal setup. Most often it's because of stupidity like "We designed it to only work with one specific patch level of Java 1.5, and the user's got current Java 7 installed.". Often it ends up being the corporate developers who created that problem. For example that Java app before would run just fine in current Java 7, the only problem was that the corporate developers deliberately set the configuration to refuse to run except with that one specific patchlevel of one specific version of Java. Take that restriction out and presto, app works perfectly.
Smart Card mandate: again this is something the company ought to be working out beforehand. Remember that when you want to use someone else's equipment you can't always mandate what it has to be capable of or how it must operate. You either deal with this up front, or you acknowledge that the company needs to own the equipment which means it's not going to be BYOD.
The big problem seems to be that companies want to have employees paying for and owning the equipment, but want to treat that equipment as if the company owned it. The company needs to change it's attitude if it wants to use BYOD, design things to not require the company to own and control the equipment. It's not like it's a big deal, it's not like Oracle or Adobe or Intuit or Blizzard or any other software publisher hasn't had to figure out how to make their software live and work on machines they have no control over. If they can do it, I'm positive the problem isn't insoluble.
Think about the risk that has transferred over to your personal devices. You take ownership of a BYOD as your own, even if you receive a stipend for its purchase. So now a BYOD affects you personally, and not only the company. For example, if you work in an environment where your BYODs could be damaged. This could range from the basic (spilled coffee) to the extreme (working outside in a harsh environment). What if its cosmetic damage?
Obviously I have some personal experience in this. I took a BYOD (Macbook Retina) on a business trip, and we were making coax cables. My colleague dropped his end and the center conductor whipsawed onto my brand new screen, leaving a scratch. So now my supposedly best in class screen has a smiley face scratch on it. You could argue it is cosmetic. So how you handle this? I talked with my boss and it became clear that having a BYOD means accepting some liability. To be clear, my job is fairly office environment-esque, just general IT tasks for the most part. I use my laptop for email, programming, office suite etc. But I could see days where I need to bring it on a man-lift or in a harsh environment. Not a great prospect.
There are certainly extremes where you can expect some company liability, but it opens many questions about how determine if/when risk of BYOD damage is a customer issue.
I'm not going to spend this much money, stipend or not, and have it get all jacked up. I'm leaning towards letting the company carry the risk going forward...
K
I can see an argument that a person's device is effectively part of their brain or their body.
I own it, I control it.
Also. Both my device and my body can catch a virus.
Perhaps the problem with BYOD is sick days.
I am waiting on the host file rant, at least it would break the cycle of it's mine, no, it's mine!! GAWD!!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
I would never use my personnel devices at work. One, if work wants me to have device xyz they can pay for it. Two, I like to keep my private and work life separate. Three, I've never worked for a company so insane that they actually thought BYOD was a good idea.
Anarchists never rule
Of COURSE the problem is ownership! That's the first question every worker in my IT department asked when we got offered BYOD!
"So, if I can have company data on my phone (email), what are y'all doing to my phone? Oh, you're putting it in an encrypted sandbox? Oh, you're reserving the right to wipe that sandbox remotely (and possibly my entire phone)? Oh, you're not taking any liability for accidental wipes? Oh, you're not issuing a phone number that hides my personal cell (ala Google Voice/giving me a SIP address)?"
Ya, fuck that noise. Give me my crappy work-iPhone 5 that, rather than using native apps like the Blackberry I had, gets to use "GOOD for Enterprise" apps that don't integrate with the rest of the phone.
Look, where I am BYOD is totally OK. We are provided lots of options for secure OTG access and training to avoid breaches.
Here's my person opinion and what I advocate for in my work:
I support doing everything you can to isolate clients from servers- from data access to workflow/process. There is no reason this level of authentication cannot be implemented on BYOD as the next step. That said, BYOD is only sustainable long term if accompanied by a mature self-service support model. IT should provide the virtualized environment setup, but once it's on your device you are "on your own". Devices now are so homogeneous- soon it won't be an issue to support random/phones/tablets/PCs. Save money supporting on the front end, consolidate your back end and support the hell out of it. Companies should supply replacement and loaner hardware if they need to confiscate a user device, for say, legal reasons or company interests.
---Up Up Down Down Left Right Left Right B A START
Partition the phone into work/private.
The 'work' profile runs whatever your corporate masters inflict upon you. It's for work calls only.
The 'home' profile uses its own SIM and runs inside its own OS. You can load Android, FireFox OS, Ubuntu, whatever - it's you're personal space with your environment, private contacts, phone contract & data plan.
When an employee leaves, the personal profile could be easily exported to be transferred to another phone (the image is just carried across to the hypervisor running on the new phone).
Dual SIM tech exists. Hardware virtualization exists (arm v7a extensions).
Discovery only applies to data you control. Once it's on an employee owned device the company has no obligation to produce the data. The court then needs to go after the user directly if they want that. Note that there are exceptions for company officers.
Here's the simple question...
Perhaps without knowing all of the risks associated with BYOD in a corporate environment, or any environment were information management is expected or required, how comfortable would you personally be if you knew that BYOD was implemented as a standard anyone-can-have-it end-user offering at:
- Your Doctor and/or health care provider
- The financial institutions you use (e.g. banks, brokerage, 401k, etc.)
- Any small/large company that is storing your personal information (SSN, DOB, name, address, salary info, etc.)
- Your attorney, accountant, etc.
- The networks of your government
Shoot. After typing this, I half wish there was a BYOD disclosure requirement to customers/citizens of the above organizations.
T-Mobile USA doesn't lock phones anymore because it's switched from a subsidy model to a more transparent loan model.
You can have:
* Company data that is not world readable
* Low cost (time and money) support.
* Users bringing in their own devices that are not editable by the company.
Attempts to have "all three" mean that the cost was underestimated.
Ack!
I have readen TFA and could not say what its point is. It seems just void thinking to me.
http://risky.biz/byodauscert
PRESENTATION: BYOD in government, a high level talk
Handy talk for CIOs and CSOs...
Start the discussion 0 Comments
May 23, 2013 --
The following is a recorded presentation from AusCERT. It's by Al Blake, the Chief Information Officer of the Department of Sustainability, Environment, Water, Population and Communities. In it he talks about BYOD, basically, from an Australian government perspective. It's not an overly technical talk, but it is a good overview of what a CIO like him has to consider when allowing staff to use their own devices in a heavily regulated environment.
bash$
In the history of people. It wasn't even complete sentences and thoughts. It was word salad bullshit. If that's what "CIO Magazine" calls 'best practices' and data security regulatory and privacy law compliance, then we're all doomed and we can burn down all the data centers and go back to the 18th century.
Well, you don't need BYOD to take the company's data home. You can use a portable hard drive, cd, use a cloud service, email, etc.
"Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wanna-be's who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.
You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)
As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.
At the end of the day, when you work in I.T, or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.
I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)
What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.
Do you ask them to rekey your office door and the building access to match the doors at home?
I thought not.. you carry one key for home, and one key for work.
If they wanted me to buy my own lock then I would
The point here is your employer cannot demand to control your property. You want to control something you pay for it.
Whether or not I will agree to carry a second phone is orthogonal. I might if my job required it but not if it was just for being able to work off hours. But again, that's beside the point.
Well since that is such a big issue for you, Since I control the network, I guess you WONT be bringing your own device and using it at work. Chew on that ......
You're fired.
Signed, Your CEO
And not just with a link. No, this is not a well known acronym yet.
Bring Your Own Beverage. Context of the summery was clear that BYOD is Bring Your Own Device.
30 years a network and systems admin and such a thing has to now been hypothetical or mythical. I'd love to hear about this wonderful new thing and the miraculous science through which it was achieved. Does it involve quantum physics?
Help stamp out iliturcy.
Proxy servers are relic of a time before NAT. Please, please, please stop using this old hack to "share" your office Internet connection.
Thats not the purpose of a proxy server in a modern environment. A great many large organisations use web proxies to control web access; this involves stuff like anti-virus/anti-phishing (by examining the http traffic); accellerating a busy internet connection using a cache is also a big performance boost, especially in certain environmnet where you can expect a large number of people to simultaneously access some specific resources. You may consider them a relic, many organisations don't and have actual legitimate use for them beyond sharing a connection (just a look at the traffic on the Squid mailing list will show you that it is still extremely popular).
If you want to prevent SMTP/FTP/IRC/etc traffic on your network, set up a proper firewall that blocks those port ranges.
What on earth have SMTP/FTP/IRC got to do with a conversation about http proxy servers?
As you pointed out, using a proxy server in 2013 is going to give grief to anybody that has to touch it.
Its funny, Windows and OS-X, and the applications that run on them largely handle proxy servers without any problems. Its basically Android and iOS (mostly iOS) that causes problems - Apple's implementation is so utterly half-arsed and bugridden I'm often left wondering why they bothered implementing it at all.
http://blog.nexusuk.org
The BSA will have a field day slamming companies that migrate off site licensing windows and MS Office for using limited licenses or even worse pirated software on the BYOD equipment used to conduct the company's business. if you don't actually provide employee's with a licensing budget or depend s
To get around it means getting in t equally big trouble with labor laws banning the nonfree-freelancer loophole some companies have used to pretend they to not have obligations as an employer in the past.
The main problem with BYOD is the fact that you cant legally demand that your employee's bring the device you want them to without compensation, at least not in the civilized part of the wold. ie no matter what the company is going to wind up paying most of the HW bill, and all of the licensing bills. And you still need to support the equipment.
The problem here is not as much that you cant manage the security aspects but that you cant just slash your IT budget without breaking contract and employment law. And without the option of cutting IT budgets most BYOD business cases just fall a part.
Wouldn't the "owner" be entitled to claim the purchase cost, maintenatnce, and service charges as allowable cost-of-employment expenses, similar to a mechanic's hand tools or a salesman's unreimbursed automobile mileage?
IANAL, so I was just wondering.
Scruting the inscrutable for over 50 years.
One thing that many people overlook when they voluntary bring their own hardware to work is that when it breaks or is worn out, it's their own responsibility.
For instance, if you use your private laptop 8 hours a day at work and the fan or battery is worn out after a year, it's your own responsibility.
Or, if you bring your laptop to work and it breaks, it's also your own responsibility.
You'll have to pay for repairs or a new laptop yourself.
Unless, of course, if you have a contract with your employer about them taking responsibility for private equipment.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
Engineering and R & D would be trying to find coding examples and the sites they would end up trying to reach were flagged
I recommend that they used to block web traffic to pornography, overseas IP address space, Known VPN providers, and Cable/DSL/Dialup provider IP address ranges
This would interfere with essential duties of R&D in the way that Eristone and I described if the "coding examples" happen to be hosted on a web site in another country.
The approval requirements just go there, to demonstrate that the employee is not wasting business resources requesting a web site be opened up for personal or reasons not essential to the carrying out of the organization's mission.
When an engineer performs a Bing or Google search for information "essential to the carrying out of the organization's mission", but most of the results are blocked because they happen to redirect all HTTP traffic to HTTPS as an anti-Firesheep measure and are not one of a few "specific known destinations", this block interferes with "the carrying out of the organization's mission".
At the company I work for, the idea of BYOD for smartphones and laptops was tested and evaluated. The result was that the BYOD pilot programs were totally shut down and that BYOD was declared DOA. The reasons were many:
Problem #1: Our company requires a high level of security on our network, as we work with data from a wide variety of customers. US Government, Foreign governments and commercial customers all expect us to protect it. Any leak, any potential breach of data could be a disaster for both the company and the owner of the data. Yes, there are ways that the data can be protected, but that runs into problem #2.
Problem #2: People don't want to have the use of their personal equipment dictated to. A good example was the short-term availability of the iPhone within the company. The devices were locked down so that only approved applications could be installed, security measures needed to be used, passwords were required and that caused resentment by the users that they couldn't use the device in the manner they wanted to use it for: as a personal device, installing whatever software applications they wanted and no security requirements. The complaints were so many that the company decided instead of trying to get the users to treat the devices as company devices, that they would simply no longer offer the device and go back to Blackberry devices, since it was understood that they were more secure than the iPhone.
Many of these issues could probably be mitigated through training, but users have a habit of not wanting to follow the requirements put in place by Information Security. It's not IT driving these requirements, it's the need to secure the data and maintain network integrity with the devices that connect to it. Even with company equipment, we know the users won't do what's necessary which is why there's a lot of security scripts that run to ensure things like anti-virus is up to date, firewall is active and the latest rules are running, whitelisting software is running, etc. ad nauseum. And that means that IS and IT would have to control the personal device in order to make sure it's properly hardened... at which point it's not the user's device any more.
We had a VP that had his home locks changed to match the building front door because he only wanted to ever carry two keys. When I was going through his termination interview and asked for his key, the prospect of not being able to get into his house brought the flaw in his plan to light.
Smartphone and tablets means greater Wi-Fi and VPN needs. We have replaced our managed wireless system twice in the last 4 years, and the last one was exponentially more expensive than the previous. Good thing devices are going to 5ghz, because we have 2.4 ghz maxed out, meaning adding more access points will not add anymore capacity for 2.4 Ghz devices. We now have 8 times the access points that we did 4 years ago.We probably are not typical though, we have about 300 employees in a smaller city with mostly 2G cell service, Verizon has spotty 3G service here, so everyone uses the Wi-Fi.
I would love a job cleaning at a Google Data Center. But I only have a Bachelor's of Computer Science. I do not have time to get my Master's to qualify for the position. ;)
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
When it comes to BYOD, IT is often laying the groundwork for their own demise in the same way the MIS department did in the 80s when the PC upended their "glass house" model for keeping all enterprise data and services inside the data center. If it was up to MIS, the most important app on your PC would still be TN3270 and no business-critical data would EVER make it to permanent storage on your laptop.
You "BYOD over my dead body" IT guys amuse me - be careful what you wish for, lol.
MIS died for a good reason - PC's ushered in Computing 2.0 - that was the original "consumerization of IT" (how quickly we forget) and we're now at the threshold of Computing 3.0 - let me elaborate:
2.0 was all about client/server => 3.0 is all about cloud/mobile
2.0 was all about controlling the endpoint => 3.0 is all about controlling only the apps and data and letting go of the illusion of endpoint control
2.0 was all about the LAN - we bolted on the internet and tried to secure it by firewalling at the network layer => 3.0 assumes ubiquitous networking and secures the apps and data from layer 7 down using identity as the security anchor
2.0 was all about packaged software in a box that eventually became downloadable => 3.0 is about app stores and HTML5 apps with a complete cloud lifecycle
Was the PC ever as secure as a mainframe? Hell no. Didn't matter.
Was the PC ever as reliable as a mainframe? Hell no. Didn't matter.
So why the hell did PCs take over? Anything you did with them was faster and cheaper and people exposed to them could never go back to the old UX.
Any of this sound familiar?
Tell me again why you're never going to embrace BYOD, and I'll tell you why your IT department is going to be called something else 5 years from now and you'll be working for someone who doesn't give a shit about all your reasons why BYOD should never have been implemented.
So why are schools using them for "Duty of Care" to cover their arses from "my kid surfs porn during school days and it's your fault"?
So why are web companies putting reverse proxies in front of farms to speed up all those new cable and FTTN connections world wide?
So why are companies with offices in remote areas using them on their GPRS- or satellite-based internet connections?
While you have a nice 20Mb connection mum or work pays for, not every-one else has the luxury.
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
gd2shoe: Just for the record, it's not that I overlooked that aspect. It's more of a belief that it's not an aspect that should change much, in any properly run organization.
For example, concerns about BYOD devices causing security holes on the corporate network? Strongest case for this would generally be allowing older devices on the network that run older OS's. In our workplace, we simply gave a list of approved BYOD devices users could choose from that we'd allow and support. We also adopted a policy about rooting and jailbreaking. Basically, we acknowledge it's out there and is legal to do, but also note that MOST vulnerabilities come from rooted or jailbroken devices. So I.T. takes a stance of allowing it but not supporting it. If you opt to do it - you do so understanding that if you put in a support ticket with some issue with that device, we will revert it back to a non-rooted or jailbroken state as part of our troubleshooting process (and might remove you from our network until we have time to do that).
All in all, I don't even believe that I.T. is really so "expert" in handling outside threats and attacks. How can we be? We usually don't have access to the source code to the devices we implement and often aren't even good enough at coding to figure out what it meant if we were. Ever get caught in that "balancing act" where you want to apply all new updates to a system to ensure it's "as secure as possible" but some of those updates aren't supported by mission critical software also loaded on the box? Ever do the updates that are pushed out only to find they break a server? (I sure have, especially with some of Microsoft's "recommended updates" that they later recalled and revisited.) Eventually, it happens to most sysadmins that they cause real and immediate problems trying to prevent theoretical security-related ones.
in 95% of companies the CEO is just another employee
It sounds like you have spent some time and effort to address the situation on your network relative to your needs. I've seen shops where the policy was to bury their heads in the sand.
I didn't actually use the word "expert", but "professional" -- as in, it's part of the IT profession to understand and manage such risks.
Knit-picking aside, someone must determine various risks, attack vectors, and ways to deal with them. Like it or not, that's part of IT. That doesn't mean perfect security, releasing your own patches, or being omniscient. It does mean addressing the big three in a reasoned, balanced way: data confidentiality, integrity, availability. It does mean following industry guidelines and keeping your ear to the ground (metaphorically speaking) for changes in the field. It doesn't mean knowing each and every unpatched zero-day exploit, but it does mean knowing the broad types of exploits and how to avoid or recognize and recover from them.
Again, I largely agree with you, and think our stances aren't terribly different.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
And because I own the workplace, I define the range of what you can do:
1) You conform to corporate policy (i.e. you do what I say).
2) You leave it at home.
3) You shove it up your ass, sideways, and waddle by HR on your final journey to the door.
--
Your friendly neighborhood PHB
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
When people do finally "get" what BYOD actually is, they'll realise how stupid it is in nearly every business environment.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife