Why Everyone Gets It Wrong About BYOD
snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.
BYOD is a short-sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.
Feed the need: Digitaladdiction.net
In case our good buddy Brian missed the past couple of decades, nothing is simple about 'ownership' in our delightful brave new world of digital devices...(even if we might want it to be)
"Licensed not sold", DRM in all its myriad permutations, encrypted bootloaders, SIM-locked cell modems, systems that phone home faster(and in much greater detail), than ET, activesync policies that give IT the ability to nuke your phone if you want to connect to your email, all the good stuff.
Even in his article, purporting to be all progressive and whatnot about recognizing 'ownership', he says "The good news is that plenty of tools allow you to isolate all your business data from employees' personal data. Those tools can let you wipe business data from their devices without touching their photos and private emails." This is, in effect, a polite way of saying that "There are plenty of tools that allow you to gain control over a slice of somebody else's device in a way sufficiently robust to keep them from messing with that slice."
Above and beyond all the usual amusements of negotiations between dubiously equal parties, contemporary computers offer ample power to enforce restrictions of virtually arbitrary complexity over what we quaintly pretend that you 'own'.
I'm pretty sure that's what a lot of people here on /. have been saying about "bring your own device". You know, "it's mine, and I don't want corp. IT to tell me how to use it, or what software to have on it, or to be able to remotely delete everything on it". And, "why should I have to pay for company equipment? If it's for work, they can pay".
Gee, who'd'a' thunk it?
In other news, a smug Linux user commented that Linux doesn't crash nearly as often as M$ Windoze does. And, moreover, the GIMP is a more than sufficient replacement for Photoshop for most casual users.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Or maybe it is because I work at a place with SOX/HIPAA/DOD/etc. requirements. Even though I am a vendor, I have to use the customer-supplied device as I admin their servers, and that's what security will allow for me to do my work. I don't have admin rights on the supplied laptop itself, and everything is whitelisted to run.
Every time I hear about this, at least from my side of the fence of IT support, I just think of the support and security nightmares. Also, if the company wants me to install their stuff on my personal PC, well, they can buy me one. Same goes for a phone. If they need to call me as an employee, they can provide a cell phone too.
No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.
In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.
And then there are the Chinese hackers who have infiltrated the network.
Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.
Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"
Okay, let me make this simple; You're in IT security. Let's say you just threw open the doors and let anyone bring their own laptop in to work. Well, you know, and I know, that people are stupid. They're going to be infected with malware, viruses, APTs, and god only knows what. And that's the point: You don't know what's being brought in. You have no control now. And let's say as a result of someone doing this, they pass on a piece of malware, not to your super-secure corporate systems, but to another employee who's also brought in their own device.
Who's legally at fault here: The employee who accidentally (or negligently!) brought in an infected laptop, the other employee who connected their own laptop and accidentally (or negligently!) got it infected... or the company whose network policy facilitated this? And here's a better question: Who do you think both employees are going to sue, thus costing your company millions in unrecoverable legal fees (even if you win, you ain't going to see that money again)?
Ownership here is indeed the issue; just not device ownership. Specifically, the cost of ownership: if you allow this stuff on your network, the cost of owning that network is going to rise due to incidental costs. How much, nobody knows for sure -- this is still a relatively new thing (in the business world anything less than 10 years old is 'new').
#fuckbeta #iamslashdot #dicemustdie
What about disasters from BYOD? Can you bill someone for damage with little to no proof? Can you make someone go out and buy something new right after they just got something, due to changed requirements, and so on? What if someone who is not very technically informed goes and gets the Best Buy special POS, and who fixes that mess?
And if they go the way of making employees pay out of pocket for a specific device and subject it to complete IT control so that no personal apps or data can be used on it, this is akin to not only buying your uniform from one supplier, but also ensuring it is kept clean and pressed. Based on the cost and labor laws, that can pull someone under minimum wage for that pay period, and in other places it may fall under business expenses.
Also, you can be hit with the same laws even if it is not as locked down / you must use this system.
The problem with BYOD is that users often want access to corporate data. But companies have a right, no, make that a duty to protect their own data. The problem is that in order to do that, the company has to have some control of your hardware. Mainly with regards to encryption and holding the keys from you. Again, your device, their data. And that's often the point of contention between staff and IT personnel.
Life is not for the lazy.
"It should be about enablement"
Spoken from the self-entitled end-user's perspective!
Sorry, but it IS about control. Control of company data. Security of company data. Compliance with various laws such as HIPAA, SOX, etc.
No sane company WILLINGLY bends over and spreads by giving unfettered access to their dearly bought client and company data.
I've dealt with numerous clients over the years who've been suing former employees for data theft. And they TOOK precautions!
And you're telling me I should let someone walk around with uncontrolled access to a multi-million dollar client list, documents, etc, in their pocket?
FUCK YOU!
Chas - The one, the only.
THANK GOD!!!
I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and or compensation.
Can You Say Linux? I Knew That You Could.
Well,
Discovery: there's legal issues there, yes, but there's also the fact that it's not your property that the data's on anymore. With physical documents a discovery order for the company doesn't give the company the right to come in and search my home for documents that might relate. Why should it be any different for electronic documents? The pattern should be that of any other case: the company responds that some of those documents are not under their control and supplies the contact information of the people who do control the documents.
Break/fix plan: not the company's problem. It's my device, fixing it is my job. And frankly I build stuff so my break/fix plan is "Buy a replacement.". I try to design things so I can hit Fry's and get replacement parts if it's really an emergency, mostly that means I'm down for an hour or three depending on which one I have to go to.
Existing desks etc.: again not the company's problem. I shouldn't need a docking station just to plug in a power cord and Ethernet cable, and the monitors should be using standard VGA/DVI/HDMI connectors.
Corporate software: this should've been dealt with before you started a BYOD program. If you require software that's got complex licensing requirements, figure out how you're going to let users use it first.
Failed app installs: this mostly shouldn't be a problem unless your apps have some really hairy dependencies. Despite this being a common scare tactic, I've rarely run into situations where an app wouldn't install because of some complex interaction with a personal setup. Most often it's because of stupidity like "We designed it to only work with one specific patch level of Java 1.5, and the user's got current Java 7 installed.". Often it ends up being the corporate developers who created that problem. For example that Java app before would run just fine in current Java 7, the only problem was that the corporate developers deliberately set the configuration to refuse to run except with that one specific patchlevel of one specific version of Java. Take that restriction out and presto, app works perfectly.
Smart Card mandate: again this is something the company ought to be working out beforehand. Remember that when you want to use someone else's equipment you can't always mandate what it has to be capable of or how it must operate. You either deal with this up front, or you acknowledge that the company needs to own the equipment which means it's not going to be BYOD.
The big problem seems to be that companies want to have employees paying for and owning the equipment, but want to treat that equipment as if the company owned it. The company needs to change its attitude if it wants to use BYOD: design things to not require the company to own and control the equipment. It's not like it's a big deal; it's not like Oracle or Adobe or Intuit or Blizzard or any other software publisher hasn't had to figure out how to make their software live and work on machines they have no control over. If they can do it, I'm positive the problem isn't insoluble.
I would never use my personal devices at work. One, if work wants me to have device xyz, they can pay for it. Two, I like to keep my private and work life separate. Three, I've never worked for a company so insane that they actually thought BYOD was a good idea.
Anarchists never rule
Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wannabes who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.
You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)
As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.
At the end of the day, when you work in I.T., or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.
I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)
What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.
Do you ask them to rekey your office door and the building access to match the doors at home?
I thought not. You carry one key for home, and one key for work.
If they wanted me to buy my own lock, then I would.
The point here is your employer cannot demand to control your property. You want to control something you pay for it.
Whether or not I will agree to carry a second phone is orthogonal. I might if my job required it but not if it was just for being able to work off hours. But again, that's beside the point.
30 years a network and systems admin, and such a thing has until now been hypothetical or mythical. I'd love to hear about this wonderful new thing and the miraculous science through which it was achieved. Does it involve quantum physics?
Help stamp out iliturcy.
Proxy servers are a relic of a time before NAT. Please, please, please stop using this old hack to "share" your office Internet connection.
That's not the purpose of a proxy server in a modern environment. A great many large organisations use web proxies to control web access; this involves stuff like anti-virus/anti-phishing (by examining the HTTP traffic); accelerating a busy internet connection using a cache is also a big performance boost, especially in certain environments where you can expect a large number of people to simultaneously access some specific resources. You may consider them a relic; many organisations don't, and have actual legitimate uses for them beyond sharing a connection (just a look at the traffic on the Squid mailing list will show you that it is still extremely popular).
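The three uses named in that comment (access control, content scanning, caching) can all be expressed in one Squid configuration. The fragment below is an added illustration, not anything from the thread or from the Squid project's shipped defaults; it assumes a client subnet of 10.0.0.0/8, a domain deny-list file at /etc/squid/blocked_domains.txt, and an ICAP antivirus scanner (any ICAP-speaking engine) listening on 127.0.0.1:1344, all of which are placeholders to adjust for a real deployment.

```conf
# squid.conf fragment (hypothetical example; paths, subnets and the ICAP
# endpoint are assumptions, not values from the original page)

http_port 3128

# --- Access control: who may use the proxy, and where they may go ---
acl localnet   src 10.0.0.0/8                       # assumed client subnet
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT
# one domain per line; a leading dot matches all subdomains
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

http_access deny  !Safe_ports             # only plain HTTP/HTTPS ports
http_access deny  CONNECT !SSL_ports      # CONNECT tunnels only to 443
http_access deny  blocked_domains         # organisation's deny-list
http_access allow localnet                # internal clients may browse
http_access deny  all                     # default deny for everything else

# --- Content scanning: hand responses to an ICAP antivirus engine ---
icap_enable on
icap_service av_resp respmod_precache icap://127.0.0.1:1344/avscan  # assumed endpoint
adaptation_access av_resp allow all

# --- Caching: the "busy internet connection" case from the comment ---
cache_mem 256 MB
cache_dir ufs /var/spool/squid 10000 16 256
maximum_object_size 64 MB
# keep large installer-style downloads longer so repeated fetches hit the cache
refresh_pattern -i \.(deb|rpm|msi|exe|zip)$ 10080 90% 43200

# --- Audit trail: every request, with the decision Squid took ---
access_log /var/log/squid/access.log squid
```

Rule order matters in Squid: `http_access` lines are evaluated top to bottom and the first match wins, so the port restrictions and the deny-list sit above the `allow localnet` line, and the final `deny all` catches anything not explicitly permitted. The ICAP hook is what gives the proxy its anti-malware role; without it the proxy is only an access-control and caching point.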
If you want to prevent SMTP/FTP/IRC/etc traffic on your network, set up a proper firewall that blocks those port ranges.
What on earth have SMTP/FTP/IRC got to do with a conversation about http proxy servers?
As you pointed out, using a proxy server in 2013 is going to give grief to anybody that has to touch it.
It's funny, Windows and OS X, and the applications that run on them, largely handle proxy servers without any problems. It's basically Android and iOS (mostly iOS) that cause problems - Apple's implementation is so utterly half-arsed and bug-ridden I'm often left wondering why they bothered implementing it at all.
http://blog.nexusuk.org