Why Everyone Gets It Wrong About BYOD

snydeq writes "Brian Katz offers a simple take on the buzz around BYOD in business organizations these days: 'BYOD is only an issue because people refuse to realize that it's just about ownership — nothing more and nothing less.' A 'hidden issue' hiding in plain view, BYOD's ownership issue boils down to money and control. 'BYOD is pretty clear: It's bringing your own device. It isn't the company's device or your best friend's device. It's your device, and you own it. Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"

BYOD means I/T loses some control over it

[Jailbrekr]

BYOD means you can no longer trust your own network because you no longer have the same level of control over the devices on it. And if you do not trust your own network, you need to increase your security costs substantially and provide other resources that you would otherwise not need to offer. So while you're saving around $1000 per year per user on hardware, you're spending more on licensing for NAC and VDI/RDP/ICA. You also need to amp up the local tier1/2 support because now without standards they're going to be spending more time dealing with more types of machines. Any gains made by standardization will be utterly destroyed.

BYOD is a short sighted, stupid idea thought up by someone who sure as hell has no experience with I/T support.

Re:BYOD means I/T loses some control over it

[guruevi]

You shouldn't trust your own network to begin with. How do you make sure no-one plugs in whatever they want? BYOD is not just about cell phones or property. It's about people taking work laptops home and home phones to work.

If you want to make sure everything is and remains standardized, you're going to need to implement NAC and have everything on your network be a dumb terminal.

BYOD is not just about someone saving money. It's about people expecting to have their devices work and IT in organizations being too slow or not having enough funding to give everybody their device of choice.

Re:BYOD means I/T loses some control over it

[Frobnicator]

From the IT side, it means a nasty festering pile of vulnerabilities. It means more vectors for the Chinese hackers, more attack vectors for competitors, more attack vectors for malware, more vectors for government and corporate spying, and more ways for information to accidentally leak.

From the personal side, it means being on the clock continuously without additional pay. It means additional personal liability. It means if something goes wrong at work the powers that be can brick your phone. It means that your boss or peers are always watching, sometimes expecting you to reply to emails at all hours or work on reports over the weekend.

From the bottom line perspective you may get a little more hours out of the worker, but at the cost of reduced total productivity from them never disengaging and the costs of supporting an alphabet soup of devices.

Nobody wins.

Re:BYOD means I/T loses some control over it

Not sure about you, but no one plugs in whatever they want to our network, all network ports are authenticated at the switch, you plug in a non authorized device the port simply shuts off. BYOD is a fucked up concept by people that simply have a poor understanding of IT that think what they do at home is "better" as the guys running the network can't possibly know more than them. I have seen BYOD in 3 places now and in all it has been 3 complete failures where it was rolled back due to the insane increases in support costs.

Re:BYOD means I/T loses some control over it

Then it sounds like you and the rest of the IT staff were incompetent. I work at a company right now that's been using a BYOD approach for nearly 5 years with no real issues. And with only 4 IT staff to support around 400 people.

Re:BYOD means I/T loses some control over it

[guruevi]

Maybe you should improve your licensing options or choose better products with less licensing. Throwing out high quality people because a 3rd party company bullies you is not really great business practice.

Re:BYOD means I/T loses some control over it

[FireFury03]

Both devices have plenty of support for HTTP proxies.

Android Gingerbread lets you set a single HTTP proxy which applies to all networks. That means device owners have to manually enter and clear the proxy settings as they move between the office network and their home network. Not that it matters - almost all apps ignore the proxy settings anyway.

Android ICS and Jellybean let you set an HTTP proxy per wifi network, which at least means the user isn't expected to reconfigure the phone all the time. Most apps still ignore the proxy settings. Most of the apps that do pay attention to the proxy settings don't support authenticated proxy servers.

All recent versions of iOS allow the proxy and authentication credentials to be set on a per wifi network basis. That's excellent. Except that most apps (including a good chunk of the stock iOS apps that Apple ship with the phone) either ignore the proxy settings entirely or fail to support authenticated proxy servers. (Yes, Apple is aware of these problems - there are bug reports in their bug tracking system that have been open for several years, they aren't interested in fixing them).

Even then, Squid has a transparent proxy option.

Transparent proxying only works for HTTP, not HTTPS unless you are going to MITM all the sessions (which involves installing certificates on all the clients). And even then, you can't authenticate the users if you're proxying transparently.

Re:BYOD means I/T loses some control over it

[chihowa]

Ah, but from upper management's side, it means costs are shifted from purchasing physical hardware (who's cost is hitting a floor) to employee hours (which can keep going down). It means next quarter's expenses will be lower (the difference of which they can collect as bonuses now) and when the following quarter's expenses are back up (from IT having to maintain the mess), the bonus has already been collected. Then they can start looking to cut costs again by shipping the (now fungible) labor overseas, and collect another bonus. When the whole house of cards collapses, they've already cashed out.

Somebody wins (just not you).

Re:BYOD means I/T loses some control over it

[Skuld-Chan]

1990 called - they want your manually set proxy server back.

We proxy everything, but the users are none the wiser and its a university where BYOD isn't even something we can control.

Re:BYOD means I/T loses some control over it

[ultranova]

I've found BYOD is actually a big PITA for large organisations because the devices people are bringing are almost universally Android or iOS, and in both cases the OS and apps have terrible support for HTTP proxies; and many large organisations use proxies to control web access from within their networks.

So maybe you shouldn't try to control web access from your network if you allow it at all, but rather deal with people browsing Slashdot or porn sites all day long when and if it becomes a problem?

Re:BYOD means I/T loses some control over it

[Lumpy]

Then tell management to stop being cheapskate morons and BUY the employees tablets and phones.

Honestly the one thing that screams that the management is a bunch of Douschebags is a BYOD policy. If a company is work working for they buy you a tablet and phone if you need it as well as a laptop if you need it. The only places I have ever seen a BYOD requirement has been either fly-by-night or swirling the drain. If a company can afford to pay you 6 figures they can spend $1600 on a laptop every 2 years and $50 a month to get you a smartphone.

Re:BYOD means I/T loses some control over it

[Lumpy]

Sounds like a plan. got a FOSS version of AVID? same quality and same abilities?

No? how about a FOSS version of AutoCad? no the two toys running around out there wont work.

Well then how about a FOSS version of my automotive computer tuning software? IT supports all the modern cars, so what FOSS program is out there that does that?

Lastly how about a nice FOSS large accounting software system? no?

There are three business types that can not use FOSS even if they wanted to, and that covers a hundred thousand of businesses in the USA alone. (car repair, car shops, engineering firms, accounting firms, TV stations and studios, etc...

FOSS is an impossible answer for a large number of businesses simply because the software does not exist.

Re:BYOD means I/T loses some control over it

[Lumpy]

I watched an IT guy try to tell a CEO that his apple TV was not allowed on the network. the CEO pointed at the door and asked the guy, "what does it say on the door?"

The IT guy was one of the brighter ones and got the hint quickly... and set it up on the corporate network.

Re:BYOD means I/T loses some control over it

[Anonymous+Psychopath]

Your company has no secure resources that you or your superiors are worried about then and you are not a candidate for NAC as the parent poster was. That or your company's IT staff, including you, is actually the incompetent group and if you ever get compromised by an outsider with malicious intent, you're fucked.

We have about 25,000 BYOD users and ferociously protect our IP. I wish you luck in your crusade against the customers you serve. It seems to be working out for the RIAA/MPAA.

Re:BYOD means I/T loses some control over it

[Benaiah]

Having worked on both sides of this fence I can say that IT are often lured into the belief that they are the core of an organisation and that they are constantly making things better for everyone by making things more uniform. Such as giving everyone the same desktop icons and refusing access to the desktop to allow users to add their own icons. They are hidden away from the rest of the workforce in artificially lit computer graveyards. The users in such a network ie, the accountants/journalists/engineers who are actually making the company money get more and more disillusioned with this system that gets less and less functional, ie submit a form signed in triplicate with a cost code attached in order to get Chrome installed. They bring their own 4G devices in and use them to do their work, or bring in windows hacking tools to give themselves local admin rights and all hell breaks loose.

Thus where I have seen IT actually play their support role is where they don't get put in the dungeon in the basement of the building but integrated into the workforce and forced to do their work in plain sight. Other staff members can see the work that they do and come and ask questions, and they can see the impact that their work has on their users. Their team meetings are infiltrated with key staff members who get to vet the plans moving forward, and key to all this, is an articulate manager who actually understands what his subordinates are doing and not just playing with dollars and cents.

Re: BYOD means I/T loses some control over it

[guruevi]

1 IT tech per 550 users is indeed a very unreal ratio unless you work at a place like Google where everybody is highly technically adept. Even with heavy handed standardization and lockdown, you simply cannot maintain even the most basic of communications. You would be manning 1500 users, ~2000 computers, ~50 servers, ~150-250 printers and ~100 switches, 50+ access points if you have wireless, miles of cabling you should be halfway upgrading to fiber pretty soon... with 3 people? Who is developing anything? Who is rolling anything out?

Unless you have everything outsourced to the cheapest bidder and a host of consultants that don't count towards your FTE. Even 1 of you guys falling sick or getting hit by a bus would be devastating. From my experience a typical IT person can handle ~100 desktop users, ~250 if you have a well-run tiered help desk system.

If your department truly believes you personally have a hand over 550-800 users, then simply go out there, most likely what has happened is every single department has one or more official or unofficial IT tech and a number of desktop-servers and wifi routers on the desks.

Re:BYOD means I/T loses some control over it

[Anonymous+Psychopath]

Could you tell a bit more, please? What are use cases for those BYOD devices, what kinds of data and applications they're used for?

The primary BYOD users are a global sales force and executive staff. The core applications are email and calendar, which is pretty typical. I'd guess something close to 100% use those two. Other deployed applications are VDI, IM/presence, VoIP, sales process, commissions visibility, and expenses. Android and iOS have the most support, and new stuff generally launches on iOS first and Android second. Blackberry is supported, but I don't know what the story is with the various flavors of mobile Microsoft platforms. Could be we support them, I've never been interested enough to look.

We publish white papers on our BYOD deployment and have detailed statistics about what kinds of devices are being used and their growth rates. It's interesting stuff. I don't want to get more specific than that because we also manufacture things that could be used in a BYOD solution, and I don't want anyone to think I'm shilling or astroturfing.

Re:BYOD means I/T loses some control over it

[beelsebob]

Sorry to tell you this, but you're not doing your job. As a network administrator, your job is to make sure that the people using the network are able to do the tasks they need for their job.

Yes BYOD means you need to be careful about what happens on the network, but it does not mean the network will instantly fall over if you, the network administrator, is even half competent. What it also means in many (most?) companies is significant productivity gains for the people using the network, and ultimately, that's why you're there – to facilitate their productivity, not to sit in your ivory tower with your pristine "perfect" network that actually doesn't do what the users need it to.

Re: BYOD means I/T loses some control over it

[dkf]

The technically adept people (read R&D dept) are the bane of our existence, as they constantly need changes made / make changes without consulting us.

Only because you insist on having control.

Re:BYOD means I/T loses some control over it

[Jane+Q.+Public]

"Not sure about you, but no one plugs in whatever they want to our network..."

I agree with you 100%. And I go further: if the company wants me to BMOD, then they can damned well pay me for the use of it. It's okay... I'll rent it to them at the going commercial rate.

Re:BYOD means I/T loses some control over it

[nojayuk]

AutoCAD is the basis of an entire ecology of add-ons and workflow tools, many of which can cost ten times the basic cost of the package itself and then some. Oil refinery piping layouts, dynamic flow analysis, bill of materials, finite element analysis tools, import and export to other engineering packages, 3DMax visualisation etc. etc. Unless and until the FOSS alternatives to AutoCAD can plug in as a one-for-one replacement to that ecology then they're not going to make big inroads in the multiseat engineering/architectural world.

Re:BYOD means I/T loses some control over it

[symbolset]

Could you tell a little bit more, please? What is the IPv4 address range for your routers?

Re:BYOD means I/T loses some control over it

[DarkOx]

I am sorry but people like you who have that attitude toward it are absolutely every bit as wrong as the it types who think the answer to everything should be "no".

When some gets a worm on your network and it takes the entire business offline for the better part of a day while everyone chases down and cleans the machines you will still say IT failed to do the job you refused to let them do.

When you customer list is published on wiki leaks, or near perfect copies of your flagship product trade secrets and all start coming off the boat from china you will say it did not do their, which you refused to let then do.

Yes, IT needs to help you be productive but they also need to protect you and the company, which means they can't just let you do *anyhing* any time. It's not that simple, you need to stop looking at IT as your bitch and start thinking of then as trusted advisors just like you do your legal department or your HR people.

BYOD means IT imagines less control over it

[crow]

No, BYOD means that IT still has no real control over the devices on the network, but now has to stop pretending that they ever did.

In an engineering environment, many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

And then there are the Chinese hackers who have infiltrated the network.

Any company that relies on controlling the systems on their network for security is practicing security through imagination. A real security model has to assume that there will be issues at every level. BYOD may help force companies to recognize the need for comprehensive security, but it doesn't create the need.

Re:BYOD means IT imagines less control over it

[tepples]

Tier 1 tech: "You want us to allow you access to a site being blocked?" "OK; here, fill out this 3 page form, and sign here, here, and here, and have your supervisor sign here on page 2 and on page 3..."

Then watch requests to whitelist particular web sites take up half of everybody's time.

Re:BYOD means IT imagines less control over it

[jrumney]

many of the locked-down MSWindows systems that are deployed are wiped by the users to install Linux. Other systems may be mostly locked down, but users will run their own systems in virtual machines. The network may have a nice secure firewall, but lots of users set up backdoors through their home VPN connections to bypass the tight web filters.

These are all things that can more or less be prevented or detected.

Which is what is wrong with IT. You can't see past your own policies to the fact that users have genuine business needs to use Linux on their laptops or in VMs, and those web filters you install to stop anything with *p?rn* in the URL are preventing access to sites that people need to access to do their work.

Instead of "OMG, people are bypassing our restrictions! How do we stop them?", your first response should be "why do they feel the need to do this, and how can we accommodate their business needs?".

Point = missed

[girlintraining]

Because you own the device, you have certain rights to what is on the device and what you can do with the device. This is the crux of every issue that comes with BYOD programs.'"

Okay, let me make this simple; You're in IT security. Let's say you just threw open the doors and let anyone bring their own laptop in to work. Well, you know, and I know, that people are stupid. They're going to be infected with malware, viruses, APTs, and god only knows what. And that's the point: You don't know what's being brought in. You have no control now. And let's say as a result of someone doing this, they pass on a piece of malware, not to your super-secure corporate systems, but to another employee who's also brought in their own device.

Who's legally at fault here: The employee who accidentally (or neglegently!) brought in an infected laptop, the other employee who connected their own laptop and accidentally (or neglegently!) got it infected... or the company whose network policy facilitated this? And here's a better question: Who do you think both employees are going to sue, thus costing your company millions in unrecoverable legal fees (even if you win, you ain't going to see that money again).

Ownership here is indeed the issue; Just not device ownership. Specifically, the cost of ownership; which if you allow this stuff on your network, the cost of owning that network is going to rise due to incidental costs. How much, nobody knows for sure -- this is still a relatively new thing (in the business world anything less than 10 years old is 'new').

Re:Point = missed

[arth1]

ClamAV. Not because you need it to protect your own computer but because having installed and running kills two birds with the same stone.

Yep. RAM and CPU.

Your device, their data

[DigiShaman]

The problem with BYOD is that users often want access to corporate data. But companies have a right, no, make that a duty to protect their own data. The problem is that in order to do that, the company has to have some control of your hardware. Mainly with regards to encryption and holding the keys from you. Again, your device, their data. And that's often the point of contention between staff and IT personnel.

Taxes

[macemoneta]

I'm sure that eventually someone will realize that companies are deriving a benefit from an asset they don't own (not on their books), and thus should be paying tax and or compensation.

Too bad he wasn't fired .....

[King_TJ]

Having done I.T. for over 25 years and counting now, I'm *really* getting fed up with all the authoritarian sysadmin wanna-be's who impose all sorts of rules on what people CAN'T do on a network, instead of ENABLING people to do more with the resources available.

You want an AppleTV on the corporate network (most likely for the purpose of easily projecting things onto a conference room television instead of physically connecting a video cable between the PC and the TV)? Great! Why the hell NOT allow it? It's pretty much the same guts inside as an iPod touch, except with a locked-down version of iOS. Not exactly anything I'd be concerned about. (If your main objection is something along the lines of not liking the fact it lets people stream TV shows or music when that's not what they're hired to do? Guess what! It's not YOUR job or problem to concern yourself with that! Like the telephone on someone's desk, it's a TOOL. In I.T. you're paid to provide it and make sure it functions well. It's not YOUR problem to try to stop them from making personal calls instead of work-oriented ones. The person's direct supervisor can be concerned with all of that.)

As just one of the extreme examples .... my current boss just told me a story of his previous boss at a casino he did I.T. work for. The guy was SO intent on having 100% control and lockdown on things, he wouldn't even give the I.T. staff administrator rights to any of the boxes, except on an "as needed" basis. My boss was trying to install and configure SQL servers on a number of Microsoft servers, so each time he had to load the product, he was required to call or email and request admin access -- which was only granted JUST long enough to get the product installed! At least a couple times, this caused people to sit around and do absolutely nothing productive for the better part of a day, when he forgot they needed admin rights back for a project they were assigned to do and HE wasn't available to give it to them.

At the end of the day, when you work in I.T, or network/systems administration, it's your job to construct and maintain a computer environment that everyone finds as productive as possible. Yes, "computer security" has value ... but at the end of the day, it's just about having a documented process in place to show you tried/are trying. It's not actually some sort of goal you can achieve, and the more you try, the more difficult you make it for everyone to just USE the tools they're given.

I think this is why people make BYOD into a FAR bigger deal than it needs to be. Again, the cellphones and mobile devices are simply tools people can use to do their jobs. If you TRUST an employee enough to give them access to your digital information in the first place, then who really cares if your company has the legal right to wipe the device on demand or not? That's like issuing them a pad of paper and pencil and saying, "If you're terminated or quit, you must return the pad of paper to us." Never mind the person might have already torn out the pages where he or she scribbled down the proprietary information you were trying to protect. (Anyone with a smartphone could synchronize the contents to some personal device, off of the company-owned one, so they still possess the data you wished to wipe.)

What protects your DATA is the legal stuff.... non-compete clauses or signed agreements and documents promising you won't do certain things with the info. The BYOD or the company owned devices are just tools that can temporarily hold some of the data for people. Who buys the device is little more than a detail for accounting -- and shouldn't even matter much from the I.T. perspective.