Slashdot Mirror


Do the Risks of BYOD Outweigh the Benefits? (Video)

Steve Hasselbach is a Senior Solutions Architect (AKA Marketing Guy -- but he's also a serious techie) for Peak 10, a datacenter company. In his work he deals with his clients' security problems, and often shakes his head at how security unconscious so many businesses are, even after endless publicity about corporate IT security holes costing companies millions of dollars.

He says, "...it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that." In this interview, Steve talks about how (surprise!) the current BYOD trend is making things worse, but isn't necessarily responsible for the worst security holes, and offers benefits that might outweigh the increased security risks it brings. (Note: The transcript contains material not included in the video.)

82 comments

  1. Commentary by Cartoon by sehlat · · Score: 1
  2. "The transcript contains material not in the video" by Anonymous Coward · · Score: 2, Insightful

    Then it's not a transcript, is it?

  3. No by unencode200x · · Score: 1

    No. As the old saying goes, possession is nine tenths of the law. If data is on someone's BYOD device then there can be questions as to who owns it. Even with contracts, etc. it's all a civil matter. The sheriff won't get involved.

    With a company-owned device there is no question. If someone leaves and they still have your $800 phone... the cops will at least listen and there is no question as to whether you can brick it.

    I'm all for freedom and stuff but I've seen this go south too many times.

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
    1. Re:No by Anonymous Coward · · Score: 0

      As with most things in life, you can make it work with a little effort and a lot of common sense. To begin it depends on the industry and the legalities around it and if it's even feasible, then you need good policy around it that ensures favorable outcomes for the business if any issues arise, and lastly good network security such as MAC registration. Or, you can just switch to laptops and let employees take those home. Guest networks also allow things like mobile phones onto the internet without compromising business data on the main network.

    2. Re:No by Chris+Mattern · · Score: 1

      Then don't you mean "yes, the risks outweigh the benefits"?

      BTW, I agree with you from the employee side of the matter. My company provides me a phone. It is theirs. I have my own phone. It is mine. This arrangement suits me very well. As long as the company wants me to have a phone to use on company business, they will need to continue to provide me with one.

    3. Re:No by UnderCoverPenguin · · Score: 1

      I do not use my tablet or phone for company business (other than short phone calls). If the company really wants me to use such a device for company business, they will have to provide it. I've told them this when they've said "just use your tablet". And their response has, so far, been "Oh. Then don't worry about it." The customer liaison "engineers", "resident" engineers, their managers and department directors (and above) have company issued phones and tablets. The rest of us don't, despite the fact it would benefit the company if we did.

      --
      Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    4. Re:No by NotInHere · · Score: 4, Insightful

      good network security such as MAC registration

      MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.

    5. Re:No by unixisc · · Score: 1

      I personally got 2 phones. One was an iPhone, which I use exclusively for personal use (i.e. FaceTiming relatives), whose number I don't share w/ anybody outside family. The other is a Moto X, which I don't share w/ family, but which I use exclusively for work, assuming that they don't provide me anything. So if any office wanted to configure it for any official work, I'd let them, and reset the phone whenever I left that job. That way, I keep my work and personal lives completely separate.

      One good way any employer could work w/ me on this, if it didn't want to provide a phone - pay my monthly bills for that work number.

    6. Re:No by Xest · · Score: 1

      Yep, in fact, with the new European Court of Human Rights ruling that states employers can snoop on private data on a machine used at work I would refuse to ever bring my own device in to a work place now. It's too risky, there's not a chance I'm going to enter into a situation where my employer potentially has the legal right to look through all my personal e-mails, photos, communications and so forth ever.

      For me BYOD is a big no no, I wouldn't touch it with a barge pole, the slightest chance that an employer might be allowed access to pillage data from my personal devices is enough to push me away.

      Even outside of that with devices like phones, I like a separation between my personal phone and my work phone because I can turn my work phone off out of hours. I don't want to be pestered by work on my personal phone in my time, when I'm off sick, when I'm on holiday, perhaps even after I've quit the company. I made the mistake early in my career of allowing people at work my personal phone number as well as my work one as my work one didn't always get reception. After a shitty call on a day off from a user that shouldn't have even had the number but had obviously been handed it by someone, about a support issue that didn't even have anything to do with me, I demanded that my personal number be removed altogether and I always switched my work phone off the second I left work making it clear if they want me to answer in my own time they need to pay me on-call pay.

      Frankly as I see it BYOD is basically just an attempt to merge personal life and work life so that exploitative companies can further entrench themselves in every aspect of your life to make sure that you're always on the clock.

    7. Re:No by unencode200x · · Score: 1

      Interesting. It sort of sounds like a bit of irony here. People wanted to BYOD so they just started doing it for convenience or what have you. Then, employers figured out they could save money and snoop. So now, some employers require ("embrace" is the dumb ass buzzword I hear) and get the benefit of the employee always being available, save hundreds on a phone and a lot on a plan, and have control of the device.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    8. Re:No by lsatenstein · · Score: 1

      good network security such as MAC registration

      MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.

      A new security feature is randomizing the mac id, and ensuring the randomised mac address is distinct from the hardware mac. Every relog in to a system will generate a new fake mac.

      --
      Leslie Satenstein Montreal Quebec Canada
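
The two points made in this sub-thread (a registered MAC proves nothing about the device presenting it, and randomized MACs differ from the hardware address), shown as an added example that is not part of any comment: a Python audit over constructed access-layer sightings. The log layout, port names, addresses and the 300-second window are assumptions made for illustration.

```python
# Added example: auditing a MAC-registration allowlist.
# Every address, port name and timestamp below is constructed sample data.
from collections import defaultdict

HEX_DIGITS = set("0123456789abcdef")


def normalize(mac):
    """Return a MAC as lowercase colon-separated hex; raise ValueError if malformed."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX_DIGITS:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized addresses set this bit, so they never equal the hardware
    address that was written into a registration list.
    """
    return bool(int(normalize(mac)[:2], 16) & 0x02)


def audit(sightings, registered, window=300):
    """Flag what a plain allowlist lookup cannot tell apart.

    sightings:  iterable of (unix_time, port, mac) tuples (assumed log layout)
    registered: iterable of registered hardware MACs
    window:     seconds within which one MAC on two ports is worth a review
    Returns {mac: sorted list of findings}; MACs without findings are omitted.
    """
    allow = {normalize(m) for m in registered}
    findings = defaultdict(set)
    last_seen = {}  # mac -> (time, port) of the most recent sighting

    for ts, port, raw in sorted(sightings):
        mac = normalize(raw)
        if is_locally_administered(mac):
            # Cannot be tied to a device: it changes, so registering it is pointless.
            findings[mac].add("randomized")
        if mac not in allow:
            findings[mac].add("unregistered")
        prev = last_seen.get(mac)
        if prev and prev[1] != port and ts - prev[0] <= window:
            # The allowlist admits both frames because the address matches;
            # only correlating ports shows two places claiming one identity.
            findings[mac].add("seen-on-two-ports")
        last_seen[mac] = (ts, port)

    return {mac: sorted(tags) for mac, tags in findings.items()}


# Constructed registry and sightings.
REGISTERED = ["00:11:22:33:44:55", "00:1A:2B:3C:4D:5E"]
SIGHTINGS = [
    (1000, "sw1/12", "00-11-22-33-44-55"),    # registered laptop at its desk port
    (1060, "ap-lobby", "0011.2233.4455"),     # same address 60 s later, elsewhere
    (1100, "ap-3f", "00:1a:2b:3c:4d:5e"),     # registered phone
    (1200, "ap-lobby", "da:a1:19:01:02:03"),  # U/L bit set: randomized address
    (5000, "ap-2f", "00:1a:2b:3c:4d:5e"),     # same phone much later: roaming
]

if __name__ == "__main__":
    for mac, tags in sorted(audit(SIGHTINGS, REGISTERED).items()):
        print(mac, ", ".join(tags))
```

A "seen-on-two-ports" hit is a prompt for review rather than proof, since fast roaming between access points produces the same pattern.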
  4. BYOD ok if done right by Anonymous Coward · · Score: 0

    I think BYOD is perfectly fine if it's done right. A perfect example is colleges which have a melting pot full of devices and they manage to secure them. Mostly because they require security software and many times offer free security software. I know plenty of companies that also provide and require security software to access their network. On the flip side I know companies who do not even properly keep their own systems secure let alone BYOD. I myself have seen routers exposing business computers to visitors in retail places. Apparently someone did not know how to set up separate access points.

    1. Re: BYOD ok if done right by Anonymous Coward · · Score: 0

      Enjoy being subject to your employer's whim 24 hours a day, drone.

  5. Do video articles outweigh anything? by Anonymous Coward · · Score: 0

    Hint Dicedot, video articles suck. They're all about the presenter, not the topic.

  6. A Story about BYOD by Anonymous Coward · · Score: 5, Insightful

    I used to work at BlackBerry. Obviously a company serious about security for corporate customers with BES.

    We would meet with those customers, and gather requirements about what features and security they needed. We'd review laws and industry rules, and we built software to meet those needs.

    IT departments said:
    - We need to be able to control what applications can run on devices
    - We need to lock down the device and remove applications like messaging
    - We need to prevent copy and paste. We need to turn off lots of features.

    So we built these things. We let them lock down the device. That's what the laws said, and that's what our customers wanted.

    Then some executive would ask, why am I carrying around two phones? And why are we buying people BlackBerrys when they have iPhones or Androids? Why can't I cut and paste?

    And then execs started to realize how much money they could save by getting employees to use their own phones.

    And security went out the window. BlackBerry, listening to their customers, dug their own grave.

    1. Re:A Story about BYOD by 110010001000 · · Score: 4, Insightful

      Actually this should be modded up. You should never implement what customers say they want. You should find out what they want. And definitely don't ask the IT people. They have a very narrow view of the world.

    2. Re: A Story about BYOD by Anonymous Coward · · Score: 0

      Excellent post. The sad reality is that people, like current, will take the path of least resistance.

    3. Re:A Story about BYOD by zlives · · Score: 0

      what they want... to get paid without doing any work... please implement now.

      also your ceo just sent you an email to send me 18 million dollars

    4. Re:A Story about BYOD by zlives · · Score: 1

      blackberry dug their grave by assuming their lead will never be taken over and to turn a blind eye towards innovation, convenience and just the plain old shiny.
      they are trying to dig themselves out a bit now... (I am a BB user) and users are realizing security may even be necessary.
      let's see how it shakes out.

    5. Re:A Story about BYOD by Anonymous Coward · · Score: 1

      Actually this should be modded up. You should never implement what customers say they want. You should find out what they want.

      They want it all. Oh, and fuck you if you don't bring it to them. Next question.

      And definitely don't ask the IT people. They have a very narrow view of the world.

      Yeah, can't imagine the highly trained technical staff corporations employ to keep them running would have a fucking clue as to why you would want to implement a secure solution on a highly portable device with internet access, bluetooth, wireless, and a microphone that can be hidden damn near anywhere.

      Blackberry would still have a market niche, if corporations actually still gave a fuck about mobile security. They don't, and I'll never understand that bullshit given the obvious attack vectors on these devices.

    6. Re:A Story about BYOD by Anonymous Coward · · Score: 0

      I used to work at BlackBerry. Obviously a company serious about the appearance of security for corporate customers with BES.

      Fixed that for you.

    7. Re:A Story about BYOD by Austerity+Empowers · · Score: 1

      IT departments said:

      Cover my ass, do these ridiculous things

      Then some executive would ask

      Why are you doing these ridiculous things? They are ridiculous, employees are in open revolt, are not reliably carrying their leashes or are compromising them or outright replacing them. Stop doing these things.

      And security went out the window.

      A false sense of very corporate bureaucrat version of security went out the window.

      BlackBerry

      was not listening to its customers, it was listening to their keepers. People who were both requiring employees to keep an electronic leash, but also putting 20kV through it and making sure the choker collar also had spikes. It's not really a wonder the keepers got shot down.

      Now I ask, has there ever been a time when "the data" was secure, even before BYOD, before wifi, before the internet? Isn't this just some insane paranoid fantasy in most cases? I've talked with older coworkers about how certain things were done before the internet, and not surprisingly found that security was more lax then than it is now, but about as easy to get around if you wanted to. It ultimately relied on employees to exercise judgement, and sometimes some employees exercised poor judgement (intentionally or otherwise) and Bad Things Happened. Someone was blamed, someone got fired, new ineffective policies were created but never invalidated because it would be years before next major Bad Thing Happened. On the whole, employees don't knowingly shit in their own beds, and hackers don't normally bother with corporate dregs because they know Joe Bob in data analysis probably has a very limited and possibly misleading collection of valuable data. What they really want is SVP Joseph Bobertson, who carries very little data, but all of it of extreme utility. It is only by the power of paranoia and hyperbole do we believe that every note, and every spreadsheet Joe Bob creates must be 100% corporate value.

    8. Re:A Story about BYOD by Anonymous Coward · · Score: 0

      Cause you should be copying and pasting confidential information? Cause you should be installing third party apps on your phone which receives all your executive email? Cause you should be browsing the internet on the same laptop which connects to the VPN which could direct 10s of millions of dollars' worth of machinery to turn itself into scrap?

      BYOD didn't make things much worse, but that was because things have been completely and utterly insane ever since the internet hit it big.

    9. Re:A Story about BYOD by DeathSquid · · Score: 2

      BlackBerry, listening to their customers, dug their own grave.

      No. The market has spoken and the vast majority of customers clearly do not want what BlackBerry built.
      Blackberry was listening to someone, but it obviously wasn't the people who made the ultimate purchasing decisions.

      This is a very important business lesson. Understand who your customers really are. They are the people who will pay money for your product or services. This sounds simple, but there are often many entities that look like customers but aren't really. The IT department who claims to represent customers may or may not be aligned with them. How will you find out? Talk to the customers.

    10. Re:A Story about BYOD by Anonymous Coward · · Score: 0

      Interesting, I work with a guy that "used" to work at blackberry. He said he left because blackberry had stopped taking security seriously and he couldn't get basic customer requests implemented, as feature creep to compete was more important than security, so he left.

    11. Re:A Story about BYOD by jgtg32a · · Score: 1

      In the end their security may very well be crap, but have you seen the competition?

    12. Re:A Story about BYOD by Anonymous Coward · · Score: 0

      And security went out the window. BlackBerry, listening to their customers, dug their own grave.

      Bullshit. Blackberry didn't listen to customers - customers overwhelmingly didn't want hardware keyboards, trackballs, and tiny little screens. And that's what you found on 2007-era Blackberries. And that's what you found in 2012 era Blackberries, even when it became obvious to everybody that Blackberry was collapsing. They still insist on wasting surface space on hardware keyboards in 2015, which means smaller screens, or much, much larger devices.

      To say that Blackberry collapsed because of "BYOD" programs is fucking stupid. Blackberry didn't create devices people wanted, and so they stopped buying them. Blackberry not listening to its customers probably *accelerated* the adoption of BYOD plans, because people said "I've got this nice Droid, Nexus, iPhone... why can't my company device work like this? Why do I have to have a 2004-quality interface on a phone in 2015?"

      Blackberry was stuck in the past, and STOPPED listening to its customers. That's how they dug their own grave.

    13. Re:A Story about BYOD by jonhorvath · · Score: 1

      There should be a new slogan

      "Attempting to secure everything will guarantee nothing is secure."

    14. Re:A Story about BYOD by Anonymous Coward · · Score: 0

      And definitely don't ask the IT people. They have a very narrow view of the world.

      Sure, IT has a very narrow view, after all they ARE THE ONES THAT FULLY UNDERSTAND THE TECHNOLOGY AND THE RISKS! AND THEY ARE THE ONES HELD RESPONSIBLE WHEN THINGS GO WRONG. So hell no, don't ask them, ask the Business Manager that wouldn't know a server if they tripped over it. Yes, ask the Business Manager that wants fairies and unicorns and wants to monitor the internal network from his iPhone.

      Yes I carry TWO laptops, one for work and one for me. It's the SAFE way to work. Of course you could give two shits about security and want convenience instead.

  7. BYOD has been a fail boat since always by Karmashock · · Score: 1

    all of this because idiots want to play angry birds on the corporate network.

    BYOD needs to be killed with fire

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:BYOD has been a fail boat since always by Anonymous Coward · · Score: 0

      No, that was never the main aspiration of corporate in passing down BYOD. Corporate believed that BYOD would reduce IT costs because then the employees all became responsible for their own upkeep and the IT department would have less to do (which make it ripe for downsizing or outsourcing). Of course, like most of the dogbert-esque stupidity that comes from above, it doesn't work out that way.

  8. It's a scam. by SuricouRaven · · Score: 2

    Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.

    1. Re:It's a scam. by JaredOfEuropa · · Score: 1

      Not this argument again. In most places I've seen implement BYOD, it always started as an optional scheme. Get a company Blackberry if you're eligible (same rules as before), or get your corporate mail, calendar, contacts and certain documents on your own phone. Or you can have both. And when such a scheme launched, pretty much all the execs dropped their company BB and started using the Android or iPhone they already owned. In some companies the Blackberries all but disappeared in a few short months.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:It's a scam. by Chris+Mattern · · Score: 1

      And when such a scheme launched, pretty much all the execs dropped their company BB and started using the Android or iPhone they already owned. In some companies the Blackberries all but disappeared in a few short months.

      So, because the execs are technical idiots who don't understand that they're handing over the keys to their personal life at their own expense, I should do the same?

    3. Re:It's a scam. by Locke2005 · · Score: 2

      Buy Your Own Device doesn't save money because it is unsupportable; supporting every possible piece of hardware costs more than just giving every employee a cheap smart phone.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    4. Re:It's a scam. by Anonymous Coward · · Score: 0

      Buy Your Own Device doesn't save money because it is unsupportable; supporting every possible piece of hardware costs more than just giving every employee a cheap smart phone.

      That's why our BYOD policy was: We do not support it, it's YOUR device. We put some simple HowTo guides on the intranet to show people how to connect to their company email with their iPhone/iPad/Android and left it at that.

    5. Re:It's a scam. by JackieBrown · · Score: 1

      Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.

      I haven't worked for a job where I was not allowed to use my BYOD for personal use. It was a pain that they could remote wipe my phone, but with Android and root, it was pretty easy to block that ability.

      My new job uses GOOD which sounds good in principle - a sandboxed corporate environment that doesn't interact with my personal stuff. Problem is that GOOD checks for root and I'd rather use adaway and lug my laptop around than get work emails/calendar on my phone. There is an old version of GOOD that I can use along with an xposed module but that version no longer works very well with my phone (it freezes a lot).

    6. Re:It's a scam. by germansausage · · Score: 1

      Um. No. You're doing it wrong. The only thing my employer gets to keep control of is the company email on my phone. He can remotely delete it at any time. The rest of the phone and my own email and all the apps, data, and media on it belong to me and my employer has no way to access it. He pays half the monthly bill and any work related extra costs like roaming when I travel for work. Seems fair.

    7. Re:It's a scam. by JesseMcDonald · · Score: 1

      It was a pain that they could remote wipe my phone, but with Android and root, it was pretty easy to block that ability.

      Where I work, rooting an enrolled device, or otherwise taking steps to circumvent the device policy, is a violation of the terms you must agree to to enroll in the BYOD program. Devices which the employer cannot remote-wipe are not eligible for the program, regardless of the reason. It's probably the same at most other places. Is the cost and inconvenience of a separate work device worth losing your job over?

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  9. Sigh by Billly+Gates · · Score: 2

    At the end of the day the users always win anyway. IT just has to suffer and endure

  10. Ah, How about NOOOO?! by Anonymous Coward · · Score: 1

    Now people or companies don’t want to necessarily pay for the laptops, well the users want to use their own laptops--there you go.

    If I need a laptop for work then my employer needs to buy me one.

    If I need a cell phone, my employer needs to buy me one AND the plan. Track what I do on their phone? No fucking problem from me.

    We are NOT carpenters, plumbers, mechanics, or tradesmen (or are we now?) where we have to supply our own tools. But if an employer insists that I use my own phone for work and if it gets hacked, well, that's THEIR problem and THEIR fault.

    1. Re:Ah, How about NOOOO?! by Architect_sasyr · · Score: 1

      Why should a plumber or any of the others need to supply their own tools anyway?

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    2. Re:Ah, How about NOOOO?! by Chris+Mattern · · Score: 1

      Because they'll look pretty silly showing up at the work site without them, because then they won't have any tools to work with. This is the standard for any physical laborer or mechanic. This works for them, since there's no need for the worker to link his tools to anything of the employer, and the worker does better with tools he has selected and is familiar with. Doesn't work that well for IT, where the tools need to mesh closely with the employer's setup to work.

    3. Re:Ah, How about NOOOO?! by Anonymous Coward · · Score: 0

      For one thing, plumbers can go work on other jobs with their tools as they see fit. Should IT/software people start supplying their own desks and chairs too? They're every bit as vital as a computer and phone.

    4. Re:Ah, How about NOOOO?! by Architect_sasyr · · Score: 1

      Except surely the argument then is that my laptop, which has been configured to my tastes with my installed programs etc. etc. is a more viable tool for use than a work supplied laptop - pro BYOD.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    5. Re:Ah, How about NOOOO?! by Chris+Mattern · · Score: 1

      That is indeed a cogent argument in favor of BYOD. In fact, it's my opinion it's the best argument in favor of it. But to my mind, it fails because a computer needs to be more closely integrated to the employer's systems than a manual worker's tool--a fact which is only made worse by the fact that those systems aren't standardized the way building hardware is. Even if an IT worker is moving from job to job the way a manual laborer does--and admittedly some do--the different set ups from job to job means he can't use the same tools the way the laborer does. And a worker's tools don't involve his personal information.

    6. Re:Ah, How about NOOOO?! by BradMajors · · Score: 2

      The difference is between being an employee versus being self-employed.

    7. Re:Ah, How about NOOOO?! by Anonymous Coward · · Score: 0

      This works for the plumber who is a pro with his tools. It also works for IT professionals who indeed can set up their machines so they're secure, conforms with whatever sw the company runs - as well as conforming to how they want a computer to be set up. It doesn't work for people who merely use the pc as a word processor/spreadsheet gizmo. They are only pro at word processing (and whatever business function they have), they don't know how to set up a computer properly. So they shouldn't bring their own device.

    8. Re:Ah, How about NOOOO?! by Anonymous Coward · · Score: 0

      a computer needs to be more closely integrated to the employer's systems than a manual worker's tool

      You've obviously never used a tool more sophisticated than a claw hammer if you think that there are not a wide variety of tools available on the market, which often require you to adhere quite strictly to the set of standards and measures used by your employer, or the general industry you're working in.

      "We work on engines measured in metric units here."
      "That's okay, I got these English measurement wrenches, that oughta be good enough."

    9. Re:Ah, How about NOOOO?! by Anonymous Coward · · Score: 0

      Sure - why not? My employer can pay me an equipment stipend, and then leave it up to me to determine what tools and materials I need to do my job properly. For instance, I'd love to get an adjustable sit/stand desk, and a better chair for the times I'm sitting. My employer issues standard fixed-height desks and chairs which aren't - to me - comfortable.

      I'd be happy to fix that if they had, instead of issuing me a furnished cubicle, they had simply said, "here's a 8x8 cube you can set up to your heart's content, and a $5000 signing bonus - buy a desk and a chair that you like with it. If you search for good deals, any extra is yours to keep; if you want to buy something expensive, your choice. Alternately, you can choose the standard setup, which we'll provide for you, but there's no extra bonus for tools & materials."

      Of course, as a contractor, I do that for myself anyway in my home office. But I see no reason why the company has to take the role of "daddy" and provide you with all that stuff. Even if they offered a handful of relatively price-equivalent options, more choice is better than less, in my estimation.

    10. Re:Ah, How about NOOOO?! by Chris+Mattern · · Score: 1

      My point--in the manual worker's world, there are industry standards he can rely on and will be followed. You mention a case where there are two different standards and you have to follow the right one. In IT you may never see the same standards twice.

  11. Shilling Cloud Databases Again by Anonymous Coward · · Score: 0

    More slashvertisments, a new buzzword acronym, concept denigrated, followed by comment shills and FUD.

    For decades, companies have been running their own datacentres without the privilege of paying Oracle & Co. millions per annum. Screwups happened, but then again these happen under Oracle as well, and boy do they happen under "Cloud" based databases too. Yet we're all bad techies for daring to "BYOD", making it sound like we're running an informal barbecue in our server rooms instead of, you know, the operations we've been running all this time.

    What's next Slashdot? Will LAMP be labelled sexist? Init pronounced dead and buried? What new slashvertisment propaganda can we look forward to from the tireless editors as we are synergistically going forward dynamically?

  12. Not even company mobile on the wifi by magarity · · Score: 2

    Heck, where are these people working with such lax security? Here at a health insurer, I can't get permission to put my company issued smart phone on the company wifi, never mind a personal device.

  13. Which BYOD are we talking about? by damn_registrars · · Score: 4, Funny

    Build Your Own Datacenter?

    Bring Your Own Device?

    Build Your Own Dessert?

    Bury Your Own Dead?

    I think we could have had an expansion of this acronym in the summary, just for clarity...

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re: Which BYOD are we talking about? by Anonymous Coward · · Score: 0

      It's bury your own dead. Pretty obvious to me.

    2. Re:Which BYOD are we talking about? by cHiphead · · Score: 1

      Bite Your Own Dick, obviously.

      --

      This is my sig. There are many like it, but this one is mine.
    3. Re:Which BYOD are we talking about? by Locke2005 · · Score: 1

      Bring Your Own Dope -- the Santa Cruz Operation official corporate policy. Actually, BYOD obviously refers to Bring Your Own Device for the purposes of this article.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    4. Re:Which BYOD are we talking about? by Anonymous Coward · · Score: 0

      I thought "be your own doctor"

    5. Re: Which BYOD are we talking about? by Anonymous Coward · · Score: 0

      Thanks to WebMD, everyone already does that.

    6. Re:Which BYOD are we talking about? by stub667 · · Score: 1

      It's a very common acronym for Bring Your Own Drinks around here, where you bring your own booze and a restaurant charges a corkage fee. I imagine it does adversely affect security.

  14. Yes by countach44 · · Score: 2

    If it is a needed tool for work, the company should provide it. I have many coworkers whose only phone number is their work phone, only laptop work laptop, etc... It may seem like a convenience, but when your employer has the ability to always contact you because you use that cell phone for personal purposes, it's not so convenient.

    1. Re:Yes by swb · · Score: 1

      People who use their work phone or laptop for personal use are stupid.

      But the process for me works in reverse -- it's my damn phone, so I will decide how it will notify me of new messages (guess what, my VIP list includes no work addresses), when I will turn it off, what apps I will run on it, etc.

      My wife got a new iPhone from work and was wondering if she should get rid of her personal one. I told her "Do you want them to see your personal information? What happens when they fire you and you lose the number?" It was pretty hard to convince her to keep her personal phone.

    2. Re:Yes by Anonymous Coward · · Score: 0

      Why would you lose the number when they fire you? It's your personal account. All BYOD does is give your company control over the device, so yes they could spy on you or wipe your phone when you leave. But they cannot steal your phone number unless you sign over your account to them, which nobody does.

    3. Re:Yes by Anonymous Coward · · Score: 0

      It's actually pretty hard for the company to see any personal information at all on an iPhone, even if it's managed by Mobile Device Management.

      They can't see iMessages/SMS, call history, notes, personal email account messages, or user installed App content.

      The caveat is if the company pushes an App for work use to the device, and you put personal stuff in that App, then there's a chance it might be accessible to the company (depending on how the App is written).

      Completely agree on the lose the number issue.

    4. Re:Yes by Austerity+Empowers · · Score: 1

      employer has the ability to always contact you because you use that cell phone for personal purposes, it's not so convenient

      At a certain level this is part of the job, and assumed with the salary and benefits. It's not that high, a developer or engineer may have no direct reports, but compared to someone that works in the factory or the sales floor has a significantly greater responsibility and is expected to at least answer a phone call outside of normal work hours. You can carry two phones and drive yourself nuts, or carry one. If the cost becomes significant, you can expense it, I've never been shot down for that. But why deal with multiple devices, isn't that more complexity to deal with?

      The one reason I can think of is because I don't trust my IT department, I know they have spyware/malware installed and are busy dicking with my machine. If that is not an issue (as it is in most sensible places), then it's really just more of a headache to deal with dedicated machines and saves me no actual time, and beyond faux ideological principles, does not give me anything back.

    5. Re:Yes by ILongForDarkness · · Score: 2

      Have people never heard of email/call forwarding? Leave your work phone in the office, forward the calls to your personal number. Is it that hard?

      I've never carried a work phone or been on call without compensation and refuse to do so. The only reason it is "assumed with the salary" is because people refuse to ask: and what will I be being paid for those hours? Never got a huge amount of money but about 100-150 for a weekend or so + 1.5X time if I actually got a call for a minimum of 4 hours pay. I.e., you call me and it takes 10 min to fix I get my $100 oncall + 6hrs pay. You have to make your personal time expensive so your employer doesn't feel free to waste it.

    6. Re:Yes by Austerity+Empowers · · Score: 1

      Those things are usually against company policy, but policy here can be effective because IT can easily trace this, and I'm not clever enough to figure out an excuse why it's a good idea to forward company email to personal accounts over insecure links. I suppose I should look to Hillary Clinton? I actually don't think that's a good idea, when I can do something better with VPN on my personal phone. Particularly since much of my email requires a "secure link" from/to our vendors (VPN has been determined to be secure, in 3 out of 4 past employers, and we simply ignored that fourth one's policy since we COULD plausibly defend it).

      By contrast BYOD (legally or no) and installing shit on company property is much less traceable and easily defensible. IT is a CYA organization, they have neither the skillset nor background to evaluate "business need" for any set of applications employees have, and rely on user teams to elaborate such a list. User teams have little concern for IT's CYA policies, time to deal with the process, and do not keep active lists, nor are rigorous with vetting it although such lists exist for our own CYA. So basically unless the app is called "hooters&poon" it's pretty easy to ignore policy. Sensible companies stopped managing employee laptops 5 years ago, my current one doesn't even try, other than an asset tag no one has any code or backdoor access to my mbp, and I have my own image installed on it to be very sure. This of course requires users who aren't abject morons and who have used a computer, but somehow my past two employers managed to do this just fine, it still boggles my mind when my IT friends insist that without all of Windows' big brother nonsense their job would be unmanageable. I haven't had a Windows machine at work in 8 years, but we somehow manage to make money.

      As for salary for hours, it is a constant negotiation. I benefit strongly from flexible hours and the ability to commute outside of rush hour (and to be able to take kids to/from school), so it's not a major hardship for me to answer calls, get on conference calls, do occasional travel or even to work at other hours. I put in what I feel is appropriate and performance reviews decide if it's acceptable. If it's more than I can give and what I think I can get elsewhere, then it's time to move on. I've found that all companies expect 100% of your time, so generally you find the one that pays the best and try to be reasonable. If a company wastes my time with a lot of overseas nonsense and conference calls, then I am generally less willing to put in extra hours: you waste my time, I will get it back. If a company wants to give me a contract and outlines every last job detail, it tells me that's a job I probably do not want anyway, it's going to be a lot of administration and policing and not a lot of profitable work for either party.

  15. Wrong question. by Anonymous Coward · · Score: 0

    BYOD is here whether you like it or not. Right now smartphones are pretty much a fixture of the mid-to-upper middle class working person.

    A pretty good mobile computer that fits in your hand and has pretty quick and affordable access to the internet. And essentially free access at short range. Of-fucking-course everyone has one. It's way too useful.

    Seriously if I told you about smartphones in 1995 you'd have ruined your parachute pants. We're in the fucking future and we didn't even know we arrived.

    So everyone has a smartphone. Nobody is going to carry around two phones. That's fucking dumb. This isn't 2002 and this isn't your shitty blackberry. Of course you're going to get your work data on your phone.

    The question now is how to make it secure. A sensible option is a secure, isolated, standardized, encrypted virtual machine partition. Your biz data lives in the partition running whatever OS your biz needs. You leave your job? They revoke the key and your biz partition goes blank leaving your data and apps and music and snapchats with sweetyluvr69 intact.

    Completely plausible and easy to implement in 2016. But we'll never see it because we'll never see competing manufacturers cooperate to make it a reality.

    1. Re: Wrong question. by Anonymous Coward · · Score: 0

      A slight correction on the parachute pants. That would have been 1985 and not 1995.

      I do foresee a future where a device has multiple profiles that run in isolation. One for work and one for home with an OS that segments them.

    2. Re: Wrong question. by Anonymous Coward · · Score: 0

      "Nobody is going to carry around two cell phones."

        Tin foil hatters probably carry at least two.

    3. Re: Wrong question. by ShieldW0lf · · Score: 1

      They could use X

      --
      -1 Uncomfortable Truth
    4. Re: Wrong question. by Anonymous Coward · · Score: 0

      A slight correction on the parachute pants. That would have been 1985 and not 1995.

      In fairness, he might be Canadian. The 80's came late up there, eh?

  16. Does MPX sound over hyped? by Anonymous Coward · · Score: 0

    It is the responsibility of the caller is responsible for allocating space for parameters to the callee, ...(sick)

    Setup required:
      o A machine with hardware enabled with Intel MPX.
      o Microsoft Windows 10 November 2015 Update or greater. Verify the presence of the Intel MPX runtime driver in the Device Manager under System devices (Figure 12). If it is absent, please download and install the driver from the Intel Memory Protection Extensions Enabling Guide.
      o Installing Visual Studio 2015 Update 1 with device emulators based on Microsoft Hyper-V* may mask the Intel MPX state, causing Intel MPX instructions to be treated as NOPs. To verify this, after installing Visual Studio, the user should check the hypervisor settings. To do this, type bcdedit in an administrative cmd prompt. Make sure that the hypervisorlaunchtype setting is off. If it is set to auto- do bcdedit /set hypervisorlaunchtype off and reboot the machine. This issue will be addressed in future.

    We don't need no stinkin' VMs anymore, says Intel to us.

    MPX? Wasn't that a mid-80s Microsoft thing?

  17. Yes by Locke2005 · · Score: 1

    I worked for a company whose official policy was that email accounts could be left logged into on company owned laptops (which would require a password on bootup) but not on employee owned devices. They used corporate gmail, and when I pointed out that gmail had to be logged into in order for google calendar to remind me of the meetings I was scheduled for, the CIO told me (via email) that that was a violation of company policy. So I stopped doing it, but all my coworkers continued to leave their phones logged in to gmail -- they had positive deniability, but I no longer did.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  18. Good riddance to BYOD by Anonymous Coward · · Score: 0

    We just migrated our 300-user subsidiary into the parent company's email system. They have a policy of no BYOD.

    As a desktop support dude, that has to support all that BYOD crap when it has weird problems and won't work, I'm glad to see it all go.

    If you need mobile email for work, company buys you a phone, done and done.

  19. Transcript? by Anonymous Coward · · Score: 0

    What transcript?

  20. BYOD works for me. by onkelonkel · · Score: 1

    BYOD works fine for me. I own the phone, I manage the voice and data plan and the company pays for half. This definitely works out in my favor. If I travel out of the country the company pays for the roaming plan. At work I use the company guest wifi to save on data use. I had to install some kind of app so they can wipe the company email if I lose the phone. My personal email is completely separate. The company has next to no issues supporting me. I don't have to carry two phones. Everybody wins.

    --
    None of them can see the clouds; The polished wings don't care.
  21. I'm not going to carry two phones. by DeathSquid · · Score: 1

    I'm not going to carry two phones. For some people that might be OK, but I've only got so much pocket space and room for chargers at home.

    Since I will be using the sole phone I carry for personal use, I have some set-in-stone policies:
    1. I get to choose the phone that suits me best.
    2. I update the hardware according to my convenience and requirements.
    3. The device is completely controlled by me for security and contractual reasons.

    So long as a company complies with those policies, I am quite flexible about everything else. I'm happy to be non-contactable out of hours, if the company wants. I'm happy to BYOD so long as I am properly recompensed. I'm happy to have the company supply the phone.

  22. My consultation algorithm: by Ungrounded+Lightning · · Score: 1

    1) Confer with the client. Find out what he wants. (He'll tell you what he wants ADDED to what he is replacing.)
    2) Research the client's current operation: Consult his underlings, especially the front-line workers, who know what's REALLY going on. Make friends with them and try to help them out, too. Find out what he currently has. Figure out what (you think) he needs.
    3) Propose to the client that he should want what you think he needs.
    4) After he's had a chance to think about it, design and build what he NOW wants (which may be what he wanted before, what you think he needs, some mix, or something off in never-never land that he thought up after seeing what you came up with).

      * Maybe he'll come around to your design and think you're the best and brightest consultant to ever come along. Build the spiffy thing and everybody's happy.
      * Maybe he'll want something other than you think he needs. If so:
              * Maybe he's right and you're wrong, because he understood something about his operation that you didn't. Doing it his way might turn out to be better than doing it your way.
              * Maybe you're right and he's wrong, but it's his company and he's paying the bill. He had his chance and rejected your suggestions, so it's on his head. Build the goofy thing and laugh, or sigh, all the way to the bank.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  23. two separate networks by Anonymous Coward · · Score: 0

    Run two separate networks. One for potentially unsecured devices (wifi), one for secure devices (cables and part of the domain control). A simple router for the wifi and a commercial class router for the wired devices. Then tell the users that they should treat the WiFi like a coffee shop WiFi and don't let the laptops being plugged in by cable connect to the network unless they are under domain control.

    Without getting into the political reasons of BYOD, that's how most small businesses should be doing BYOD. Some businesses can't afford to provide phones for their employees, so this is just a reality that has to be dealt with through education of the people in the office. I run lunch and learn sessions for the people at my work, if anything it helps to reduce the number of simple problems I have to deal with day to day. It won't eliminate all of them, but I can definitely say that people are becoming more security conscious in my office. I would argue that it is the responsibility of the IT department to educate their users and quite often an ounce of prevention can limit the pounds of pain.

    In the end, the average user has no idea of the security implications of any of their choices, we as a social group (peoples with highly technical knowledge) owe it to our society to help educate those with less knowledge... maybe if people took that responsibility properly there would be more push back on the prospect of breakable encryption. It's the clipper chip argument all over again except technology is more of a black box to more people now than it was then... and that's why they are trying this crap again.

  24. California BYOD laws - sigh by billstewart · · Score: 1

    California law says that companies can only let you use BYOD if they're providing you with equipment and service plans. The assumption is that companies will try to rip off their employees by making them bring their own devices, so it should be forbidden. While I understand that, it means that I can't just bring my own iPad/Android tablet to work to use as an alternative to the company laptop unless the company also buys me a work phone. (Sigh. Eventually they did that, but the IT department's support for Android has never been as good as their iPad support... So I've occasionally had to haul the laptop on a trip instead of just the tablet.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks