Bring Your Own Device

Podcast: Is it time for IT to let users bring their own laptops and smartphones?

We've been talking about the consumerization of IT for years, but it's now reaching an inflection point. Is it time for IT to accept it and adapt?


The Big Question is a joint production from ZDNet and TechRepublic that I co-host with ZDNet Editor in Chief Larry Dignan. Larry is traveling on the west coast this week so he couldn't make it, but he'll be back next week. My colleague Bill Detwiler, TechRepublic's Head Technology Editor, pinch-hit for him this week.

You can play this 29-minute episode from the Flash-based player at the top of the page.

If you enjoy this podcast, please go to our iTunes page to rate it and leave a short review.


About

Jason Hiner is Editor in Chief of TechRepublic and Long Form Editor of ZDNet. He writes about the people, products, and ideas changing how we live and work in the 21st century. He's co-author of the upcoming book, Follow the Geeks (bit.ly/ftgeeks).

204 comments
l_creech

The networks I run are set up in such a way that this is a non-issue. Network access simply isn't allowed unless the equipment is part of the domain. The only exception to the rule is RDP, and even there policy allows nothing more than actually working remotely, no file transfer, no clipboard, no remote printing, etc... My job is (and will remain) keeping everybody working with as little downtime as possible. Seeing as I am not an employee per se of any company whose network I'm responsible for, it's in my best interest to keep things running smoothly. When people want to bring in devices of their own there are ways to deal with it. Company policy can either allow or disallow most anything in a working environment. Companies can (and should) set up a guest network that would allow employees and customers/partners to get Internet access without compromising the primary network.

dcolbert

OK... I listened to the PodCast, and oddly enough, when I first read the title and started responding to it, I thought of the controversy over rogue access points which was really a hot topic between 2001 and 2003. Maybe not so oddly, actually. As you point out, rogue APs were kind of the first wave of incoming consumer electronics that IT faced. I wanted to touch on this, but never found a relevant way to segue into this topic. In my opinion, consumers forced IT's hand on WiFi, when it was not yet ready for corporate networks. It was still full of holes, IT knew it, but demand forced IT to provide it. Additionally, users, still today, have unrealistic expectations of wireless. They're not tolerant or understanding of dropped connections and coverage dead-spots and decreasing performance with distance. Of course, the podcast was well thought out and touched on most of the points and objections I've voiced in my responses here. Near the end, Bill Detwiler says "if you're going to try to fight this tide, you need to come to the table with strong arguments". I also saw, without listening to the podcast, how this drive ties into VMs, Virtual desktops, and web based access to applications (specifically through Citrix.. "eating your own dogfood"). As I said, my goal is to push in this direction, and I'd like to see a day when my entire staff as well as my customers access all systems and services through web based apps. Right now my organization has custom web based apps hosted on traditional web pages (reporting), published Citrix apps, and access to our main hosted apps via Citrix network neighborhood over software or hardware VPN, or via Citrix Web client. We also have some thin clients using RDP across point to point T1s. Obviously this model is complicated and harder to support than the ideal I would like to realize. A key driver in pushing in this direction is to divest my group of worrying about the client that is connecting. Ideally, Safari, Chrome, Firefox, IE...
Win32, Win64, OS-X or Linux shouldn't matter. Getting rid of VPNs and point to point T1 WAN connections increases security, decreases complexity and reduces footprint of vulnerability exposure. And yes, if I could get to that point, I'd like to have less to do with supporting the end user machine connecting to me, and as a matter of fact, I'd like to be in a place where I could say, "I don't care where or how or on what you connect". But even right now, that isn't the case. OS X users are a pain. I had one remote user who we told she couldn't connect to our Citrix web apps via her Mac, so she ran Parallels, and then loaded up Safari on Windows and called with the same complaint. "You also can't connect via Safari". Of course, she was "very disappointed" that "we" didn't support Safari. I agree, a hybrid model is probably in the future for IT - and I am headed in that very direction myself, at this moment. But we're years away from fixing all the bugs and working out all the kinks - and there will be BIG setbacks along the path. There will be high profile failures of the cloud that support the arguments against this model of computing. Consultant services are another issue. I don't think this generally works out to the benefit of most organizations. Consulting is necessarily expensive. There is a very narrow window where it makes economic sense. Companies that find an economy of scale doing this do so by effectively "overbooking". The logic goes like this: Our customers need a response time of X. But they only need this every so often, and very rarely at the same time as our other customers. We'll oversell our support model and MOST of the time it will be fine. I mean, this is how broadband providers work right now, and the balance always works out to the provider's benefit, not the customer's. I'm trying to put my finger on this. Email. We have our own e-mail server. It is a pain to maintain and administer. SPAM is a huge concern. I'd love to outsource. 
I see the tremendous benefits we would gain by doing so. But, I also know that we'll end up in an Exchange farm, paying a monthly fee per megabyte, per user and sharing oversold resources with lots of other companies because it is the only way to make that model economical. I also know that when our OWN e-mail server has problems, and my own internal users come to me upset, I'm accountable and responsible and respond accordingly. On the other hand, I am dependent on AT&T, on Verizon, on a bunch of service providers, for necessary components of my business structure. When AT&T suffers a fiber cut, and it puts my business down - I'm one drop in the oversold bucket, complaining. Of course they'll try to satisfy me to a point, but ultimately, I don't have much control or influence and there isn't really any way for us to hold anyone accountable. We can leave, conceivably - but this may be easier said than done. Look at how many people put up with completely unsatisfactory service and support from companies like Verizon, just because there really isn't any choice. Companies outsourcing to IT service providers/consultants are (likely) going to find themselves in this same (or a very similar) situation. The waters the IT industry is venturing into, if we had a map, would say "here there be monsters". There are lots of pitfalls, traps and hidden dangers down this path. I know because I am sailing these waters now. This is not a path I would want to be the earliest adopter on. I think that the technologies are not fully mature. They're not ready for prime-time corporate adoption. The podcast mentioned the thin-client/network application craze of the mid 90s and how it has largely been a failure. At the same time, some companies rushed headlong to adopt these technologies, certain that it was the next big wave of computing. Other companies, pushing network technologies, ate their own dogfood. Quite a few of them choked on it. :) I suppose time will tell. 
I think that you guys are right in that a hybrid environment will evolve, but I think that traditional IT will remain largely the same, with the same controls, policies and processes in place as it has had for the last 30-some years.

rick.giles

We don't allow it for security reasons and HIPAA and privacy due to the nature of the business. It's bad enough that we can't keep them from getting a virus or spy/ad/scareware and Trojans on the equipment we do issue.

RechTepublic

The less standard an environment is the more IT support it requires. Bring on the billable hours!!!

scoopboys

I'll happily lay out the multi-point case for not having a company support the use of employee-owned equipment.
1) Support issues. Regardless of whether the employee is using software installed on the device, a Citrix client accessed by the device, or a lightweight client (as mentioned earlier in the thread), if it doesn't work, IT needs to get it working. Citrix and a lightweight client make it much easier, but there is still a potential for some unknown conflict causing the application to not work correctly. The time it takes IT to resolve issues (particularly in the case of software natively installed to a device) can be significant. Eliminating the built-in standardization that makes support efficient would add time for support and increase resource needs.
2) Security relative to device disposition. Data disposal and security is a cornerstone of many organizations, primarily those that house Private Health Information (PHI) or other data that is sensitive. Distributing the responsibility for securely wiping disks is dangerous. Case in point - if an employee terminates employment, can my company ask him/her to securely wipe his/her device at that time? If your social security number and/or credit card information is on an employee's personally-owned device, would you feel comfortable with that? And relative to data not being "stored" on the local device when using Citrix, VPN solutions, etc., there are very few that ensure that data can't be recovered. Talk to a computer forensics expert and you'll learn that data has a nasty way of getting stored in places you wouldn't expect it.
3) Other forms of security. Patching, vulnerability management, endpoint security - all of these are the responsibility of the company. I don't trust the average employee to properly secure the company's data on a personally-managed device.
4) Ability to perform investigations. This may be a lesser point, but maybe not. If an employee needs to be investigated for some sort of wrongdoing, a company can demand that it get its property back immediately. If it's employee-owned, try to get a court order to examine the device?
5) Compliance. Software is a licensed entity, and if users start using their own licenses (quite likely educational licenses and possibly pirated licenses) to perform business functions, the company (by endorsing this) is breaking the law.
6) Liability. Yes, employees may choose to keep or process data on their own devices, against company policy. Let me say that again: AGAINST COMPANY POLICY. If that happens, the exposure is much less than if the policy allows employee-owned devices to be used, particularly if data is breached, improperly disposed of, etc.
There are plenty of other reasons, but these are enough...

kyle

To record, many DAW interfaces, including Apple's own Logic 9, can't connect because of a bug that began way back with the first 10.5 release. Apple are supposed to be the unchallenged champions of the techno-multimedia world. This problem is going on for over two years now. Why haven't they fixed it? It's turning musicians like myself away to Windows. Never thought I would see the day and my Windows friends won't let me live it down. If Apple were half as embarrassed as I am, I'm sure they would have done something about this at least a couple years ago. Unbelievable, it seems so stupid. Such a shame.

melias

I have been reading a lot of posts here about using personal resources. I have no problem with people using personal systems via RDP, EAS, OWA or other remote technologies. We are already doing so. What I DO have issues with are some of the other ideas in the 'cast. The one that caught my attention the most was the release of the 'command and control' mentality of IT in regards to server, network and desktop systems, both hardware and software. The ONLY thing keeping corporate networks running, as well as the data corporations need to live, are dedicated and security-conscious IT personnel who control the flow of data, back it up, and scrutinize every request for data access that comes in. This IS the essence of command and control. Go ahead, turn your data's safety over to someone NOT trained and experienced in data security and availability. Also, replacing most of your staff with contractors rings danger bells in my head. For one thing, contractors tend to bounce around quite a bit, so keeping someone long enough for them to REALLY know your business can be difficult. After all, the life of a contractor depends on him/her knowing the latest and greatest technology. Staying in one place using last year's tech can be detrimental to their careers. One final observation. The CEOs, and all the other CxO's who believe all these pie in the sky schemes are wonderful to save money are usually the first SOBs to point the finger when shit happens because of their dumb-ass decisions. edited for grammar

mousejn

I went to a seminar where a Forrester Researcher stated basically the same thing. About 90% of the IT attendees had a negative response. I think it will happen to a larger segment than IT would like but how we secure the critical infrastructure is going to be interesting.

dcolbert

My response from the ZDNet article: I can't listen to the podcast currently, but I've already got a strong opinion on this issue. My office not only allows, but encourages employees who wish to work from home to use their own equipment. My belief is that this opens up our organization to all kinds of additional liability and abuses that could be avoided by requiring corporate controlled assets for these kinds of needs. Employees should also realize the limits and restrictions on acceptable use that they implicitly agree to when mixing their personal and professional equipment. This is really the sticking point on any proposals of this nature. As an IT manager, if you have personal equipment, it isn't really reasonable for me to limit your use of your own equipment - where you visit, what you store on the device. But, I have a responsibility to make certain that devices that attach to my corporate network do not visit certain sites, do not have certain data stored on them. It is an irreconcilable catch-22 for IT. Who supports this equipment when it has problems? Is it the owner's issue to resolve independent of the IT organization? If the user gets a virus visiting MySpace on their personal device, and this impacts their ability to do work (not to mention, their ability to safely access my corporate network) is it my obligation to see the issue fixed? Can we bill the employee for this service? My staff has been exposed to countless vacation photographs and worse - and there are potential legal traps here. If I see something illegal on a personal device used for business while trying to resolve an issue, now my staff is complicit in whatever crime is being committed and we're legally obligated to become involved. On a piece of corporate equipment such a decision is cut and dried. On a person's personal equipment, this becomes a far more complicated issue. Imagine working on an employee piece of equipment and inadvertently finding out private information about them.
Maybe they're being unfaithful, maybe you discover their spouse is being unfaithful. Perhaps their teenager is having drug and legal problems. Imagine your IT staff having access to this information. If it is on a corporate owned machine, and the unthinkable happens and this confidential, private information leaks out, there is a strong argument that this information should never have found itself on that equipment in the first place and the user/employee is responsible for allowing that to happen. If it is a personal device, that defense quickly evaporates. In all ways, it is truly a quagmire to allow personal equipment to be used professionally. I would prefer that if a person needs a certain device in order to work effectively, that equipment be owned by the company, with well defined policies on acceptable use, and that this device be completely managed, administered, and supported solely by IT. The employee should understand that this device is intended solely for professional use. Do not let your spouse, kids, or friends use this device for non-work related duties. Do not use this device yourself for non-work related duties. This should cover connectivity, as well. If you need broadband, the company should provide you with an approved, corporate controlled, managed and paid method of connectivity used solely for work related duties. When I worked at Intel, I was supplied with a broadband line, a company laptop, a company cellular phone, and a company wired line at my house. Those were used solely for work related purposes. I did not use my company broadband to surf or play online games, I did not use the company phones to make personal calls. I maintained my own separate broadband line, my own separate cellular and wired phone, and had my own PCs. The only time I ever mixed my company IT assets with personal assets was hopping onto my LAN to print or to share files - and that happened very rarely.
In turn, I never worried about Intel asking me why there were calls to personal numbers on my company phones. I never worried about a member of the TAC support staff browsing through my personal vacation photos. As an employee, you give up rights when you accept company equipment. As a company, you take on additional liability and opportunity for abuse of your IT resources when you allow non-company equipment into your organization. I can say, from personal experience, that once you muddy these waters, you can expect to become the front-line support for any issue an employee experiences with their equipment. If they're having problems with their ISP, they're going to come to your help desk first. If they're having issues with their equipment, they're going to come to your help-desk first. Would you rather deal with impersonal support with no pressing incentive to resolve your problem through a large vendor like Comcast, Apple or Dell, or directly with your company's IT staff who is driven to enable you to work effectively from remote locations? The former 3 examples have millions of customers suffering issues at any given time. The latter generally is going to have tens of thousands of users, total, only a percentage of which are having problems. Where are you going to get a quicker response, a more efficient and effective response? You'll effectively become your employee's first-stop alternative to "Geek Squad". The employees at my current organization require dual screen monitors. We provide second video cards and a second monitor. We've experienced at least one case where an employee brought in their second machine to have a video card installed, and the installation did not go smoothly, there were conflicts between the installed driver and the driver for the second video card. We were unable to complete the installation and backed it out - but it left the system in an unstable state.
The employee complained that her *mother* was upset that night because the machine was running so slow after *we* worked on it. What IT department wants to field complaints that an employee's *mother* couldn't play online Sudoku because a video driver installation failed? In going above-and-beyond to try and empower an employee to work from home, IT became the villain that disrupted a family's ability to use their personal machine for recreational purposes. The answer is clear to me, Corporate IT should not support or work on personal electronics - ever, and they therefore should not be allowed to handle, transmit, or connect to any company data or systems. There is no place for the privately owned equipment of end-users on a corporate network. Corporate equipment should never be used for non-company oriented purposes. It just opens up a can of worms that results in unhappiness and dissatisfaction throughout the organization. The end-users are inevitably unhappy, and so are the IT staff. It is a mistake and should never be acceptable. Even a disclaimer that absolves corporate IT of all responsibility, obligation, and prohibits the support of personally owned electronic devices does little to avoid the kind of frustrations and liabilities I discuss above. It is short sighted cost-cutting by executive management that doesn't understand the real world implications of allowing non-company equipment onto corporate networks. I understand that many technically adept workers who feel they are more qualified to support their systems, both personally and professionally, would object to these claims - but the fact is that there are many people who *think* this is the case but are mistaken. They do not have the specialized skills and training to actually support business use electronics as well as their IT staff. Even those who really do have those skills, present special risks and challenges when allowed to do so.
Just because you grew up supporting your own personal electronics and setting up home LANs for LAN parties does not mean that you are better able to support business machines on your corporate network than your corporate IT staff. If you want to do this for a living, become a part of a corporate IT staff. Shortly after you do, I bet you'll find that your opinion then matches mine on this subject.

jasonhiner

that most of you who are responding to this thread didn't even listen to the program. This is an important and complicated issue and we discussed multiple scenarios, implications, and possibilities. How can we expect to have an intelligent discussion about this topic if you haven't even listened to the program?

Sensor Guy

This idea, although it's a great and valid generalized IT operational concept, is highly dependent on situational realities to be even implemented and accepted. This goes along hand in hand with the "Run IT as a Business" and "Everyone is a Customer" concepts. Great press, good generator of web site discussion blog traffic, but essentially BS from pundits who drop these intellectual turds on the heads of already overworked IT staff. Very similar to vendors like IBM selling management on the cloud concept but "forgetting or overlooking the details and headaches of making it happen". Like American cars, final assembly is left to the sucker at the bottom of the hill where the s__t rolls down. The concept is feasible and has been done, but it requires all of the following, and this is not the full all inclusive list:
1. Complete awareness and unlimited, unfettered support of the CEO and all other top executives of the business, as well as key customers.
2. A complete set of goals and objectives that is shared to all.
3. Boundaries and trade-offs, including "lower" and "preferred" classes of end users.
4. A tacit understanding in writing from the top management that there will be political and technological nightmares during the implementation.
5. A complete psychological understanding of all humans who use the IT systems in question.
This is where ITIL and many "best practices" often fall apart in practice. They say they are "best" but one never can prove or quantify the details of what's "best" about them, except that some poor slob in support gets to pay the price of glory for some vendor, consultant or press executive. Business is about people, and if you don't understand the nuances about the people, no process improvement or technological "insight" will ever be successful.
The majority, if not all of the above posts are examples of where very experienced people are accurately telling us in this forum that standards and innovation as well as process failed because we never appreciated the people aspect and individuality of the business. Having said that, the best IT model for implementing this concept is called "the benevolent despot". This means a CIO dictates the standard, yet is benevolent enough to consider additions, changes and bypass, provided they make business sense, are supported by the top of the business and are funded/staffed in advance. The money and support part is key or it'll all come crashing down. It is possible. In the military, it's been done. That's because the IT dictatorship model really works there and you can really punish users that abuse the standard. In retail, it's commonly done with Point-Of-Sale systems. In manufacturing, you see it sometimes down on the manufacturing floor as well. On the other hand, in the case of a sales force, it's rare. The more data is located in the end device, the less chance it'll work. The user must also legally relinquish all their legal ownership of the box they brought to the firm if this is to succeed. They also have to accept, in writing all liability for any damage to the box they own as well. You want support? You have no ownership rights. You accept that fixing your problem may prove fatal to your data and device! Oh, and BTW, the CIO and the rest of the IT staff washes his or her hands from any legal liabilities like license exposures, FERPA, HIPAA, HR, fraud, and intellectual property law violations on the end user devices. From a support point of view, you have to have an end user class society, even implementing "preferred" and "independent" (i.e. not preferred) classes of users. 
It has to be culturally accepted that if a user monkeys around with their box, and they need help from IT, that's a case of charity and that the user has lost their right to demand support like those who haven't made changes. They also must go to the back of the line or go through another funding support mechanism. Technologically platform speaking, the chances are better with "culturally accepted closed platforms" like the iPhone and not in open source smart phones and laptops. The more the end users have accepted the "closed" box concept, the better the chances of success.

bblackmoor

I have been saying for years that skilled experts should be responsible for their own tools. You don't hire an electrician and then dictate to her which voltmeter she may use. You don't hire a plumber and then restrict her choice of wrenches. You don't hire an architect and tell them they may only use a certain brand of pencil. You expect them to own -- and care for -- their own tools. Computers are no different. The attempt to micromanage every piece of hardware and every piece of software (not to mention every web site) that every employee uses to do her job is a huge waste of time and money. Today as never before, we simply can't afford this level of ridiculous micromanagement. Computers are tools. By all means, set requirements for what tools the employee needs -- preferably by mandating standards, such as "Must be able to read and write the following file formats: OpenDocument, etc.". And if the employee does not provide her own tools, treat it as you would any other skilled worker who showed up to work without the tools necessary to do her job.

dpajalic

1. There shall be a written agreement between employee and employer about use of privately owned equipment at work. Areas to regulate:
- insurance
- compensation for use of tool
- administrative rights
- application of company policy on computer etc.
However, it will be better to enable secure remote access to internal network and consolidate all private computers and other gadgets in DMZ. That way you are creating clear boundaries of company's assets and "guests".

NickNielsen

This is being done so as to reduce billable hours from internal IT. After all, if you don't have all the equipment to maintain, we won't need as many of you... Bring on the OT. I don't need a life!

dcolbert

Now this isn't something I had considered - and having some experience with the stand-alone Thumb-drive Ubuntu that runs as an app under Windows - I can see how this is potentially feasible. I still see a lot of concerns. You're running the "pristine" host, almost as a VM, under a non-managed, non-pristine host OS. It is still a potential vector of infection or bridge for attack, in particular if the host OS is compromised. Support seems steep, too. You've got to have the expertise to configure and secure the pristine OS, and to support it, and because the host OS is still the bridge, you may end up having to extend support beyond the pristine, secure OS or risk having disgruntled end-users who feel that you've provided insufficient support. "You should support my device so that it is able to connect with your pristine OS - it shouldn't matter if the problem lies within your pristine OS or my host OS, I need to rely on you to make it work so that I can be productive", so to speak. Not to mention, it isn't going to be a universal thing, you're going to have a very narrow range of user owned consumer devices that can leverage it. It is *better* though, than direct native connections by non-managed, user-owned, consumer grade equipment. I still wonder if it isn't just better for the company to buy the employee a notebook and/or a cellular phone if they need it to get work done.

dcolbert

We know that footprint already has a tremendous impact on network systems vulnerability on carefully managed and administered, secure networks. Corporate 500 and 100 companies with inexhaustible IT budgets and resources are still routinely compromised despite having staffs dedicated to responding to and avoiding these situations. Allowing countless, unmanaged, personal devices increases the vectors for attack exponentially. The Android/Droid issues with the pattern unlock vulnerabilities are two recent, vivid examples that illustrate that consumer electronics devices are likely to be far less secure than well-thought-out enterprise ready and managed devices. I can think of pages and pages of immediate, medium and long term concerns and objections to letting personal electronic devices onto company networks. I can only think of one, single advantage, short-term cost savings to the company in purchasing equipment. Are there any advantages I am missing? I forgot to listen to the darned podcast last night, again.

carlsf

The Worker/User purchases (with help, repaid to the company) for his/her job. As she/he had input (certain guidelines/specifications) they are also responsible for its upkeep/maintenance. IT/Admin are there to upkeep the cloud/server companies centre intact and operational. It is NOT hard to ensure security of this equipment, on logging in a check is done by the server/portal back to the workers/users system before allowing connection (AV/Spyware/status of updates).

handyman1972

You have addressed this issue brilliantly, and your post alone stands well by itself to argue against such practices. With the costs of everything from office space to electricity to employee insurance going up, many companies are looking for ways to cut costs and some see the use of personal devices as a way to do so. This is short-sighted at best, and illustrates what I often run across and refer to as the "Cost vs. Value" argument. I often find that many of the managers I work with are only capable of seeing the surface issues of a subject, and either lack the ability or have not taken the time to mentally analyze their proposed scenarios out to the extent needed. This issue is purely driven by the attempt to save money, but most often an open policy would prove to be a mirage in that regard. After constantly being told that there was no more budget for new equipment, I recently asked other managers in my company to literally stand and watch a couple of people in our AR department work on their computers. I asked them to notice how much time they spent waiting for their 6 year old PCs to perform tasks and the effect it had on their productivity. It was the first time they viewed the computer/user issue from a productivity/cost standpoint. Long story short, I finally got approval to spend $2200 on new PCs for that department. The end result was that productivity improved so much that we were able to reduce staff by one, thus "paying" for the computers in less than a month and saving that much more money each month indefinitely, and our customer billing processes dropped from a 5 day backlog to 3 days, which helps improve cashflow. Perhaps it is in the nature of we "techies" to be more "system" minded and be more aware and better able to see the connections and interrelations between things, and the benefits, detriments, and costs to possible scenarios. Management supporting an open policy on this issue are setting themselves up for disaster.

CharlieSpencer
CharlieSpencer

I confess to the crime of not listening to the content, for the same reason I don't look at any of the videos. The format doesn't fit the way I assimilate information. I don't have an uninterrupted half-hour. If I pause due to an interruption, it's more cumbersome to remember the last points made than it is with easily-scanned text. It's also more difficult to locate an exact point, position, or statement. It's impossible to copy and paste a quotation to reference and address an individual point. Finally, I just have a harder time following serious discussions and retaining the content in an audio-only format. It's fine for 'Car Talk' or other entertainment, but it doesn't work for me for hard information. Comments here and over on the TROLOV discussion indicate I'm not the only one, although we may be in the minority. Yes, this is a complicated subject and I'm shooting my mouth off without hearing all the nuances. I refrained from replying the first day the podcast was up, since I had no intention of listening to it. This is also why I've limited my posts to replies to others and not direct responses to the original article itself. However, some have posted comments I feel compelled to respond to. Besides, since when has being informed ever been a requirement for expressing an opinion here?

dcolbert
dcolbert

A lot of us browse TechNet during breaks during the day, Jason - and TR is a valuable professional asset when seeking information, feedback and discussion on IT issues - so visiting here during the work day makes sense for IT professionals. On the other hand, streaming large media files from a workplace, for most IT professionals, is unacceptable. If there were a transcript, I bet there would be more discussion relevant to the original post, as opposed to wildly speculative responses based solely on the title of the podcast. Not that this is what *I* did... I'm just sayin'... :) If I recall, when I considered listening to the podcast, it was 10 minutes or more long, which ruled out downloading the file, but also probably makes a full transcript unreasonable, too. Kind of a catch-22 for a tech oriented site that appeals to tech professionals when using content rich media formats. I saw this on ZDNet, too. Now that I see it is published here, I'll follow up tonight and listen to the podcast when I get home.

darpoke
darpoke

this analogy fails because the computer is not treated as a tool in most hiring policies. A secretary or researcher or marketer is not hired contingent upon their ability to use this 'tool' as you call it. If computer or IT skills are referred to at all in the requirements for applicants to a vacancy, this is generally limited to the ability to use Office or the relevant software needed to perform the role. That is it. They don't need to know how to troubleshoot what happens if their machine fails to boot, or to attain network access. They don't need to know how to install, upgrade or patch their software. The care of the machine is farmed out to a central department paid to specialise in just that. And this is just how it ought to be. The alternative is that each new vacancy advertised would require individuals qualified in network security, hardware and software maintenance and all the other myriad IT skills *in addition* to the skills required by a PA or any other post. This would (a) render IT staff redundant and add them to the pool of unemployed, and (b) make a great swathe of currently working people unemployable, as these skills escape their ability or interest. Like many IT workers, I will occasionally bemoan the general ignorance of computing displayed by my colleagues. However I would never consider the solution to be to make these people responsible for their machines, any more than I would charge them with their own healthcare or vehicle maintenance. This approach ignores the very precepts of a 'society' and dooms us all to lonely islands of failure.

CharlieSpencer
CharlieSpencer

don't have to interact with other electricians' voltmeters and other plumbers' wrenches. Voltmeters and wrenches aren't capable of infecting my wiring and pipes. Voltmeters and wrenches can be quickly replaced from the local hardware store. Voltmeters and wrenches don't go obsolete in five or six years. Voltmeters and wrenches are relatively inexpensive. When the voltmeter breaks, the plumber isn't going to finish the job or get paid. His boss isn't going to call me and expect me to repair his meter or provide him a replacement. In the meantime, my shower still isn't working. When an employee's privately owned system stops working, what do I tell his boss about a replacement system? What do we do about the income lost while he couldn't do his job?

jkit001
jkit001

When was the last time that someone had to patch or update their voltmeter?

blarman
blarman

You can't change the way a voltmeter, screwdriver, hacksaw, wrench, or power tool works, however. That's a huge difference. A computer is a _programmable_ tool, meaning that by installing a new program, the tool MORPHS into something else. The computer isn't a SINGLE tool, it's a toolbox in and of itself. And even the very elite specialize in using one section of the many sets of tools in the toolbox. This is an area where the common user is woefully inadequate. If you have a company of computer programmers and admins, you MIGHT be able to get away with this. I haven't seen too many corporations that hire software programmers as marketing analysts, HR specialists, executives, or line operators, however.

george.flecknell
george.flecknell

this is absolute rubbish. What about employing a forklift truck driver? Should he have his own forklift truck? No - there will be a safety and security checked one available at the company. Additionally, if there is a problem with it, the forklift driver should never touch it because lo and behold, there is a department at the company looking out for precisely these problems.

mbuford
mbuford

It's the "skilled experts" that are the concern. As it is, gone are the days of having to pass tests to prove qualification to use the corporate computer in the first place (a can of worms for another discussion). Computers, devices which can be controlled remotely without the user's knowledge and capable of shutting down networks of systems or exposing corporate assets, are a bit different than a voltmeter, or pencil.

dcolbert
dcolbert

It increases them. You're constantly relearning the wheel on multiple, non-standard, consumer devices you've never encountered - but you'll be expected to provide expert level support for those machines. It reduces equipment costs, immediately. It is the "a mechanic should have his own tools, not expect them to be provided by the shop he works at" mentality. Wow, as usual - the automotive industry gives the closest analogy I've managed to hit on yet. Not an art, a science, and this *is* a popular approach to automotive workers. But as a company, if your mechanic doesn't have the part he needs to work on a customer's car, what are the options? You require the mechanic to go out and purchase the expensive part for a rare occurrence? That isn't going to sit well with the mechanic. You turn the customer away, "we can't work on that car, we don't have the part". I'm also uncomfortable with the industry starting to regard us like mechanics and craftsmen - that we need to bring our own tools to be able to perform jobs for them. That brings to mind an experience. I transferred groups once, and the old group was well equipped, but the new group wasn't. I was supposed to rack some servers, and didn't have the right screwdriver. I told my boss, and he said, "Go buy one, expense it, and I'll reimburse you". Really? A multi-BILLION dollar company can't get me a tool, it needs me to run down to Wally World and put it on my credit card (I'm living in California and I'm a wage slave, I don't have any cash in the bank)? There isn't something fundamentally *wrong* with this request? I borrowed the tools from my old group. When my manager found out, he prohibited me from doing so. "You're not in that group anymore, you can't use their tools". Maybe he was right - but I wasn't going to buy this company tools and pay the interest and give up my personal time to do so and have them reimburse me for only the cost. I didn't last much longer there.
They kept a young, eager, green, and compliant IT engineer who was smart, but didn't know a lot of things, and lost an older, wiser, but less compliant engineer who took a tremendous amount of "tribal knowledge" with him when he left. I don't know if it was a win for them, or a loss. Guess it depends on your perspective.

dcolbert
dcolbert

He is clearly talking about some sort of issue with Apple's Firewire connecting to some sort of music oriented gear. I don't see how that could relate to this thread at all.

NickNielsen
NickNielsen

"You're running the "pristine" host, almost as a VM, under a non-managed, non-pristine host OS. It is still a potential vector of infection or bridge for attack, in particular if the host OS is compromised." As I understand the documentation, the LPS is not a VM. It is designed to boot a cold system from a CD-ROM or thumbdrive and use a controlled-access card with PIN to verify log-in credentials. It is specifically configured to not allow local saves and does not mount any local devices beyond those necessary to connect to the network. I don't know if it will run in a VM, but strongly suspect that, if at all possible, it is specifically configured to prevent such. Keep in mind, as well, that each unit ("company") using this software has a custom version specifically configured to the unit and its server, and, if I'm reading right, in some cases to the specific individual. From the outside looking in, it appears to be very IT-intensive to set up, but then requires minimal IT involvement after that except to perhaps replace a lost CD, CAC reader or CAC.

dcolbert
dcolbert

At a former employer, I saw managers aggressively outsourcing, offshoring, and right-sizing their domestic IT force across the United States. I made a few predictions during this time. 1: They would cut too deep with the increasing focus on security and attack and intrusion response, patch and update management, and other security issues that had grown from being a secondary role of IT organizations to a primary focus. I claimed that in 2 to 5 years, they would be swamped, behind, and suffering so many intrusions and compromises they would be scrambling to back-fill the "right-sized" positions that it would be a mad-house, and that employees who stayed on would be burning out and leaving in record numbers. 2: That IT workers were a core market for the products that this manufacturer made, and that domestic IT workers represented their most lucrative core markets, early adopters willing to purchase the most expensive, highest margin products produced by this company. Additionally, that this reduction was not just limited to this one particular company, but to countless similar companies employing domestic IT workers. I predicted that the short term gains in profit would lead to a crash in sales of their most lucrative technology products - because they were putting their most high profit target demographic out of work. Their argument in turn was that their domestic market was saturated, and that their biggest growth markets were overseas. Even at that time, before the arrival of the Netbook, I could see that the Asian markets were interested in low-end, low-margin devices like Cell Phones, not high end gaming PCs and other expensive, high-margin electronics.
Now despite a rather dubious, record profit-margin call rather recently (which I fully expect will eventually be followed up by some kind of SEC investigation, unless it was due to a one time event that I am unaware of,) almost all of my predictions took place, and this company suffered tremendous pain and suffering over the last several years. They scrambled to back-fill positions to respond to increasing security compromises and an inability to keep basic system maintenance met, and their sales plummeted at the same time. Most of their re-hires were temporary, more expensive positions, and employee morale plummeted. The thing is that at the highest levels, the decision making levels, no one was really held accountable for these horribly short-sighted decisions (and this is not all-inclusive of the bad choices this company made through a period of time). In fact, there is an incentive at certain department level and above management to make short-sighted decisions that have an immediate perceivable benefit. By the time the negative consequences happen, the person who made these poor decisions has often been promoted, and someone else is in his position trying to clean up the mess he (or she) left behind. Corporate memory is very short term on holding people accountable for long term outcome, but quick to reward for short term achievements. It could be argued that the key decision makers who make these decisions see the long term outcome very well, but they understand that from a personal gain perspective, these choices are the wisest choices for their own career paths. For me, it is like playing chess, and how many people are any good at that game? Thinking that far ahead and considering multiple possible outcomes overwhelms most people. As frustrating as that is, I think this is another example of this in action. People see the immediate benefits without considering, or while actively ignoring, the long term consequences.

Sensor Guy
Sensor Guy

Audio and video are such inefficient mediums to send a message for most working IT folks.... Maybe as a follow-up and for education they are good, but the printed word and drawings are what make the quickest and most effective impact.

NickNielsen
NickNielsen

I'd rather read for assimilation than use any other method.

jasonhiner
jasonhiner

Thanks for bringing this up. Wanted to let everyone know that I'm working on integrating transcripts for The Big Question podcast that will publish when we post the audio file.

mbuford
mbuford

But, I did listen, and, after listening, and re-reading the responses, I have a feeling that, like me, whether the other respondents listen to it ten times or not, the responses will remain largely unchanged. We *will* go there, we always do, in the end, have to do what the users bid. But it will be kicking and screaming, and with many server-room whispers of "I told them so . . . ". But . . . would we have it any other way? Is this not part of the IT charm? Always, we are the stalwart knights defending the castle against the onslaught of ogres? Or the crew protecting the grain stores from tribbles, if you prefer ;)

NickNielsen
NickNielsen

In the case of the SPI, it appears the USAF is willing to accept the limitations, primarily because it's intended as a stopgap measure until personnel can report to their unit and go hands-on. You are correct about tethering, but the cell providers kind of have us over a barrel as far as data plans are concerned. (I seem to remember a hotly-discussed thread about this very subject. ;) )

dcolbert
dcolbert

Well... it depends on how specialized your environment is, and what you're trying to get done. A solution like this is great for *simple* connectivity - especially to cloud based solutions. Jason's podcast doesn't ever really say it outright, but the thesis of his article really relies on a widespread adoption of hosted and SaaS cloud based solutions in order to be broadly feasible. The podcast also discusses that very specific industries will always be limited in applying these technologies - and I may be biased because I work in one of those industries. If you're trying to access a web-based solution - then you can count on a few things. The minimum resolution that the app supports is likely to be 1024x768 (and most machines will be able to find and support this minimum resolution on a GPU and display). Fancy features like dual screen monitors probably aren't going to be necessary. But I can already see challenges, even with this solution. Web plugins (like the Citrix ICA connector) or other plugins that add enhanced web connectivity (eBridge scanning is a great example) - introduce the probability of a couple of things: 1 - These disks are static. If you're using plug-ins, when a new plug-in for your web app is released, you're not going to be able to "install" it on a boot-disk system. At the most if it runs in volatile memory - you may be able to download the update every time you boot the system. That is a less than ideal solution. 2 - When updates are released, you may be forced to rewrite and redistribute all of your bootable system disks with the new module already installed. Again, for static cloud-based apps that don't change a lot - it makes a lot of sense, especially for extraordinary circumstances. But for day-to-day use by a remote workforce, it sounds like a limited and potentially labor and resources intensive method of providing remote access on any machine. Broadband access in a situation like you mention isn't such a challenge.
Jason, after all, is talking about a world where an increasing number of employees carry smart-phones with data connectivity. In some examples, if an employer is small and has a business DSL or Cable, or even a single T1 shared, then many employees may carry a device on their hips that gives them more dedicated bandwidth than they can get at their actual office on their shared internet connection. While we have a 10mb fiber connection to our office, it is shared between 140 internal employees and is the incoming pipe for 400+ external customers. We have strict policies about streaming media, because of the impact that even a few streams can have on performance. In a case where I need to download a large patch during the business day, or would like to listen to a TR podcast during a break, I've got two options. I can connect to our very basic, public, DSL connection, or I can use my phone, which is capable of speeds exceeding 1.5mb/sec (that is a T1, or a basic cable connection - but it goes everywhere with me). I think that is the argument where Jason would launch off on saying, "*exactly*! This is *why* consumers want to be able to use their personal electronics in the corporate environment." That is one of the drivers here. Remote users may have limited access to broadband, but at the same time, may carry a device that can tether and provide broadband nearly anywhere - and IT is seen as an artificial boundary to using that equipment to connect to corporate networks. I think if employees truly need this, then companies should provide the equipment, pay for the service, and it should only be available for work related purposes. Otherwise, the logistics of working out the costs are muddy. People are using their personal device to surf facebook while they're at camp, but they're also using their personal device to access the corporate network. 
I know that employees will make limited use of these kind of work resources for personal purposes - it is often seen as a "perk" of the position to have a company cell-phone that is occasionally used for personal calls. I'm OK with that and think that if there is a pattern of abuse, they'll get caught. If someone is using their mobile broadband to constantly stream Pandora on their smart phone, it'll show up eventually. If they occasionally send a personal SMS, there is no real harm done. But if the employee truly needs this kind of feature, these tools, then the company needs to supply them, manage them, and own them. I've talked about smart-phones becoming modular, component devices more like a traditional PC tower, must micro-sized. In these descriptions, I talk about the PC core interfacing with various devices in a home (TV, fridge, news service, car, keyboard, mouse and display) - leveraging the cloud - giving access to data while mobile, say commuting on a train while wearing a pair of HUD glasses, then interfacing with a workstation area once the employee arrives in the office. That is the utopian ideal of what Jason is talking about. A single device, instead of a bat-man geek utility belt of devices - that melds to the situation, personal or professional. But not just with the technology, there are all kinds of logistical hurdles to achieving that dream. There is security and personal privacy, there is access to data, there is the muddying of personal and private. I suppose applying my argument we could suggest that most modern workers need an automobile to get to work - it is a "necessary tool" to get your job done. But we don't expect employers to provide us automobiles from a determined and limited scope of "approved automobiles". 
And while automobiles are primarily used for personal use, they're also used professionally, informally (getting your butt to and from work) and formally - often with some sort of reimbursement from the company for doing so, in the latter case. I don't know. I could talk myself out of my position, given enough time. I think it is a tough question. I think Jason and Bill may be right - there may be some hybrid model that becomes prevalent. I think in that regard, it is already there. But I'm not sure that I agree that it will have such a tremendous impact on how IT operates in a business. I think there will still be company managed desktops, laptops, and cellular devices for the foreseeable future. I think there will still be traditional IT teams supporting most medium and larger businesses. Smaller businesses may find it more economical to move most of their IT outsourced, and not necessarily outsourced OFFshore, but to IT clearinghouses like the GE Data center, the Microsoft data center, the Apple Data Center. If you let your mind run with this, you can see a future where a lot of small businesses don't have offices, and ads say, "Work from home opportunity, must have own PC" and they're *legitimate*. But I don't know. A big part of the inertia here is that people do not like significant change. We still do things ineffectively, the way they've been done for DECADES, broadly speaking. This is talking about a fundamental, revolutionary shift in business practice. I don't think it will happen quickly.

NickNielsen
NickNielsen

From the Introduction: "Lightweight Portable Security (LPS), Public Edition (LPS-Public) is a hardened Linux client with a small memory footprint. It creates a pristine, trusted end-node within the volatile memory of an unmanaged computer system. LPS boots a small operating system from a CD-ROM without mounting the internal hard drive, thus bypassing any resident malware. Since a local hard drive isn't mounted, no persistent user session data is saved. Each time LPS boots, a trusted, known, read-only configuration is loaded."

System Requirements:

* A computer system with an x86 processor and a minimum of 256 MB of RAM. LPS supported on standard Wintel-type PCs and Intel-based Macs.
* Ability to boot from CD-ROM (USB booting is also supported).
* Wired Ethernet connection (DHCP highly recommended).
* CCID-compliant USB SmartCard reader (if accessing CAC-enabled websites).

Looking at the screen shots, I suspect it runs at a screen resolution of either 800x600 or 1024x768. Most modern graphics adapters will handle either of these with no problems. It doesn't load sound drivers. From what I read on the website, it's primarily intended to provide Continuity of Operations in a contingency. For example, if a major H1N1 outbreak requires a base be quarantined, those personnel locked off-base could access their email and files on the unit server. The major drawback I see is that broadband connectivity is far from universal outside cities and large towns.

dcolbert
dcolbert

A thumbdrive or a bootable CD like "Winternals" that is configured just to allow connectivity and actually disables access to local disks - that would work. And, theoretically, something like this would work on PCs and Macs, any Intel or AMD chipset home PC (which is most of them). I could get behind *this*. I can imagine problems though. It really becomes a "This works on your machine or it doesn't" proposition. Screen resolution, WiFi configuration, all of those "driver" issues that plague Ubuntu and other bootable disk solutions... are going to exist here. It also isn't persistent, it is session based, basically turns your home machine into a thin-client. So, there are some severe limitations on what can be achieved through this method. But, with that said, within those well defined parameters, I can see this as one of the few workable solutions to allowing employees to use their own equipment.

dcolbert
dcolbert

And, the responses I've seen over there are similar to the ones over here, with a lot of people agreeing with me, and one guy saying I'm just lazy. :)

dcolbert
dcolbert

That is the thing about ZDNet, it is so much more difficult to find, or to track back to follow up, on posts to the forums. That is why as soon as I found that this was over here, I moved my response to TR. I prefer the format, layout, and ability to track conversations in this forum to ZDNet's forums. ZDNet is a more glossy, slick layout than TR - good for drive-by commenting, but not for in-depth conversation like develops here. I am certain that there are benefits and disadvantages to both approaches. :)

CharlieSpencer
CharlieSpencer

I'm over there occasionally in response to the Newsletter e-mail, but not as familiar with navigating it as I am this ... place. Thanks.

jasonhiner
jasonhiner

If you ever want to post on ZDNet, your TR login works. You don't have to create a separate account. Just FYI.

NickNielsen
NickNielsen

Usually grab the transcript for most anything else.

santeewelding
santeewelding

Although at least in a podcast there are no hands to watch. Audio or video, the only time you catch me is when it's about me. Well, and one or two others. Toni comes on like the voice and visage of God. And Sonja is pure delight.

dcolbert
dcolbert

There have been a few audio or video podcasts you have done that I've been interested in, but just never remembered to follow up on when I got home. I'm sure that a transcript isn't as satisfying as watching or listening to the rich-content version, but where a transcript is feasible, it beats nothing at all.

CharlieSpencer
CharlieSpencer

In addition to using the town crier, His Lordship has agreed to post his decrees in the Town Square :D
