...that I wouldn't lose sleep over what my neighbors did.
Businesses paying for your services think if they hire you to set up any system, your system should "protect" them to perpetuity. The overall misunderstanding I found on these matters was mind boggling.
I want the best system.....but I don't want to pay for it.
I want everything safe and secure.....but I don't want to change any of my habits.
Most of the time they wanted either magic, or just someone to blame.
The customer I discussed had a guy who fancied himself an IT Tech, but it wasn't his primary role. The other employees, and the boss, did too. He really thought he was doing big things by sharing a folder on a workstation. And plugging that WAP into the network was awesome. Now they could be anywhere on the premises and get to their files. Law enforcement officers told me they would occasionally pull into that parking lot to use the web, so I'd say the "chance" somebody up to no good would do this were pretty high.
I won't even get into the many instances in other businesses of passwords taped to monitors in high traffic areas. Malware laden machines...etc...etc. All businesses, sometimes the boss himself or herself being the biggest perpetrator. They all told me they wanted me to make them secure. They all protested when I told them until some habits changed, I couldn't. They wanted magic.
I say all that to say I know the personalities of people who are beating the BYOD drums. Management can do what they want. But if management gets into some trendy notion of BYOD because it's the cool thing....they're demonstrating they aren't too serious about security.
I think we need to recognise that there is a ridiculous edge to BYOD that needs to be eliminated. I find it hard to believe that unsecured wifi is a common occurrence. I've never found one in domestic areas for the last 5 years and only heard of one 7 years ago from a colleague. Wifi is secured by WPA auto set up out of the box these days.
Even if I'm wrong about this it's obvious that these sort of ridiculous edge case scenarios need to be eliminated. BYOD does NOT mean any employee can start sharing commercial information on unsecured networks that they provide for themselves.
Every BYOD location is going to have a policy whitelisting allowed parameters for hardware, firmware, software and connections.
More are secured than not in 2012.
But that's not the point.
The point is the public is absolutely apathetic about security....believing data leakage is something that only happens to other people. They believe they are obscure enough they don't have to worry about it.
For many employers, that attitude with their data is not acceptable.
I am willing to bet that the President has security on it - security at the level that most users would refuse to allow on their devices.
When security bumps up with convenience, convenience almost always wins.
I don't deny there are many reasons for refusing to permit BYOD, but your argument assumes it's a device that will travel back and forth. What if that user wishes to use a different computer at his desk simply because they don't like the hardware or wants additional capability? True, a receptionist might not need the latest-and-greatest, but the ability to use a touch screen rather than having to mouse through pages worth of documents or touch a spreadsheet cell rather than wiggling her mouse to find the pointer then clicking that cell might realize better efficiency simply through speed.
There are many meanings of BYOD and you're apparently restricting yourself to a single one.
Do you think if the personal device is portable, it will stay at work?
When referring to a personal device I do assume that "Bring" means bring it back and forth.
Even if they kept it at work, do you think they will leave it when they get another job?
Do you think they will allow me to wipe it clean before they go?
BYOD can also mean "Buy Your Own Device". By this I mean that some corporations are allowing their employees to 'bring in' their own desktop computer, as evidenced by the fact that Macs themselves are tying into the corporate network--not as quickly as mobile devices, but they're still there.
but if you google "BYOD", you will see that the most common definition is Bring Your Own Device.
Bring? Buy? It doesn't matter. I would only allow a personal device on the network if I could partition their hard drive and control the partition. The owner would not have administrative level rights to the partition and I would block all other partitions from connecting to the corporate network.
I would provide no hardware support.
... and skew my workload in such a manner. Sure, I'd let you put anything you want into the Bootcamp partition, but there are far better ways to monitor UNIX than by breaking up its boot drive. If I'm using my Mac as an enterprise desktop device, such invasive measures are exactly that, invasive overkill.
I feel the same way you do. You don't want me to affect your device and I don't want users to affect my network.
Users want the IT Department to support and accept the risk of allowing unsecured devices running on various OS'es access to corporate data.
I am not sure of their reasoning. Either they don't understand the risk or they don't understand the cost of supporting multiple OS'es or they have been fed bologna about how secure their OS is or they just don't care. The majority probably fall in the latter category.
Don't get me wrong. I'm not unreasonable about the corporate network that has been entrusted to me. I am cautious.
Users can access certain data from outside of the corporate network on their own device provided their computer meets certain criteria required by the VPN application. They must be running a Windows OS of a certain service pack level and they must have one of over 70 supported Anti-Virus applications running with an up to date anti-virus library file.
"...they just don't care. The majority probably fall in the latter category."
The reality is employees, on the whole, don't care about the confidentiality of their employer's data.
I will say I wouldn't sweat the malware risks of non-windows devices. They really are a rare thing.
But I most definitely would sweat confidential data leaking out into the world.
Heck, some employers will fire you for bringing a smart-phone that isn't connected to their network for fear of your using the camera. I don't have any opinion on whether or not that's overkill, other than to say a business has a right to protect its data. What they do over their 3g connection, as long as it doesn't involve confidential employer data, is no business of the IT Department.
There are benefits to BYOD. And as everything becomes more and more browser based, they become more pronounced. Even with that though, the concerns regarding web cache and such are there.
Data leakage is the big concern here. If management decides they don't care about that, then they are the ones responsible when it happens.
Think they'll accept that?
If you've paid attention to the last couple of years specifically, OS X at least is extremely easy to support on a corporate network with the same kind of group control software you've used for Windows all these years. In fact, based on many reports and reviews I've read over the years, OS X has fewer problems in an enterprise network than Windows. In other words, BYOD should not be an issue any more as long as IT has the right software available.
Yes, I will grant that certain devices are weak in this area, but Apple at least has made monitoring and even wiping easy through multiple methods including a complete system wipe if unauthorized personnel attempt to access data--for instance on a stolen laptop.
My point is that you don't need to partition a drive if it's a device purchased specifically for the work environment--simply image it and run just as you do Windows. I've had people attempt to partition a Mac before for their 'security'--an ISP I worked at, in fact, and they so screwed the job because they didn't know what they were doing that the machine, though brand new, was nearly unusable. They so tried to do it the Windows way that they totally overlooked that easier, even more effective means were available. I, as the only Mac user in the office (though we had hundreds of Mac clients) had to fix their mistakes to restore functionality and point out what they should have done. Interestingly, I had the full support of the Systems Administrator who realized I knew a lot more about Macs than she or her staff did. In one case, she flat crashed the Mac (damaged the boot sector) to the point it couldn't boot. When I came in to discover the problem, merely holding a single key during bootup let me access an emergency boot sector which repaired the damage and got me right back to functionality in less than 30 minutes. This was almost 15 years ago even before OS X.
IT needs to not only be aware of other OSes, but learn how to incorporate them. OS X is nothing more or less than UNIX with a GUI; Linux is a spin-off from UNIX that has its own advantages. The "higher costs" that have become associated with using them is more due to a lack of education and understanding than through any inherent perceived incompatibilities.
"My point is that you don't need to partition a drive if it's a device purchased specifically for the work environment--simply image it and run just as you do Windows."
I don't know of any employee who would buy a computer specifically for work, let alone allow the IT department to image it.
That would be ideal but I think that's as likely as seeing a real leprechaun on a unicorn flying over my house.
What I see for BYOD are users coming in with Macbooks and Android and iPad tablets expecting me to somehow join it to the corporate domain so they can access network resources and bring the device back and forth from home to work. - as soon as I spot that unicorn...
If I allowed it and the user intentionally or accidentally transported personal or IP data on it and got caught, he would be fired and I would be right behind him.
No thank you.
This discussion has been taken to The Water Cooler / View thread
I think this approach negates most of the value. While corporations will no doubt factor in the savings in hardware costs much of the value of BYOD is that the user brings a device that is integrated operationally with work at home or with other clients. It makes it easier for users to manage time savings while checking work and personal email at home for instance.
I don't think the idea is that the employee / contractor just covers the cost of hardware for the corporation which then just treats it as their own.
I'm picking up that the main resistance to BYOD is that it's "too hard". Some networks are either not capable or just don't want to. Nice for them that they have the choice. Maybe one day they won't.
On the other hand, the support implications need to be considered. Support time is always the biggest drain on time and cost. I think along with BYOD there has to be a greater level of self support implicit in the plan, and I think that is the idea behind it. That's why it's happening now. The new generation of office workers are generally a lot more self supporting, and hopefully less prone to obvious phishing etc, which may be a critical component to making BYOD work.
Given that the traffic from a cell phone browsing a web site looks nearly identical to that of a PC hitting the same site, how can a company determine the amount of Internet bandwidth utilized by the combined smart phone devices? Monitoring BYOD traffic with NetFlow and IPFIX is one of the best ways to find out how much BYOD traffic your infrastructure is currently supporting. Loaded with accurate data, IT members can educate employees and remind them to use appropriate behaviours when using BYOD devices.
Anyone read http://www.networkworld.com/news/2012/060812-california-byod-259984.html? The state of CA is trying to get employees to use their own smartphones to save on the cost of Blackberries.
Most of the clients I've worked with have BYOD as their tablet strategy. People like being able to specify what hardware they use but don't like being told how to lock down and manage the hardware they buy themselves.
You say, "People like being able to specify what hardware they use but don't like being told how to lock down and manage the hardware they buy themselves."
This is the biggest hurdle to BYOD. They don't want to be bothered with requiring a password and let's not even talk about encryption.
Or worse, they drank the Kool-Aid from a certain computer / tablet / smartphone manufacturer believing that their devices are somehow naturally immune to malware therefore they don't need protection.
You totally ignore that the hardware from that specific manufacturer IS immune to Windows-specific malware and quite honestly the mobile devices are effectively immune to drive-by malware as long as they're not jailbroken. You also ignore that specific brand's reliability and efficiency at the desktop (probably because you are unaware/biased against it) even after decades of testing have proven that brand's abilities.
No, the one who has drunk the 'Kool-aid' is the one who has closed his mind to anything but what he is told without bothering to do any research for himself. Maybe you should research that 'Kool-aid' argument back to its source and see who the real victim is here.
That does not mean that foxes are immune to viruses.
"hardware from that specific manufacturer IS immune to Windows-specific malware" is lawyer-speak.
For some reason TechRepublic will not let me link a ZDNet article to this post so you will have to search for it yourself.
Search for ZDnet flashback and gaps in security while you sip on the Kool-Aid.
April 29, 2012
... compared to 'rabbit' viruses. Yes, I am aware of Flashback and the previous trojan, but that is only two very limited malware attacks compared to what Windows suffers and affected a far lower percentage of 'foxes' compared to those 'rabbit' attacks.
I'll grant that we'll see more attacks against OS X in the future, but the simple fact that it took nearly 10 years to have even one marginally effective against OS X means that they have been safer (note I didn't say "safe") for longer than they have been elsewhere. With the simple addition of a router's built-in firewall that data remains safer for even longer as I never even saw any attacks on my own Macs despite them remaining online 24/7. Naturally, I do the same for my clients whether they use Windows or OS X and only the Windows users still have to have spyware and other problem software removed on any kind of a regular basis.
My point remains the same and I have this from first hand experience. There is a common misconception that the Mac is immune to malware. And your kind of Applespeak doesn't help.
I had three very senior staff members at work ask me to allow their Macs on our business network. I said no because they were unprotected. Each one told me that they don't need any protection because they are Macs and Macs don't get malware.
Mind you, all three were Ph.D's or M.D.'s who should have been a little more skeptical.
A month later, two of them asked me if I knew how to get malware off a Mac because their laptops were infected.
Does OS X not have a configurable firewall?
Are there not commercial firewall apps available for OS X?
No, I believe what you are afraid of here is that while the Macs themselves may have been protected (whether or not these headsheds know the truth) they might let some form of Windows malware slip through undetected.
Oh, yes; I saw your denigrating comment about "Applespeak" and I think maybe you should bother to learn exactly what OS X can do for security and how OS X itself can work in your network. You may be Windows-centric yourself, but things really are changing and have been different for a long time. Too small a target? That excuse died 2 years ago.
And exactly what were their laptops infected with? If the network itself they were using had been properly protected, said malware shouldn't even have reached their laptops.
Because the owners told me that they didn't need any protection. Therefore they did not make any attempt to secure them.
The fact that two of the computers subsequently got infected only proved my point.
Oh and the third one?
When he connected to our guest wireless network, we noticed a significant slow down on our switches and were able to determine that it was coming from his laptop. He was running the SETI application (search for extraterrestrial intelligence) in the background. He put it on his laptop and he had no idea how it worked. It's a huge bandwidth hog.
Imagine if that got on our corporate network. Then imagine something worse originating from his laptop.
Malware isn't the only thing that can cause you problems.
This amuses me a bit because I used to work with some Mac enthusiasts who would consistently tell me how unreasonable the Tech Dept was for not supporting their personal Macs. Two of us supported roughly 2000 machines at one time. This is not do-able without standardization.
Windows has so dominated business for so long that support staff are often "educated" in a purely windows environment. Some support professionals are so ignorant of other platforms that they have really skewed ideas about basic (otherwise well-known) principles such as open standards and erroneous opinions on cross-platform issues.
I think this needs to be recognised because the environment is moving. Recognition of this situation does put the onus on "windows supporters" to open their minds to what benefits are driving business users to request support for other platforms. It's the business requirements at the end of the day that need to be the drivers.
The cloud movement also suggests that an emphasis on the browser as thin client will eventuate and loosen requirements on corporate networks. BYOD may provide more and more value and enable cost savings for in house support. Windows guys may be forced to move on from their (in) glorious communist past and move into a new republic.
I'm working with Windows engineers that have recently been required to support a large scale move to Mac platform and when interoperation problems are experienced the perception is usually that Mac is failing. This is hardly justified as a first reaction to any inter-operability problem, especially given Windows' sterling track record at actively blocking inter-operation, which it seems they are ignorant of. I guess that's not included in the Windows manual. Windows "documentation" is never delivered without additional embedded "sales" information.
I use a Mac at home and at work, but I'm not familiar with any Mac malware, since I've never had any. Can you please tell me what kind of exploit you encountered with your Mac users? I'd like to know what kind of impact and what kind of entry point to be aware of.
I'd appreciate it. Thanks.
I'm not a MS shill. In fact my actual job title is Linux Engineer. I'm not anti-MS either though.
I am on board with JJFitz's concerns though because I have experienced users in organizational settings who simply were not satisfied using what was provided them. My only point is businesses have good reasons not to dive into a BYOD policy.
Whether you want to acknowledge it or not, Windows users are just as likely to not know what they are doing as OS X users--they're no more tech oriented and far more likely to infect their own machines simply because there are so many exploits in use against them. Obviously, it's your job as the IT staff to protect them. The two Docs you mention are simply examples of this on the Mac side. Trojans affect both platforms equally, it's just that some AV apps are better at detecting them than others. All a user has to do is click on a (not so) well-crafted false login page and the machine is infected. But really, that's beside the point. As one person pointed out below, you certainly didn't mention WHAT infection was on those machines; it may not have been an infection at all, but rather some other issue entirely.
As for SETI, it's easy enough to disable or even remove that from any machine, Mac or otherwise. It can even be set up to run only at specific times, like when the machine is at the user's home and not on the corporate network at all. Personally, I used to love SETI when they used their own software, but hate the BOINX (or whatever) distributed computing service they use now. It's far less of a bandwidth hog as it is a resource hog on the host machine, pulling and pushing data only when the machine has completed its packet scans. On the other hand, if your firewall was blocking it, then the software was going nuts trying to access SETI to swap files. In that case, it should have been easy for you to simply uninstall the app (drag and drop to trash works really well, though I admit it leaves files behind unless you use a 'cleaner' app to trash it.)
Doctors, unless their doctorate is in CS, are no more computer literate than the average "Joe Plumber", their profession is whatever they specialized in, not computers. Yes, I do know what Apple claimed and even now Macs are immune to Windows malware which is still the prevalent malware environment on the internet. Apple itself does recommend AV software and has for many years, though they haven't released any 'commercial' scanner of their own--believe it or not for security reasons. Bloggers think they know what Apple is doing, but so far Apple has been far more effective in simply shutting down the malware authors and protecting their customers that way instead of putting bandaids over the exploits. By not telling anybody what they're doing to defend against an attack, they're not telling the attackers to start looking for another hole. Even Microsoft has begun using similar tactics as a combined Apple/Microsoft/police effort shut down and arrested the perpetrators of two very significant botnets. I guess you were unaware of this 'new' tactic.
If you keep your Apple patches up to date, you should not have a problem but obviously 2 of these folks didn't and the third guy had no idea what SETI did to a network.
Fortunately the malware folks' devices were not allowed on even our guest network. I didn't fix their problems for them, I just directed them to the information about addressing it.
I like to help people out. That's why I run the IT Department. I never say, "Flat out no, not on the corporate network." I explain that with unlimited resources, we can make anything happen in IT & this is what getting your device on the corporate network would entail.
I don't care what OS is running on a personal device. They are not allowed on the corporate domain for all the same reasons.
I am not picking on Apple. I apologize if I made it sound like I was. It's just that for some reason, quite a few Apple users believe that their devices are immune to malware or viruses and that's a dangerous thing to believe.
As for the SETI guy, we have intelligent switches on the guest network. Once his device reached the "top talker" threshold, the switch shut off the port and sent me an alert. I explained the issue to him and asked him to disable SETI while at work. Sometimes it's good to let the users know what IT can see running on the networks.
With the caveat that sometimes just pointing to the information isn't enough. I have a client who, even though I've told him many times how to protect himself from malware (especially phishing emails) he still opens anything and everything that hits his mailbox. While I grant that if he were an employee I would strongly consider dismissing this person, instead he is a client and I have to at least try to keep him safe. His advantage? He's using a Mac so the majority of the malware attacks run into a dead end (he does know not to permit installs out of email or websites unless he triggers them himself) but even I have come close to getting caught out by some of the more recent phishing attempts. Using rules to guard his emails also doesn't work as it might, since the majority of the attempts tend to come through his whitelisted friends. Fortunately I get a mirror of most of these attacks and remind him to manually scan his machine when I see something questionable come through.
The point is that you do have to take the user into account and sometimes go that extra bit with them. Not only does it improve customer satisfaction, it makes you look good to the company, too.
You have clients. I have employees.
You can influence what clients purchase and do.
I have a budget. Within that budget, I decide what the employees use and I can limit what they can do.
The upside for you is if things go wrong, you can say, "I told you not to do that."
The downside for me is if things go wrong, I have to look at the guy in the mirror.
That's why I choose to narrow the computing options.
What happens when you are involved in some lawsuit where the data is subpoenaed, or seized? Do you want your personal machine and all its contents to be bared to the world? Or the Gov't?
If you are using apps like the Good app then it's a simple matter to delete the Good app remotely along with all the corporate data.
If you really allow your users to store data outside a container then you really open yourself up for all kinds of hurt.
While we agree that some IT departments need to play catch-up, there are a growing number of IT leaders who are embracing the BYOD trend, either by allowing user owned devices to be connected to the company infrastructure (usually in addition to a company supplied device) or by providing a stipend to the user to acquire a device intended for corporate use. The important thing is enabling employees on those devices, while balancing the needs of the organization. This is aligned with the point #2 about requiring updated management solutions. These solutions need to provide accountability and control, in spite of the flexible device policy, including effective strategies around application readiness (assessing and preparing applications for corporate use) and enterprise license optimization (ensuring the ideal procurement and allocation of software licenses). Then IT can more effectively manage the process of delivering vetted apps to users, whenever and wherever needed. Without them, BYOD policies increase the risks associated with system supportability, excessive software spend, and license compliance. -- Steve Schmidt, Flexera Software
Biggest issue against BYOD for a lot of companies is funnily enough cost and money.
Network and systems infrastructure in most companies has been set up to secure laptops and PCs. Mobile OSes and devices were never a design consideration.
To update your infrastructure to support the severely increased data leakage exposure that comes with tablets and smartphones requires a large investment in technology and training for your support staff.
I have been reviewing and comparing MDMs for several months now and have still not found one that adequately manages all mobile OSes out there. Only way I see to do this is with a proscribed list of devices provided by the company. BYOD would be a nightmare to support with multiple versions of Android OS, Windows Phone 7.0 and 7.5 not supporting encryption being just some of the problems.
Through the '80s, '90s and '00s, companies only looked at desktop replacement as bulk purchases, buying hundreds or even thousands at a time to get the lowest possible price. However, one company tried an experiment and separately purchased one Mac and one PC. They attempted to make the two machines as equal as possible, even to using the same software (as closely as they could) on both machines. They then went to a temp agency and hired two secretaries that had no PC experience of any kind and spent 30 days training them to proficiency on their respective machines. Once trained, these two workstations were given identical tasks for 90 days, neither knowing about the other. The company measured direct productivity between the two machines and all support issues.
At the end of the 90 day experiment, they analyzed the data and discovered that the Mac proved more than 200% more productive while only costing about 30% of the Windows machine's support. It proved that the long-term costs of using Macs went far below costs of remaining with Windows.
However, the results of that experiment, while documented and later even made into an educational documentary (I watched it some 10-12 years ago on The Learning Channel or similar) the company chose NOT to convert to Macs because of the--at the time--three times higher up-front cost per unit and overall cost to convert from Windows to Mac en-masse.
With BYOD, such a changeover's cost is minimized by the employee effectively absorbing the hardware costs (companies still tend to buy the cheapest they can get away with on their own) while managing to retain the majority of their existing infrastructure. They now gain the benefit of the higher reliability and resulting higher productivity without having to eat the higher up-front cost of buying hundreds of Macs at one time. IT itself may want to resist this conversion, but even though no company may ever fully convert to Macs, they and other Apple devices are moving in and will remain as long as Apple retains its lead in real systems integration.
Last time I looked (early winter), Apple still had only around 5% market penetration on desktop and laptop systems. Considering some of those are corporate systems, then the percentage owned by individuals must be even smaller. I don't see that relatively small wave of BYOD Macs washing Microsoft out of the corporate pool, especially when the majority of laptop devices being brought in are Windows systems.
If you're talking about the dominance of Apple tablets, I might agree. On the other hand, such devices render your discussion of the 'MS vs. Apple' experiments irrelevant. Those focused on the only form factor available at the time: desktops. I'd also point out that many of those Apple tablets are being used to remotely access Windows desktops and servers. If an employee is bringing his own tablet, regardless of brand, but is using it to access a company-owned desktop, the company isn't saving any money.
... my point was that the Mac did prove itself almost 20 years ago and the Mac today is still better than the majority of the Windows boxes currently in use in the enterprise--and still more expensive on a per unit basis for purchase. Why? Because the Mac adheres to far tighter specs on nearly every internal component compared to its competition. Higher cost on components means higher up-front price. But that's an old argument that will never be settled until the antagonist actually bothers to physically test each and every component to verify what I learned through working for an Apple component supplier. I know from experience what Apple's parts acquisition methods are like. Others simply refuse to believe Apple would do that when nobody else (except maybe the US Government) does.
I doubt the superior hardware provides enough advantage to be worth the price to most buyers, corporate or consumer. Sure, it would be nice to have a Lexus, but an Accord will be more than good enough for much less money.
The up-front cost of the hardware is really less than a quarter of the cost of ownership when it comes to enterprise PCs. Desktop support tends to drink more IT resources by far. This is where better hardware comes in. Usually better hardware lasts longer than cheap hardware. In the case of Mac PCs vs Windows PCs, the ratio is about 3:1 on hardware durability. But there's more as well. There have been many reviews done over the years that compared Windows use on Macs vs Windows use on other brands like HP, Dell and the others and those Macs consistently demonstrated better performance even when the PC used to compare were as equivalent as possible with all the Mac's components and features. I'm talking visibly faster in nearly every aspect that an enterprise would need. (I will except gaming because gamers have the convenient ability to swap video cards whenever they feel like it. Even so, gaming is eminently available for the Mac through Mac ports of many popular games and the Mac's ability to run Windows itself.)
In other words, when taking the total COO (cost of ownership) into account, the Mac can still save the company between 50% to 70% of what they'd pay for the average PC over the same period of time.
So Windows XP is being used for long. Should I have installed Vista and made things worse? We are already upgrading to Windows 7, so I don't agree.
Locked down PCs - so should we allow for company information to be stored in Google Apps, Sky Drive and DropBox and then when we have a leakage call the CIO and make him/her responsible? What is the solution?
Agent Hog - So should we uninstall all AV, Malware, Personal Firewall, SPAM filter and Proxy filtering and allow malicious code to infect our organization? Too simple to say this is the problem. Selection of good tools is required but saying this is the problem is too simplistic.
Will these problems disappear with BYOD or will we just create another set of problems?
Cloud-level services for an enterprise do not have to be on public servers; your company can have its own in-house cloud that does the same thing on private--secured--servers. Think of it as a much more advanced version of the old mainframe technology where the MF served both files and applications and the employees used dumb terminals. The enterprise cloud has the company's server farm now serving files and applications but the task of actually using the apps is delegated to the desktop, eliminating the workload and time-sharing bottleneck that developed when the mainframe had to do it all. Of course, this also means that any mobile device attached to that network is automatically restricted to the in-house cloud if it's a wi-fi only device or has its 3/4G radios turned off or blocked.
Google, among others, does offer this kind of cloud computing. I have no doubt that Microsoft does as well.