Enterprise mobility experts have warned IT managers not to enter bring your own device (BYOD) programs with cost reduction in mind, arguing that application development and support costs can quickly get out of hand if not strictly controlled from the start. IDC VP Tim Dillon told attendees at the analyst’s Asia Pacific …
What am I going to do, my BYOD work computer has been compromised by my 5 year old, the company files have been invaded, there's a CBEEBIES virus on the system.
Re: Oh god
That's why anyone who does this implements a variety of sound security systems, first when devices connect before they are plugged into the real network they're placed in a staging area scanned/have security software implemented. Then they connect to a the network.
Then all secure components within the network should be correctly firewalled to allow the minimum access. Also user permissions should allow minimum required access.
These should then all have some form of ID, AV and, auditing.
That's more or less a minimum and if an organisation has any sense much of this should already be in place.
Re: Oh god
This is exactly one of the reasons i beleive BYOD will become an absolute nightmare for IT.
When you are required to make changes to company material it is not normally a problem via GPOs and scripting. When you are required to make changes to a variety of "personal" material then that it is a whole other ballgame.
Re: Oh god
Genuinely don't find BYOD to be a problem.
Secure wifi setup, device security checking and remediation, application virtualization, and you're done; business apps running on an iPad, or a personal laptop, or a phone or whatever.
If you have a proper costed TCO of corporate PCs you could probably find enough savings to justify the infrastructure expenditure required (particularly as you'd be putting in place most if not all the components of a home working set up).
Re: Oh god
So how does the Desktop Support guy in BRIC do that for the US Executive's new toy?
(There won't be any US Grunts left).
This is just an underhand way to dip into the employees wallett.
First they came for the pens and paper, then they came for the internet access, then the phone....
We're all salve workers for the Corporate Nazis....
Re: Oh god
"This is just an underhand way to dip into the employees wallett."
Nowhere I know of is making BYOD mandatory.
"We're all salve workers for the Corporate Nazis...."
Well, jackboots can really chafe.
“For every change you need to make in Android it costs $50,000 in developer time,” he said.
Pulled that figure out of his arse & doubt its wildly different cost for any OS mobile device.
Don't think it;s just "everyone knows someone in IT" for support either, we already tell users we don't support their own stuff but some just don't accept it. Even more difficult to deal with when that's a director as rules just don't apply.
Developer and QA time, maybe, but the problem with BYOD is that instead of paying it once, you've got to do it a couple of times because the people who demand the changes use three different phone platforms. On this, the study is right to point at HTML5.
BYOD was touted as a money-saver, but actually increases costs because the cost wasn't in the hardware, but rather the complexity of managing the hardware population. It won't be too long before these policies are dumped, and companies standardise on one system, as they always have: be it for phones, staples, or printer equipment... This outcome would be very good news for the Android makers with their wide range of hardware, and Microsoft, who still have most of the corporate IT cards, but bad news for Apple.
"the study is right to point at HTML5"
In terms of BYOD I haven't found that re-writing applications has been necessary - using Citrix (other similar products are available) meansyou can ignore the end device and present existing apps wherever they are required.
If there was a serious need to work using corporate applications on a phone sized device it might be necessary to write a new front end but that isn't something people are requesting, even if it was the use of a presentation layer means the technology preference of the developer was not crucial.
I'm all for standards, and open standards are best , but there are other ways to skin the BYOD cat and make it fly.
I was going to mention one of Citrix's competitors because I sell them, otherwise, I agree with your points.
"IT managers should not be looking at BYOD programs as a cost cutting exercise, he argued."
Oh FFS. WE don't. Silly directors who look on it as a neat way of getting people to shell out for their own office equipment do. WE know that it won't save on costs because we know that the licensing and support costs will likely increase. We know that support will become more complex and we know that "no support" policies aren't even paid lip service in the real world. Honestly, well done on stating the ****ing obvious...to the wrong people.
One the one hand those lovely users will bring in with them, their Pron collections, pirate software, media, and network toxic apps.
On the other hand when, not if, the company stuffs up their licensing and puts their software on user devices, the users are then criminally as well as civilly complicit and liable.
No-one has any idea of the trouble that is on the way with this.
....or if the company insists on putting a piece of software on the users nice shiny toy and bricks it. I think the usert is going to expect the company to pay.
Then there's the grey are in between where the user says the company's software or advised change has bricked the device or borken it in some way.......
What a bunch of moaning bastards.
It's what people want, the tools exist to do it (and some are probably already in place), and security can be managed perfectly well.
Cost it up, present it to the business and get on with it.
I know thinking through the potential downsides is part of the job but so is getting things done, and isn't that the fun part?
I am an end user not an IT Pro, but I disagree with you completely and I think you are being massively naive in terms of the various risks and issues here. Company confidential data on personal devices? When the device gets stolen or goes missing are you going to send out a self-destruct code and wipe out their holiday pics? Malware payloads a la Flame and Stux sent out widely, or targeted, or cleverly built into a digitally signed and approved consumer app going on fishing expeditions and screen and audio capturing, etc, etc.
"Company confidential data on personal devices?"
What data, where?
Use a presentation layer (RDP, Citrix, 2X etc) and there is no data transfer to the end device.
IMO the naive thought is that devices that are 'owned' and inside the perimeter are somehow more secure.
If on connection a security policy is enforced (AV must be present, up to date and have had a scan run in the last n days, firewall must be on, security patching must be up to date) then what's the difference between a machine you own and one you do not?
Is someone more likely to lose their own laptop than one the company supplies?
Is a virus more likely on a Windows PC owned by the company or an iPad the user supplies themselves?
Proper security policies and technology make BYOD easy and ought to be in place whether or not people are allowed to pick what they sit in front of.
"When the device gets stolen or goes missing are you going to send out a self-destruct code and wipe out their holiday pics?"
Sure, why not? Not only will they have signed up for that but if they've lost the thing then they have lost those copies anyway, so who cares?
Flame and Stuxnet were created by governments. If you're the target, you're about as likely to prevent yourself from being infected as you are to stop an incoming nuclear warhead with a baseball bat. Good luck with that.
Anyway, company confidential data on personal devices? Who says?
Would think nobody had ever heard of a remote desktop. Solves your licensing issues, too. When users complain about why they can't have (insert name of massively expensive software here) on their own PC instead of the remote desktop, tell them that they are quite welcome to install a copy if they want to pay for it.
HTML 5 won't fix anything.
Makes me laugh how everyone's wetting their pants about HTML 5. Ever tried to build anything with it?
The first and biggest problem is that not every browser supports is (notably any version of IE other than 10). The next problem is that device support for HTML5 is even more patchy.
Lastly, HTML5 is a little more complex than HTML as we know it - more line XAML with code-behinds. The average enterprise dev might hack out a basic HTML page. It takes a start-up-type-hack to make it work with all devices, degrade gracefully for older browsers, and still remain functional and usable.
Right now HTML5 is way too new, too big, and too nebulous to bet a BYOD strategy on - kinda like replacing an MQ Series app with Node.js.
Re: HTML 5 won't fix anything.
HTML5 is also completely unnecessary for the vast majority of enterprise applications.
I'd think anyone sensible would go with valid HTML 4.01 Strict, CSS 2.1, and conforming ECMAscript 3, with extensions to the last for AJAX when it actually provides useful additional functionality. And require apps to degrade gracefully if scripting isn't enabled, except in cases where it's really necessary to make the app useful (which are rare).
People who say HTML5 is the answer generally aren't to clear on what HTML5 is, or what the question was.
(And as for HTML5 being "too big and too nebulous" - agreed, but I don't see this ever changing, thanks to WHAT-WG's "living standard" foolishness. There's no mechanism to cut it down to a reasonable size or to get it pinned down.)
All our services are web based and open to the internet by design. Security policy ensures people are trained before getting access to confidential / customer data. Having out of date OS or virus is grounds for instant dismissal (not that we would, but having it in large letters at the start of the employee handbook is useful).
We're a techie company which helps.
No-one ever mentions device safety when talking about BYOD. In all the offices that I've worked in absolutely all electrical equipment has had to be PAT tested on a yearly basis. What happens when someone's knackered laptop, which isn't safety tested, burns down the office due to a faulty PSU/Battery etc? Or another member of staff gets electrocuted by a dodgy mains cable, brought in by an end user? How do explain to your insurance company that you were asking people to bring their own equipment in? What are your chances of claiming on insurance when this happens?
Now, you could ask all your staff to sign up for safety testing of their equipment, but this would require someone from facilities management to be on-hand all the time, for the new hardware trickling in. There is also the issue of human nature, the chances are you'll never be able to prevent people who will forget or not care because they don't understand the problem.
As for data safety, if I were going to run BYOD, it would be on a separate network which offered RDP or Citrix ports only. Even this doesn't prevent someone yanking an Ethernet cable out of a company laptop, which would require some sort of secure DHCP.
Your points are all valid. Only, they apply to the past.
First, you can make use of BYOD conditional. I'll leave the definition of "conditional" to legal types and address the part I know something about - data safety.
That one is a lot more straight forward. With an intelligently tiered and layered application you can protect anything you like. Throw a properly configured application firewall (Juniper, or Unified Access Gateway) in front of the web server and you can even whitelist URLs, URIs and GET, POST name/value pairs.
With a decent identity and access management strategy you can constrain access to individual apps, web pages, database records... I guess it helps if you create a service-based culture (talking about AJAX/REST/JSoN/SOAP/XML rather than helpdesk/filfillment QoS - which would benefit anyway) like Amazon has.
The technology exists. It's proven. A lot of it's also cheap/free, depending on your stack flavour. The cost of a decent architect that can design something coherent that has business legs will be no more than the rocket surgeon you hire to design and manage and polish the blinken lichten on your RDP/Citrix environment.
"No-one ever mentions device safety when talking about BYOD"
There are a few reasons for that. It's dull for starters, and is dealt with by policy, not by a technical approach and so it isn't a great Reg topic. People can (as opposed to may) bring in their own devices regardless of BYOD policy, and this is not limited to computing devices, I've seen fan heaters, coffee machines, christmas tree lights, phone chargers, music players, and all sorts.
"Even this doesn't prevent someone yanking an Ethernet cable out of a company laptop"
What prevents that before a company allows BYOD? If you are not already dealing with that possibility what difference does a BYOD policy make?
- iPad = i FAD! NOW we know why Apple went running to IBM
- Updated HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
- Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
- PROOF the Apple iPhone 6 rumor mill hype-gasm has reached its logical conclusion
- Black Hat anti-Tor talk smashed by lawyers' wrecking ball