Danger, Will Robinson! Beware the hidden perils of BYOD When I first became involved with networked PCs, the company I was working with was upgrading its NetWare 2.0a installation to 2.15. We were pushing the boundaries of networking with our three-way gateway connecting Ethernet, Token Ring and PCnet. The only local storage on all but the most high-end PCs was a floppy drive, and …
On the subject of BYOD(ish) for my remote needs I can use Citrix Receiver or VMware View to connect into a Windows desktop env from my Mac or iPad. Both are very useful for weekend/out-of-hours support that being a sys admin usually incurs. Because I'm an owner of fruity tech I also have become the unofficial Apple support bod when it comes to linking BYOD kit to the office.
I also have a 2005/6 vintage work HP laptop which is still running XP (recently rebuilt) and that can use VPN to get in. But it runs like a dog nowadays, so I prefer to use my own kit.
There's no choice for BYOD when it comes to phone, so I still have a work Blackberry and my own iPhone.
Yep, it was a neat solution. RIM's problem was that Apple had already trained everyone in what to expect from a tablet. So when RIM came along saying "Actually there's a different way" (and it was a very different way indeed!) no one listened or understood. There loss, but an even bigger loss for RIM.
Nowadays the idea is moot because the PIM / Email client software on the Playbook is perfectly capable of connecting to all sorts of things in its own right (Exchange, IMAP, etc), though arguably with less security for the corporate employer than the Playbook / BB6/7 / Bridge way. And alas the Playbook line isn't going anywhere either, so that's it.
It's much the same with BlackBerry Balance on BB10 phones. It's a really neat idea, it's pretty well bullet proof from the point of view of corporate security and personal privacy, it's a very good BYOD solution, far in advance of what everyone else is doing. Also it's the first actually useful Multi Level Security System I've ever heard of (all the others have been terrible usability kludges). And once again very few people out there have ever heard of it let alone know what it could do for their corporate users. Yet with pretty much every Android app now working just fine in BB10, you really can have a mix of personal fun and properly good (i.e. accredited) corporate security.
You can't do that too slowly! No point setting up MDM software after all the company's intellectual property has already leaked out through a compromised BYOD phone.
Joking apart, that why I like the idea behind BlackBerry's Balance. Phone split into Corporate half and Personal half. Corporate half locked down to the n'th degree, but the Personal half is yours to do what you wish with. And yet things like calenders, email and contacts remain usable, sane and well managed.
Same territory as Citrix I guess but cheaper?
That's what we use. Data stays on employer's servers. None on my laptop. Login/password to Windows desktop not stored.
T'other employer does not provide RDP session, so I use an encrypted hard drive and offline email reader. Disabled suspend so only hibernate or power off choices, hence reboot needed, so you have to know passphrase.
Tramp icon: I can run my whole tiny world from a recycled laptop...
My current company is trying to implement a "Bring your own device that we hoisted on you" policy, where you can choose a discounted laptop or high-end mobile phone, as your own, it's reduced price is taken from your monthly pay, but the corporate IT will manage it for you. When you leave the company, it will be remotely wiped and you can then do with it as you wish.
Good idea in theory, but what about grumble flicks you watched at home, on your personal device, off company time that may leave browser traces that could get you fired for having pr0n at work the next morning (not to mention, sticky keys)...
Paris, because grumble flicks...
It is situations like this that make Digital Restrictions Management (DRM) inevitable. I am deeply concerned about the capacity for abuse of DRM, but would eventually end up writing in myself if it is not done. Before DRM extends deep roots we need to put in place laws and technical mechanisms for key escrow that preclude single nefarious entities from abusing the technology.
Thus far, the bad guys rule DRM and the only reason it has not sent us to hell already is that the bad guys are not very good at securing things. They are getting better and before they actually get DRM working we need to stop them from making it work against us.
Treacherous devices without controls to protect the public interest are dangerous. Note: The public interest is not equal to the interest of the state. These interests are so divergent now, the state is one of the bad guys we need protection from.
... bring your own device (and leave it here in this safe while you're at work, and never ever use it to access company resources, though we'll make sure of that last part by allowing only authorized devices and users to access our company's data and apps).
In my opinion, the other meaning of BYOD (The one that everybody else uses, i.e. bring any mobile device you fancy, so we can save X Euros in hardware purchases, and expend 10X Euros more in software, security and support) is utter madness, a clear indicator that management, more often than not, doesn't have a clue, and a recursive security nightmare.
The biggest problem with encrypted USB sticks is when you need to copy files to a client's computer and find it can't read it.
Of course they don't have the rights to install any special software to permit such use, and even if you can get their IT folk's attention in time you may well find they use a Mac or Linux box so Windows-specific support is useless.
I know there are the odd device out there that is properly self-contained (e.g. with own PIN keypad for the encryption and just appears as USB storage when correct) but most of the affordable solutions are useless in such a situation.
But on a locked down PC, will you be able to run TrueCrypt at all?
If the admin had done their job right, you won't be able to run an arbitrary program of a USB stick!
Back to my basic point - there are no universal solutions that work "out of the box" and don't involve changing the client's Windows/Mac/Linux box.
If you want your users to be able to work on a train, they need a local copy of the data. That's a fundamental constraint. Thin-client solutions like Citrix simply aren't usable over 3G/4G networks while moving through tunnels and railway cuttings; even Outlook Web Access can be torture.
This means documents on the client device must be stored in encrypted form. BitLocker is suitable on Windows, but I'm not aware of any equivalent on Android or iOS.
It's astounding to me that there could be such a long discussion of "all" the issues surrounding BYOD, and yet there's absolutely no treatment at all for what the network looks like in that scenario. The experience of users is jolted from the beginning in most BYOD scenarios by the idiotic NAC schemes deployed by those who buy such snake oil, but I don't suppose that's important enough to be included in a discussion labeled as "all".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
