Why “BYOD” Policies are keeping me awake at night

 

In June 2010 a customer was starting to mull the idea of a “Bring your own Device” (BYOD) policy. There are various interpretations of this but it’s certainly been driven by the huge growth in smartphones and tablets in the enterprise. A story familiar to you all: CxO of your company is a “technical” and brings into the office Foxconn’s finest fondleware. Suddenly it’s your number one priority to “increase the productivity” of this shiny-haired buffoon by allowing him to strut around the place with a rare-earth vanity mirror Facebooking his Mum or what-not. I’m going to focus on the practicalities of access and network access control in a future blog, but as you may suspect, I’ve got a bit of an issue with these policies and what they mean to the enterprise and the poor sap whose job it is to keep the data where it’s supposed to be and looked at by whom it’s supposed to be.

This customer was discussing the possibility that, in lieu of being issued standard Wintel laptops, employees would be offered a stipend of circa £400 ($500)/year to allow them to purchase a device of their choice, be it fruit-flavoured, Robot Penguin or just a regular “Grandpa Box”. This fund was designed to cover the entire cost of the device, including productivity software, support etc. The vision was that this would massively relieve the burden on support departments as they wouldn’t have to mess about supporting and setting up these Windows devices and worrying about patching and rebuilding them etc.

A more common “BYOD” policy is simply to allow users to bring in their personal devices and, at the very least, allow them to “leech” from the company internet break-out. In no particular order, my issues are as follows:

  1.  The management of Wintel devices is very well done. Microsoft is Good at this. Even the standard AD GPOs allow a huge amount of control over every aspect of a corporate-issued desktop or laptop. For the gaps where the “free” tools aren’t good enough, there is a huge ecosystem of 3rd party tools which can go even further. With the possible exception of Blackberry, all other fondleware providers have either completely excluded this from the design or rely on 3rd parties. Whilst vendors such as Juniper, Check Point and Good Technology all have device management solutions which cover the most common variants, there are huge discrepancies in terms of the features which can be offered. They mostly rely on the uniformity of the platform to ensure that nothing bad can happen, but the built-in security on all platforms has been broken, usually within hours of the Beta SDK release, limiting the strength of these controls.
  2.  Corporate data is going to end up on these devices. At the very least this will be the synced mail, but especially on an OS which exposes the file system and has a half-way usable office suite, more serious amounts of data are going to be exposed. Whilst file system encryption is available for some platforms, it’s sketchy and not usually integrated into corporate tools. These things get lost/stolen/dropped down manhole covers all the time.
  3. Actual Billable Productivity. My other worry is how much productive work actually gets done on a tablet. Right now on my laptop I have about two browser windows with about 20 tabs open, two IM clients, a photo editing application (a proper one), Excel, Word, Full Outlook, Notepad++, a “proper” terminal client and about four PDFs open. I switch between them constantly. Most days you could add to that a 3rd browser, MS Project, Wireshark and random other diagnostic/analysis tools. I literally could not do my job with anything less than a full-blown “Fat” operating system which I had complete admin privileges on. Whilst I appreciate that there are cut-down equivalents in the various app stores, no one platform has them all or implements task-switching as well as I need it to. Furthermore, I can type significantly faster than I can usually think, a task I find almost impossible on a capacitive touch screen. I hear you cry: “get a Bluetooth external keyboard!” But what’s the point? I’m sorry but if I’ve got to haul around an external keyboard with a tablet, then what I’ve got there is an even-less useful Netbook PC. I really wonder how many jobs/roles in the public sector can actually be usefully performed using a device which has the following:
    1. A cut down web-browser which renders properly about 50% of Internet content 
    2. Complete dependence on reliable and “free” network access
    3. A “productivity” suite which is about as advanced as MS Works Circa 1999
    4. A really, really good Facebook Client (really, don’t get me started on Facebook)
  4. Provision of Enterprise Applications. If your users are providing their own devices (or if you are paying them to do so) you don’t have any control over what they are running on their devices, or what data they are storing. Again, device management tools exist but they are very fragmented and dependent on what the platform is capable of/what Steve Jobs says (said) is OK with him. An example: an end-user brings in his “Bargain” £99 HP TouchPad and demands access to the CRM which he needs to do his job. Guess what, there is no client for WebOS. Just a very limited iOS one. Problem solved! Use Terminal Services/Citrix/VMware View. Nice idea, except:
    1. The users don’t like having to login every time
    2. There is no thin client for that platform or even worse:
    3. There is and your CRM GUI extensively uses the right-mouse button
  5. Pretty much every organisation is going to have at least one non-office suite application which is core to the business; if you are lucky it MIGHT be web based and supported by standards-based browsers. However it’s more than likely that it was designed for a single platform (probably IE6) and none of the pages render properly on Safari or Chrome. If you are REALLY unlucky the custom extensions you’ve made to Oracle forms don’t work at all and it’s going to cost a king’s ransom to upgrade the code, because at the time the CRM was developed Steve Jobs was still working for NeXT.

To show that I’m not a complete Luddite, I actually own a Samsung Galaxy Tab 10.1 running Honeycomb, certainly one of the slickest tablet implementations currently around. Of an evening, I play with it for a bit, maybe check my mail or Twitter feed; maybe play a couple of games then I put it down and get my laptop out for some “proper” work. It stays at home, where it was designed for. I don’t bring it into the office. No point.

One thought on “Why “BYOD” Policies are keeping me awake at night”

  1. kenok

    It's a big challenge for enterprise IT teams going forward. They on one hand want the headache of users pestering them to give them access to go away and on the other want to control where the data lives. I too have seen the proliferation of these fondle slabs in various organisations. The best organisations have stood up to the top brass and said no, that it is against the company's own security policy to allow such access. Of course the standard response is "go away and find a solution to this" and then implement it. What the IT team then find out, as you say, is the various security limitations on each platform, some being better than others. However I will say one of the things that has helped "standardise" some of this is that most organisations use M$ Exchange these days and ActiveSync seems to be widely adopted as the "standard" way of doing mail sync; even Google and Lotus Notes support it. So with Exchange you can force policies out to the devices like requiring a 6 digit password, file encryption etc. and can also do a remote wipe of the device. Oh, I should say that if the user of the fondle slab/device desperately wants to have access to email on their device they will agree to anything. So you can enforce the security requirements as part of the access being granted. So some of your concerns can be addressed with the above. I know not all of them. Thing is though, the IT team needs to grab the bull by the horns on this one quickly so they can control it, as most users will find ways around the controls and use tools that sync to Google or interface with OWA, and then the data is out of their control. It is certainly changing and challenging times ahead for the IT and security teams.
