Bring your own back door....
....not very security focused.
The rise of ‘consumer’ expectations in the workforce is driving some organisations to think up ways of giving their employees more choice when it comes to personal computers. ‘Bring your own computer’ (BYOC) has quickly become an umbrella term for employees, erm,.. bringing their own computer into the workplace. But just how …
So, if the user has their own computer running on the network then they have local admin on the box, probably the locally managed anti virus program of their choice (agh!!!! ie. no management and a million laptops updating individually) and any number of arbitrary apps running that can cause conflicts with anything else. No licensing controls as it's the users personal property, yet your still liable for it as it's being used for work and you paid for it.
In addition, you can't then run group policy or meaningful software restriction policies as it's the users laptop.
This is a good idea, why?
Because a bunch of dumb fscking bean counters said it was.
BTW, you do bring up some extremely valid points.
I am curious who would get screwed by the Bulls--- Society of America (aka BSA) in the event unlicensed software is found on an empolyee owned machine.
Another question comes to mind: Data ownership.
Can the employee REFUSE to allow the company to gain access to data that is stored on the employee owner computer in the event they are no longer associated with that company???
Does the company have any right to `analyze` private data on an employee owned computer in the event that there is suspicion that some wrong doing had occurred; or at the time they plan to terminate an employee???
If I got fired by an employer, where I was supplying the computer; once they handed me the pink slip, the answer to a question about looking at my computer would be `tough s---`.
IMHO some serious LEGAL minefields to wander through. I am not sure I want that task. BTW, this applies to more than simply computers, one could apply this to cell phones, iPads, etc. I would rather, from a legal standpoint, not want go down this road. I would rather keep my s--- separate from the employer's s---. If they tell me `goodbye`, then `here is your fscking s---, see ya`!!!!
I assume that the point of the exercise is not to be joining random malware infested PC's to your domain but rather providing each user with a virtualised environment to work within. This virtual environment will be what is joined to the domain.
This also applies to the licencing controls issue you raise. Because the "work" aspect of the computer is entirely virtual, it could easily be argued that anything that is outside that work environment (ie the virtual host PC) is Not Our Problem.
I can see some potential issues with this approach but I can also see quite a lot of benefits too.
What they are suggesting is abstracting the Work environment from the hardware (the "hardware" becomes virtual. Just doing that can give you enormous benefits even iuf you still retain ownership over the fleet of iron it is running on.
But, once you have divorced the work environment from the physical hardware, it is quite valid to ask yourself exactly why you should bother caring about "owning" the actual hardware and all the problems that goes with that ownership.
It's not a huge strep.
Being able swap a virtual image from one machine to another would make life a whole lot easier.
On the one hand you have IT support having to deal with each machine as a special case - taking time to work out what software / versions / drivers / patches are installed and then having the luck to not break any of the owners stuff while trying to fix a work problem.
On the other hand you have a conflict between the users domestic practices and arrangements and any mandated software (such as firewalls, anti-virus, encryption) the employer requires.
Personally I would not allow any IT support dept. do work on my personal machine (and not for the reasons Gary Glitter might be regretting) not just because I would fully expect them to either break something or just go for a wipe-and-reinstall approach (since their time is more valuable to them than my equipment is), but also because of the inconvenience: I can't do "my stuff" while it's in their hands - which could be for days.
The only thing I might, just , possibly consider is a company installed VM. That would give a solid line of demarcation between their stuff and my stuff. I still wouldn't give them physical access to the machine itself, they could work on their VM remotely, during working hours.
However, I can't see any company seriously accepting the extra complications, support burdens and security nightmares for the sake of a few hundred quid's worth of hardware. Unless of course, their workforce was in the habit of "losing" the thing every time they didn't get a pay rise or promotion.
Our CIO was mooting the idea on an internal board.
His model was one of individual budgets to buy PC+support (no internal support, we recently outsourced our engineers) for personal and business use, and using a virtual machine to host a protected work environment.
One of the sticking points at the time was that we have a mobile workforce, so choose-your-own-supplier was too high-risk, and our CIO said his preferred option was to sign up with PC World as the only supplier with wide enough UK presence. You can imagine that a bunch of computer geeks didn't like that idea.
The other problem we brought up was that deploying a virtual machine is a massive efficiency hit, and that the budget would need to be ridiculously high to get a PC powerful enough to cope.
And while the CIO was stating it was a "benefit" because it's also a free personal PC, some people countered that us geeks visit all sorts of abuse on our PCs. If I'm not free to botch up a Linux install and bugger up the boot sector, it ain't my PC!
The idea of BYOC is popular amongst upper and middle managers that have a PC at home and think that their work environment is just like their home network, but just bigger. Specially higher ups usually have access to "at home" support from IT if necessary, so they perceive any problems that they have as small bumps that are solved easily by what appears to be a not very experienced person. Well, certainly he/she does not wear a suit and a tie so it must be someone with little experience, right?
This is not the case, as they discover soon when they have to understand the rules and configuration of such arcane (for them) details of network configuration, domain authentication, proxy configuration, application connection information, shared file server security, backup of local hard disk, antivirus, anti-spam, data privacy and so on.
Only when they actually set themselves up for the task they can understand the difference, and then you, and most important, they, have a good measure of the degree of complexity you support.
For an organization made up of developers or sysadmins, BYOC may work. For almost anything else, try before you buy.
Security is not the issue. BYOC2W is about hooking up to a model office managed virtual infrastructure via an office internet connection.
Consumerisation and the adoption of this area if halted mainly by the users ability to maintain the device i.e. break/fix, and the inability of the company to provide a suitable mechanism to assist in the financing of such assets.
Current finance models can only be associated with the BIK tax (benefit in kind) to the employee, so the adoption fails due to the employee not wishing to spend their hard earned cash on a computer to to their employers work.
The VDI (Virtual Desktop Infrastructure), via whichever flavour you prefer, is a very mature offering, but it currently leverages existing assets for connectivity, or involve a tech-refresh of the desktop devices in line with the current asset depreciation/ lifecycle.
The best approach today appears to be achieved by creating a pre-boot environment on a USB stick, or an isolated environment, to provide connectivity to a company broker system, or by using portals; but agin the issue of end-point device ownership/ control still lingers.
We currently have two types of machine:
1) a closed portfolio one where applications are determined by each department/country and each package is tested on each model. Updates are pushed after testing.
2) an open one where people can try out other applications at their own risk, but may not work on applications like SAP which are business or compliance critical .
The pain of keeping this going and updated globally means that hardware & software cost is less than 20% of the total cost of PC support.
I'm expecting one last iteration for windows 7, then a switch to Any PC, and a push of my virtual company machine onto a corner of my APC every morning. That should solve the security and shared storage issues too. It is fortunately not my call, though.
As a contractor, I'd love such a scheme in companies I work with, assuming the company's software runs in a VM. I already have VirtualBox on my machine so adding a new VM would be no problem: this way, the company has complete control over what goes in the VM, while I have complete control of the hardware (and the OS that runs on it).
A BYOC scheme would solve the following issues for me (as usual YMMV):
More often than not, the hardware I have is more powerful than anything a company I work with can provide me with so I generally end up with an XP box that takes ages to do anything and on which I can't install tools that could actually help with my job. With a BYOC scheme, I could have my own hardware running my own software, while having the company's VM for work (occasionally working out of the VM when I need something that's not provided by the company).
Every single company I've ever done contracting work for have needed at least 4 weeks to source a computer, meaning that I tend to spend the initial 4 weeks of any contract using my own laptop but with no access to company networks thus making my job more difficult (and therefore costing the company I work with a fair share of the price of a laptop in lost time and effort). Having a VM that can be deployed on any BYOC hardware would reduce that time significantly.
Of course, the devil is in the details as always but I think it's an idea that could work in principle, especially for non-permanent staff. And if would help working round IR35.
Seriously, I'm trying to be ironic or anything!
Using Citrix or a VM is the only option, the local LAN must not let anything else through or route any host machine traffic (so even an infected keylogged system would be "safe"), and *assuming* the host machine actually works, it can be anything Win/OSX/Lin, I just built a 3Ghz dual quad core/16Gb machine for about £700 so I don't think there's any issue with price/performance these days.
However, (and it's a huge however), as soon as the maintenance is shifted from the PC to the VM and you can use *any* kit for the physical PC then the overhead on managing the PC drops as well, so a cupboard full of Ubuntu installed boxes which need no additional config or maintenance (as they are just VM hosts) is pretty cheap.
In other words, as soon as using Citrix/VM is viable for the service then maintenance for the host almost disappears anyway so you've already saved your money (why give it to the users?), i.e. if it's safe and simple for the user to do the PC config then having a professional do it will be safer and cheap (consistent).
I suspect the only advantage would be for contractors who value better hardware than a company provides by default. This works (to a lesser extent) even if you go the local VM route.
Personally I bring my own keyboard and mouse and I'm severely tempting to bring in my own screen. These improve the user experience without compromising security and are platform independent. I don't compile code, but I'd take a couple of nice 20"-24" screens and a good keyboard over faster cpu or more than 2 gb ram any day.
So you get a nice new job and the first thing the company says is, "You have to supply your own computer. Our IT department says the minimum spec is..." and you find that to cover their backsides they have over-spec'd the requirements and you're into a couple of grands worth of new machine.
And when it breaks down the IT guys deem it to be your problem not theirs as it's your PC.
Sounds like a great ploy if you are an accountant. Not so great if you a grunt.
... this definitely seems like, if not a bad idea, a solution with far more problems than it causes. Bearing in mind that I am not specifically a techie, just the person in my group of friends that gets asked to sort out computers, the killer arguments that need to be dealt with if any company floats this idea are:
a) Is it practical for any tech department to know about umpteen different types of machine, possibly with different OSs, even if that is only in relation to a VPN or whatever virtual environment is used? OK, most of it is only an internet search away, but that is likely to be an inefficient use of the techies' time. (Trevor - I feel your pain!)
b) Who is responsible for damage to the machine? If worker X drops his BYOC computer so that it is no longer functioning, what is the replacement (temporary and/or permanent) protocol going to be? The IT department will not have spare machines of that type ready to lend out, so what is to be done?
c) Who is responsible for the data on the machine? It is relatively easy (well, it should be!!) to put in place a security policy for work-related stuff, but, as an earlier commenter said, are the techies going to be considerate to personal data if it comes to the most efficient use of time?
d) Probably the major argument against the whole scheme, and one that occurred to me before I read the earlier commenters (honest!), is the ennd-of-employment situation. Who does the machine belong to. All sorts of problems seem to arise from the scenario of the recently ex-employee saying "It's mine, and you're not having it, or the sensitive data, back". There may be a way around this, but it will be time-consuming and messy.
It seems to me that in many places, the workers don't actually care what the machine is. Some will modify the ergonomics with mice and keyboards of their own, and some, as an earlier commenter said, might go as far as bringing in screens of their own. Perhaps this simply comes down to laptops, which are often regarded as a bit of a fashion accessory rather than a tool, which raises the question - does the company *really* want to buying iPads (for example) which may or may not do what is required for the work intended?
Nah - this seems to be an idea with an understandable basis, but with little sense behind it.
maybe a nicer idea from the "no I will not fix your computer" point of view: virtualbox SDL launches "Work PC" that's a read-only configs with no local admin rights in VM, Work PC logs part of company AD with GPO etc - including My Documents redirection? - and can access local USB for printers but has local shared folders disabled. Local user can still mess it up by trying to be clever with VirtualBox, but that's misconduct and they have to pay for it to be fixed by company.
And yes there's probably a VMware / Citrix / whatever way of doing it that's better / different / whatever.
Still a minefield in several ways though .... can't we do the "this is your company PC; want to work from home you can, it'll cost you a £250 security deposit for a new company-provided PC in case you screw it up". Then give them a eeeBox to take home, preconfigured with dynamic DNS, VPN etc. and put all the line-of-business applications via remote desktop or Citrix?
Biting the hand that feeds IT © 1998–2021