back to article BYOD: don't let the dream turn into a nightmare

Most vendors and analysts agree: you can’t avoid BYOD (bring your own device). But despite all the excitement about letting people use whatever smartphones, tablets, convertibles or latest thingamajig they want at work, many businesses are still wary of the BYOD trend. Some organisations, by necessity, just cannot adopt BYOD …

  1. Anonymous Coward
    Anonymous Coward

    Good article

    Absolutely agree that policy needs to come before technology. Otherwise you pick the tech that you think will work based on assumptions of what you think users want, and what the business will allow.

    Set up a policy on the basis that users WILL use their own devices, but make it appropriate to your organisation. CYOD will only work if you provide devices people want to use. You will lose staff to organisations that are less restrictive if you're not careful. If the policy means no data is ever stored on the device, then that's fine. If it means users have to use 2FA to access sensitive data, then make that the policy. But allow the policy to match expectations, then implement a technology that supports the policy.

    Sticking your head in the sand and saying no users can access the data remotely ignores the fact that they will find a way, and unless you provide them a way to do it safely, the way they choose will certainly not be one you have any control over.

  2. Pen-y-gors

    Simple solution

    Of course you let people BYOD - but under no circumstances should they ever be allowed to connect to a company network with it or store company data on it. If they want to browse the company website, no problem.

  3. Anonymous Coward
    Trollface

    I don't know why they're worried about buggy/insecure clients - Windows tablets aren't catching on.

  4. Anonymous Coward
    Anonymous Coward

    No other choice but to use BYOD

    because the crippled network blocks Skype which we use then setting up tests with our customers.

    because the corporate browser is IE8 (nuff said)

    because all webmail access if blocked

    Yes it allows Facebook, Twitter and YouTube.

    because the crippled laptop we are issued with is so locked down we can't create a VM on the internal HDD even though we have VMWare Workstation installed.

    etc

    etc

    etc

    So a laptop with a 3G dongle is the order of the day.

    {thankfully the boss understands this and pays to the SIM}

    1. Anonymous Coward
      Anonymous Coward

      @AC - Re: No other choice but to use BYOD

      No, it's not the way to go! At my current workplace I've been patiently waiting for more than three weeks until they allowed me to install Webex plugin on my locked down PC. During this time our manager was becoming increasingly impatient about the incident I had opened with the provider for one of our applications so he was the one begging the security teams to grant me local admin rights. Bringing my own PC would have triggered a security incident and would have had me fired on the spot. Paying me for doing nothing will always force my employer to be creative about giving me the right tools for my job.

  5. Anonymous Coward
    Anonymous Coward

    "Most vendors and analysts agree: you can’t avoid BYOD (bring your own device). "

    Uh, yes it can.

    1. Anonymous Coward
      Anonymous Coward

      You didn't get it!

      It is about vendors of all gadgetry and mobile bling and they are categorical, you must not avoid BYOD.

  6. Anonymous Coward
    Anonymous Coward

    Either wifi locked to mac addresses meaning only authorised devices on company network (previous company) or (as current company) have a wifi network completely separate from corp LAN. You want LAN access over wifi in the building (from your work laptop) you have to VPN in.

    Sure you could still get a BYOD device physically plugged in unless you do complete mac address level access, as they had at an investment bank I worked at. But either of the above stops most tablets and phones connecting to the corp network.

    1. Anonymous Coward
      Anonymous Coward

      "But either of the above stops most tablets and phones connecting to the corp network"

      And neither of the above is more than a slight annoyance for a lowly capable attacker. All those measures are "tick box" preventions, which may make auditors happy, but don't avoid someone above the simplest level to go and enter your network at will.

    2. Anonymous Coward
      Anonymous Coward

      wifi locked to mac addresses

      Wow. I don't know about on Windows, but MAC addresses are easily changeable - please don't do that (I know you're not, but there are plenty of low calibre IT admins on here who'll read that).

      But yes, wifi on the visitor lan then VPN in, definitely - that way you need to go through the same security any other bugger on the Internet has to - wifi won't give an attacker anything they haven't got already.

      One place I was at, there was no wifi at all. Fair enough, good security in theory. Unfortunately, you'll then get dick heads working around it by sneaking in access points somewhere - using consumer grade security, if at all.

      1. Anonymous Coward
        Anonymous Coward

        Easy pie!

        Make an example of one or two of those so called dick heads. Fire them and bring them in front of a judge for non-authorized access, especially if you happen to live in the US of A. Make a short movie and make it mandatory for the rest of employees to watch it.

      2. Pascal Monett Silver badge
        Headmaster

        Re: "I don't know about on Windows, but MAC addresses are easily changeable"

        I think you are confused on the term. A MAC address is not the address of an Apple machine, it is the Media Access Control number of the network chip in anything that connects to a network.

        Thus Windows machines have MAC addresses too.

        1. Anonymous Coward
          Anonymous Coward

          Re: "I don't know about on Windows, but MAC addresses are easily changeable"

          Oh sorry for the confusion - that's quite funny. I did mean "MAC address", not "a Mac's address". You've made me feel like a Windows user, now!

          I meant I don't know if the MAC (as in layer 2) address was easy to change in Windows (or even a Mac, for that matter). Back in my day, on Windows you had to reboot just to change the hostname.

      3. Anonymous Coward
        Anonymous Coward

        >Wow. I don't know about on Windows, but MAC addresses are easily changeable - please don't do that (I know you're not, but there are plenty of low calibre IT admins on here who'll read that).

        >And neither of the above is more than a slight annoyance for a lowly capable attacker.

        You both miss the point somewhat... This is about employees bringing in devices, finding out the wifi password from someone and then connecting their own device to your wifi. Put on filtering by MAC address and bang this stops Frank in the warehouse being a dick on your network. Of course it will not stop attacks but then that wasn't what the article was about... Key 4 letters are BYOD and key words are 'at work' ....

        1. Anonymous Coward
          Anonymous Coward

          Put on filtering by MAC address and bang this stops Frank in the warehouse being a dick on your network

          Sorry, no. That's bad.

          A few years ago, I used to be "Frank in the warehouse" (my name isn't Frank, but I worked in a warehouse - and I'm still a dick...). I'm also waffling on here about how MAC (hardware) addresses can be easily spoofed.

          My point? Attacks can come from anywhere. There will always be dicks like me who will spot a poorly secured system and utilise it... mostly for a geek triumph, sometimes to prove a point - but only if it's maintained by (supposedly) professionals.

  7. Anonymous Coward
    Anonymous Coward

    There's an essential contradiction here

    And it lies in the "Y" part of BYOD. "Your" own device by definition is yours. Yours too is the data that you put there. So unless there is a way of clearly separating both, the problem is unsolvable.

    In the end "BYOD" is the pinnacle of shadow IT. BYOD does happen for one single reason: people gets frustrated because their IT work tools are not good enough, especially in comparison to their day to day use of consumer IT.

    BYOD is a capitulation from corporate IT. Not that is not necessarily a bad thing, but it has to be treated as such.

    1. Number6

      Re: There's an essential contradiction here

      My device, my rules. I don't use my phone for company business (I haven't even given them the phone number so they can't call me on it) and when at work, it connects to the guest wifi. I don't always like the IT security policy but I understand why they see fit to implement one (and I've and anything from complete freedom to do what I want to having to ask for approval for any changes to my desktop PC).

    2. Anonymous Coward
      Anonymous Coward

      Re: There's an essential contradiction here

      "their IT work tools are not good enough" meaning they can't install their software, browse the Internet for inappropriate material, use social work networking, play games, use net based email or cloud storage or put pictures of their cat as a wallpaper!

      The organisation I work for refreshes its corporate devices every two years (the latest generation having SSD for fast boot times), has a catalogue of commercial software for all the tasks people are likely to need to do (and will consider any reasonable request to expand said catalogue should you find a task that you really can't do with the tools available). Despite all this, we still get service requests to add personal devices to the network, and reports of attempted device connection that failed. The only possible reason for this is that they want to do one of the above.

      We handle shedloads of highly sensitive personal data. So no, BYOD is not an option. Wifi is locked down to devices already registered in AD, likewise the corporate network. We have a guest wifi but it's for external trainers etc, it requires a password and the password is changed daily. We also use secure email products to ensure that data can't be sent outside the corporate enclosure without encryption and encryption software on all corporate devices so that any USB storage device is automatically encrypted upon connection (you do get one warning that this will likely bonk your camera, phone, etc if you continue).

      You don't have to give in to BYOD; just tell people that they can't have it and ensure they can't work around it. After all, they'd be the ones screaming if it was their personal data that had just been leaked...

  8. Brewster's Angle Grinder Silver badge

    If "careless employees find ways to circumvent [your security] controls" you thank them for acting as unpaid pen testers.

  9. SVV

    The acronym should really be BYEHWYW

    Buy your employer's hardware with your wages.

  10. Alex Brett

    Surely NAS is the answer?

    No I don't mean storage, but a Network Access Server, which is where the 'network' (normally the switch in consultation with a backend service) decides whether to grant you access (normally put you on the right vlan) if you comply with the business requirements around AV etc...

    Having said that, in a lot of cases peoples personal machines may be more secure than company laptops which have nothing more than default Windows firewall to protect them when off the network, and the user having no permissions to do anything more stringent...

    1. Anonymous Coward
      Anonymous Coward

      Re: Surely NAS is the answer?

      NAC should be part of a BYOD solution. You get internet access unless you meet the requirements (AV, patched up to date, management client installed etc).

      1. Anonymous Coward
        Anonymous Coward

        @Should b Working - Re: Surely NAS is the answer?

        Dead wrong!

        You only get access to a remediation VLAN where you can update your AV, management tools and patch your Windows.

  11. ecofeco Silver badge

    BULLSHIT

    "Most vendors and analysts agree: you can’t avoid BYOD (bring your own device)".

    Bullshit self promotion.

    Yes, yes you can and vigorously should ban BYOD under penalty of job loss for those who refuse.

    That is the professional advice and best practices of REAL network admins and directors. Not snake oil salesmen.

    1. Ian Johnston Silver badge

      Re: BULLSHIT

      That is the professional advice and best practices of REAL network admins and directors. Not snake oil salesmen.

      Nah, it's appropriate advice for a very small number of companies and paranoid, will-nobody-think-of-the-child job-preserving bullshit for most. The average university has upwards of ten thousand privately owned devices connected daily, and nobody dies as a result.

      1. Anonymous Coward
        Anonymous Coward

        @Ian Johnston - Re: BULLSHIT

        Your example is BS because university students are not employees and because universities are not subjected to financial/energy/manufacturing regulations. Oh and also because those privately owned devices are not managed by IT staff with tight SLAs.

      2. Pascal Monett Silver badge

        @Ian Johnston

        Universities. That is your justification.

        So tell me, what corporate data do Universities deal with on a daily basis ? How much consumer data do they process ? And how does my banking data get into their hands ?

        Oh, none of any of the above. So you might as well have mentioned schools in Africa as far the relevance of your example is concerned.

        1. Michael Wojcik Silver badge

          Re: @Ian Johnston

          So tell me, what corporate data do Universities deal with on a daily basis?

          Universities are businesses. Some of them are very large businesses indeed. The physical plant for Michigan State University dwarfs that of any business I've ever worked for, except IBM's. MSU has more employees than many large corporations. It has a huge number of internal budgets and deals with a vast number of external accounts.

          How much consumer data do they process?

          A lot. What's your unit?

          And how does my banking data get into their hands?

          I don't know about your banking data, but universities in the US generally do a lot of payroll by direct deposit, and let students pay tuition and fees by ECH and often by credit/debit card. Universities here typically run a variety of on-campus stores (MSU has hundreds of them). And so on.

          Now, we can hope that universities use separate virtual networks for business data and Internet access. (Many, like MSU, also have a separate VPN for guest Internet access.) But they potentially have the same sorts of data exposures as private businesses do, because they are businesses.

          (Really, I'm amazed this needs to be explained. How do you think universities work?)

      3. Vinyl-Junkie
        Facepalm

        Re: BULLSHIT

        @Ian Johnston. I think you'll find that the network to which users can connect their BYOD in a university is not the one on which staff payroll, student medical details etc are stored...

    2. Anonymous Coward
      Meh

      Re: BULLSHIT

      Where I am if you connect any BYOD to the works network you will be lucky not to be hung drwan and quartered with the quarters buried at seperate crossroads and your head on a spike "to discourage the others" All USB ports are blocked and even charging your own device is considered (technically correct) theft.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022