A banking app that requires a 5-digit passcode?
Name and shame right now. That should be criminal.
Back in the old days providing your employees with corporate computer equipment was an expensive business. When I was 19 I was the university holidays PC guy in an office full of RPG III developers; the fact that they thought their System/38 with its 5250 terminals was a pretty neat piece of kit was the only reason they didn't …
Can't say for sure what bank they're referring to here, but my bank would match this; however, they have a device enrolment process so that only your enrolled device can get in with that PIN, i.e. the passcode is one half of a 2-factor authentication scheme (the other half being, obviously, possession of the phone). This is as secure as my debit card, so seems pretty reasonable to me. In fact, I'd probably notice my phone missing sooner than I'd notice my debit card left behind in a shop...
At a number of places I've worked, even the guest WiFi devices (including phones) had to have their MAC address registered. One place even required that guest devices were security scanned before and after use.
Then there is the fallacy about 'you leave and nothing goes with you when your access is disabled'.
Doh!
Do you insist that all BYOD devices have all possible removable or network storage disabled?
Even places that block all the USB ports on desktop devices are not secure. Got a phone with a camera? Take a picture of the screen, SMS it to your phone at home and delete everything.
You were doing so well right up to this point: "on which of course you can enforce frequent password changes."
Why would you do that? It only encourages users to write their password down somewhere accessible. Frequent password changes are the idle instructions of lazy auditors and are not based on any sort of sound evidence.
If you can't detect compromised accounts then you have already failed.
This is the opposite of why BYOD catches on. People don't want your shitty Windows desktop on their iPad; they want an iPad experience with a rewritten corporate app (OWA, Salesforce etc.) which either is an app or is a web interface. If you're thinking terminal services, VDI or the like, then trust me when I say your users already hate you, and it's the reason they will begin to create THEIR content outside of your network. Information workers are the ones creating the data, and if you make it hard for them to do so they will just cut you out of the loop, just like the CEO will when he goes for a full cloud strategy...
Couldn't agree more. Using remote Windows on a tablet is a really crappy experience and quite frankly is completely missing the point. It's often even crippled by Windows standards; things like visual effects are often turned off to conserve resources on the hosting servers so you end up with a cluttered interface that looks like it's straight from the 1990s. Sadly this only widens the gap between the corporate and consumer experience.
I'd argue that if you're considering VDI as in the article then BYOD is utterly pointless. The expense you've just gone to with server hardware means that the screen and Wyse unit you could have on the desktop is an insignificant cost compared to the hassle of someone connecting their porn-filled, malware-riddled laptop to your network. Obviously an exaggeration, but why would you ever want to deal with this eventuality? It makes no sense. Please don't try and offload your hardware costs onto me.
When there's an environment where a lot of business partners and subcontractors are working on site, each with their own corporate-standard and secured laptop, VDI gives a nice abstraction layer for shared working. I've concerns about end users bringing home devices onto a network.
(*aka 'Be SOD'd' - copyright pending)
"I've concerns about end users bringing home devices onto a network."
These concerns are down to your security configuration on your network. If you had enabled the Windows firewall on desktops like you were supposed to, and configured DirectAccess, and enabled firewalls on your servers, and segregated your endpoint networks from your server networks using firewalls, then you probably wouldn't be so worried. The corporate network is where the user is; if not, you've either done it wrong or you're tied up in compliance, which means you won't have a BYOD policy saying anything more than "no BYOD here, pal".
A good modern network treats the endpoint network like the Internet, only possibly with web filtering to prevent porn in the workplace. If you genuinely are worried I assume you have NAP/NAC enabled to stop people plugging stuff in? And don't have any wireless networks? Ah I remember the 90s well :)