13 Replies Latest reply on Oct 29, 2012 11:35 AM by Joep Piscaer

    How should organizations organize BYOD?

    mbroeken

      More and more people are working from their homes. BYOD programs will most likely motivate employees to get their own devices connected to the corporate network. While giving them a sense of personal choice, this can also bring unforeseen consequences when it comes to cost and security, even productivity, which must be fully considered before something like BYOD can be implemented. BYOD has the potential to increase productivity and improve efficiency in the workplace, but only if employees are utilizing their devices properly.

       

      I have seen some good solutions for BYOD, but if you adopt BYOD in your corporation you have to deal with many more issues than just the devices...

      • Network capacity.  Let’s say you have 1000 employees and each of them has 2 to 3 personal devices.  Is your network ready to handle triple what it has today?
      • We would have way more devices to manage. Can you, or should you, manage a device that is not yours?
      • You would have to consider implementing VDI or cloud-based apps to give a secure workspace to your employees.

       

      How do we deal with securing all those devices, and how do we deal with all those new technologies and services in the cloud?

        • Re: How should organizations organize BYOD?
          familyofcrowes

          Wow, this subject could go on to become a large book.  My company is looking at this today.  We already have a guest wireless network that only has access to the internet, and this seems ok, until you start to see the increase in bandwidth on the internet pipes.  So now we have to watch that traffic and use QoS to police how people go certain places.  We found the number 1 place the guest wireless is going to is Netflix.  I doubt that is work related.

          My point in telling this is to point out the added work the IT department must do in order to maintain the bandwidth for these devices.  We are now talking about using Websense (more) on the guest network and stopping some sites like Netflix and Pandora. 

           

          The idea of BYOD as a main source of the employees' computing power seems almost ridiculous to me except for trusted products.  With the use of some tools such as (the failed Cisco) NAC, the theory is that we can control what they are doing and where they are going and what they are "spewing".  But that has not been all that the marketing machines have stated.

           

          The amount of man hours to handle this does not seem worth the advantages.  But it looks like we are headed here anyway....  so Thank God for NTA and Websense! 

            • Re: How should organizations organize BYOD?
              Sohail Bhamani

              I agree completely.  For large organizations, this seems like it would require an impossible amount of man hours.  For smaller orgs, this may not be such a big deal.  The most fluid part of most organizations is their user computers.  This is assuming we are talking about IT controlled devices.  If you try to account for the amount of, for lack of a better word, "****" most home users have on their machines, this is something which will lead to major security issues in the long run.

               

              I like the idea of VDI for this.  I have a number of friends whose companies are using this already.  IT controls everything and is able to provide a secure environment.  The user gets to use their own device yet connectivity into corporate is from the VDI and some sort of VPN.

               

              Sohail Bhamani

              Loop1 Systems

              http://www.loop1systems.com

            • Re: How should organizations organize BYOD?
              rharland2012

              An interesting topic tangential to this is how we define expectations for personal devices.

              So we have a motivated and modern workforce, and we want to encourage this workforce to engage in business activities, say, outside of the workplace.

              As a lever to do so, we allow (with conditions) BYOD programs and deliver VDI or some other sandboxed/secure workspace that gives the personal device access while protecting corporate assets.

              I wonder how many individuals in said workforce would more easily engage in work activities off-clock if it's on their familiar and well-regarded personal device instead of the work laptop they lug home every day with varying degrees of resentment.

              As familyofcrowes said, it could be a large book!

              • Re: How should organizations organize BYOD?
                byrona

                BYOD isn't a bandwidth issue for us because we are a service provider and therefore have a huge amount of bandwidth spread across three different upstream providers, though I can certainly see how this would be a problem for companies that have to keep their costs down and only purchase as much bandwidth as they need.

                 

                The problem that we have had is having to support non-standard systems and applications.  Our company standard desktop is a Windows system, though several people have chosen to bring in Apple systems and applications that we aren't set up to support, as well as a few Linux desktops.  We also end up having to support the whole range of smart phones that employees choose to use that end up locking them out of their Active Directory accounts when their passwords expire and the phone keeps trying to access their email with the wrong credentials.

                 

                Having a standard set of systems and applications simplifies and reduces the amount of IT resources necessary to support a department and/or company.  BYOD significantly increases the amount of IT resources necessary to support those same environments.  BYOD also increases security risks due to the uncontrolled devices that enter the environment, for example with our Windows systems we have an enterprise patching system that keeps them up-to-date; however, the patch level on the non-standard systems that employees use isn't guaranteed to be kept up to date.

                 

                Ultimately I think the management or executive team at a company needs to decide if BYOD is worth the additional risk and cost.

                • Re: How should organizations organize BYOD?
                  ken.montgomery

                  Having just left my previous organization, a regional hospital, this was a huge issue for them.  Physicians, therapists, sales reps, patients, visitors, guests, everyone it seems wants to bring in their own device and have it get instant access to both the internet, and in many cases, the internal network.  Physicians especially want to be able to use whatever they desire to connect to the medical records system.  This presents some major risks, especially in such a secure environment.

                   

                  At the time of my leaving (a few weeks back) we were providing a simplified solution though it was not very effective.  Using Guest Wireless, we provided those we were allowing to connect to the internal network with the VPN client or VMware remote access into the network, so basically they were going out and back in on another connection.  This provided the desired level of security, but not the desired level of convenience.

                   

                  At my new company, a global manufacturing firm, we're looking into this and how we plan to address it.  In our HQ building alone, on a single floor, we have tons of 'rogue' points appearing, every phone, laptop, iPod, iPad, etc... all desiring internet access and bandwidth, which is in limited supply.  An effective policy has to be developed, along with a plan for how users will use this bandwidth.  We don't want everyone firing up Pandora on their droid and taking down our Internet... Yet trying to convince the users of the risks and inherent issues is difficult.  Hopefully this becomes clearer as time and bandwidth progress.

                  • Re: How should organizations organize BYOD?
                    branfarm

                    I think byrona's conclusion is the most correct of any -- management must decide if BYOD is worth the cost, and then take a stand on their position.    I think there is a technical solution out there for nearly every BYOD scenario -- heck, Pres Obama had a special BlackBerry created for his own BYOD needs.  But businesses survive based on P&L, so ultimately the decisions about how much time and money to invest in a solution need to be determined at the top.   What is the cost of the technology? What is the cost of a data loss/breach?  What are the returns for a happy, more accessible workforce?  Management types live for ROI analysis, so put the ball in their court.

                    • Re: How should organizations organize BYOD?
                      RandyBrown

                      VDI is a large part of the answer for us.  I work for a medium sized hospital and our physicians want to use tablets to connect to the systems that they use.  We have had a difficult time convincing them that this is not as easy as it sounds.  Our vendors aren't keeping up with the times, therefore, there are no apps for the specific EHR systems that they need access to and utilizing RDP to a Windows Server is very tedious and cumbersome for most users.

                       

                      We are currently working to allow VDI access over our guest wireless network via VPN.  Although this is not ideal, currently, it is the only viable solution in order to make BYOD useful to our users.

                        • Re: How should organizations organize BYOD?
                          ken.montgomery

                          We had this exact issue/discussion.  Until our EHR vendor would be able to provide a 'portal' for physician or employee access, we were really struggling with a method of remote access... VDI was working for desktop users at home, but not portable devices like tablets and such.  There is a VMware VDI app for the iPad, but we had not implemented it as we were a version or two behind... the push though for more and more meaningful use, CPOE and other drivers will force these issues soon.

                        • Re: How should organizations organize BYOD?
                          goodzhere

                          This is not very feasible for my organization yet.  This creates too much additional cost.  When our organization supplies the equipment, we have full control and there are many aspects that we can do and create automatically.  If we were to allow BYOD, we would have to hire additional personnel to cater to this idea.  People for security, monitoring, updates to ensure devices are compliant, VPN personnel and engineers for new designs to protect the current network.  Remote access really needs to be looked at and engineered heavily before implementing this idea or you are just asking for trouble.

                          • Re: How should organizations organize BYOD?
                            ccie14430

                            While BYOD is a concept, I believe the first step is the same as any other technology or solution. That first step is for each organization to ask themselves; 'What are the requirements for our version of BYOD?'. I believe the next move is to take the answer from the first step and see how it lines up with your existing mission. That would include starting to ask the questions of how your organization's definition of the BYOD service lines up with or runs contradictory to your day-to-day mission. Resources and compliance obligations seem to be the elements that surface the most during this second step. As evident here in this thread, the requirements and environments vary drastically by industry and corporate size. What a university needs or wants to support can be very different from that of a regulated PCI or HIPAA environment. By starting at the beginning you can work your way through design, vendor bake-offs, implementation and on-going support. There are certainly leaders in the MDM space and vendors like Cisco are trying to bring along interoperability with solutions like ISE. Through the process just keep going back to the first two points to make sure you're still plotting a course for a viable service that doesn't keep your small staff working 24x7 or sleepless fretting over newly introduced security and compliance vulnerabilities.

                             

                            Great topic,

                            -chris

                            • Re: How should organizations organize BYOD?
                              jspanitz

                              This is another one of those areas where I feel top level execs just don't get it.  Sure it makes everyone happy to byod.  But I'm not sure anyone has a clear picture of the issues, costs and complexity of allowing byod.  Not even those of us living it.

                               

                               

                              We are starting to allow byod and we are doing it in baby steps.

                              • Scrapped Cisco NAC and replaced with ForeScout CounterACT
                              • Started categorizing devices - company issued, byod w/limited access and byod / guest access
                              • Filtering guest access with web gateway (McAfee) - blocking malicious, p0rn and streaming
                              • Allowing some byod via VPN web rewriting and email via ActiveSync proxy (Juniper MAG)
                              • Byod devices that are allowed run an agent - haven't solidified this yet but looks like we will use CounterACT agent, which limits byod to iOS and Android
                              • May use current endpoint solution (TEM / BigFix) as agent as it supports more devices.  May use this for byod allowed and corporate issued devices

                               

                               

                              Of course there are still grey areas.  Should we let byod allowed devices with our agent full access rather than through web rewrites on VPN?  Do we do it through VDI (VMware for us)?

                               

                               

                              Any way you look at it, it's a huge outlay of time and money for, in my personal opinion, no savings.  What we've saved on cell devices and plans we have more than spent on NAC, VPN, VDI and employee costs to understand, implement and maintain.

                               

                               

                              My personal opinion is byod is here because a small minority of individuals feels they are entitled.  To me byod is really just not worth it.

                              • Re: How should organizations organize BYOD?
                                mbroeken

                                Thanks for all the replies. My thoughts exactly, BYOD would make things easier for employees but for corporations it would not save anything and it will get you in a shitload of work + additional costs

                                It will just make things a lot more complex... I agree with

                                 

                                In my opinion the IT landscape is changing but BYOD might not be the answer to this... Why not just buy your employees the device they want, and manage this the traditional way? Let people work from their home with their corporate laptops (which they choose themselves) and still use something like VDI..

                                 

                                 

                                  • Re: How should organizations organize BYOD?
                                    Joep Piscaer

                                    I think ownership versus control of the device is a major issue though. I have forcibly accepted a policy 'IT can wipe my entire device' at the moment I set up work e-mail on my private device, effectively giving IT control over the entire device instead of just the work-related content / data. With VMware's Horizon Mobile, a step in the right direction was taken; albeit a small step. What do you guys think?