Wow, this subject could go on to become a large book. My company is looking at this today. We already have a guest wireless network that only has access to the internet, and this seems OK, until you start to see the increase in bandwidth on the internet pipes. So now we have to watch that traffic and use QoS to police how people go certain places. We found the number 1 place the guest wireless is going to is Netflix. I doubt that is work related.
My point in telling this is to point out the added work the IT department must do in order to maintain the bandwidth for these devices. We are now talking about using Websense (more) on the guest network and stopping some sites like Netflix and Pandora.
The idea of BYOD as a main source of the employees computing power seems almost ridiculous to me except for trusted products. With the use of some tools such as (the failed Cisco) NAC, the theory is that we can control what they are doing and where they are going and what they are "spewing". But that has not been all that the marketing machines have stated.
The amount of man-hours to handle this does not seem worth the advantages. But it looks like we are headed here anyway... so thank God for NTA and Websense!
I agree completely. For large organizations, this seems like it would require an impossible amount of man-hours. For smaller orgs, this may not be such a big deal. The most fluid part of most organizations is their user computers. This is assuming we are talking about IT-controlled devices. If you try to account for the amount of, for lack of a better word, "****" most home users have on their machines, this is something which will lead to major security issues in the long run.
I like the idea of VDI for this. I have a number of friends whose companies are using this already. IT controls everything and is able to provide a secure environment. The user gets to use their own device, yet connectivity into corporate is from the VDI and some sort of VPN.
An interesting topic tangential to this is how we define expectations for personal devices.
So we have a motivated and modern workforce, and we want to encourage this workforce to engage in business activities, say, outside of the workplace.
As a lever to do so, we allow (with conditions) BYOD programs and deliver VDI or some other sandboxed/secure workspace that gives the personal device access while protecting corporate assets.
I wonder how many individuals in said workforce would more easily engage in work activities off-clock if it's on their familiar and well-regarded personal device instead of the work laptop they lug home every day with varying degrees of resentment.
As familyofcrowes said, it could be a large book!
BYOD isn't a bandwidth issue for us because we are a service provider and therefore have a huge amount of bandwidth spread across three different upstream providers, though I can certainly see how this would be a problem for companies that have to keep their costs down and only purchase as much bandwidth as they need.
The problem that we have had is having to support non-standard systems and applications. Our company standard desktop is a Windows system, though several people have chosen to bring in Apple systems and applications that we aren't set up to support, as well as a few Linux desktops. We also end up having to support the whole range of smartphones that employees choose to use, which end up locking them out of their Active Directory accounts when their passwords expire and the phone keeps trying to access their email with the wrong credentials.
Having a standard set of systems and applications simplifies and reduces the amount of IT resources necessary to support a department and/or company. BYOD significantly increases the amount of IT resources necessary to support those same environments. BYOD also increases security risks due to the uncontrolled devices that enter the environment, for example with our Windows systems we have an enterprise patching system that keeps them up-to-date; however, the patch level on the non-standard systems that employees use isn't guaranteed to be kept up to date.
Ultimately I think the management or executive team at a company needs to decide if BYOD is worth the additional risk and cost.
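The lockout pattern byrona describes (an expired password cached on a phone, and the mail client retrying it until the domain lockout threshold trips) is easy to spot on the PDC emulator if you know which workstation name the failures are attributed to. The following script is an added example and not code from anyone in this thread. It assumes the domain controller's credential-validation events (4776, with Error Code 0xC000006A for a bad password) and lockout events (4740) have been exported into a flattened one-line-per-event form, that ActiveSync terminates on a host called MAIL01 (an assumed name), and a lockout policy of 5 bad attempts with a 30-minute reset counter; the log lines themselves are constructed for the example.

```python
"""
Flag AD accounts whose bad-password bursts come via the mail server,
which in a BYOD shop almost always means a phone holding a stale password.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed for the example: MAIL01 is the Exchange CAS where ActiveSync terminates,
# so a 4776/4740 whose workstation field is MAIL01 came through a mail client.
MAIL_SERVERS = {"MAIL01"}
LOCKOUT_THRESHOLD = 5                       # assumed domain lockout threshold
OBSERVATION_WINDOW = timedelta(minutes=30)  # assumed "reset lockout counter after"
BAD_PASSWORD = "0xc000006a"                 # STATUS_WRONG_PASSWORD in a 4776 Error Code

# Constructed sample: what a flattened export of DC security events might look like.
# jdoe: five bad attempts from the mail server in two minutes, then a 4740 lockout.
# asmith: one typo on a normal workstation, then success. bnguyen: two widely spaced failures.
SAMPLE_EVENTS = """\
2013-04-02T08:00:05 EventID=4776 Account=jdoe Workstation=MAIL01 Status=0xC000006A
2013-04-02T08:00:35 EventID=4776 Account=jdoe Workstation=MAIL01 Status=0xC000006A
2013-04-02T08:01:05 EventID=4776 Account=jdoe Workstation=MAIL01 Status=0xC000006A
2013-04-02T08:01:35 EventID=4776 Account=jdoe Workstation=MAIL01 Status=0xC000006A
2013-04-02T08:02:05 EventID=4776 Account=jdoe Workstation=MAIL01 Status=0xC000006A
2013-04-02T08:02:06 EventID=4740 Account=jdoe Workstation=MAIL01 Status=0x0
2013-04-02T08:10:00 EventID=4776 Account=asmith Workstation=WKS-0421 Status=0xC000006A
2013-04-02T08:10:09 EventID=4776 Account=asmith Workstation=WKS-0421 Status=0x0
2013-04-02T09:00:00 EventID=4776 Account=bnguyen Workstation=MAIL01 Status=0xC000006A
2013-04-02T09:45:00 EventID=4776 Account=bnguyen Workstation=MAIL01 Status=0xC000006A
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"Workstation=(?P<ws>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the flattened export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "account": m["acct"].lower(),
            "workstation": m["ws"].upper(),
            "status": m["status"].lower(),
        })
    return events


def max_failures_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_mobile_lockouts(events, mail_servers=MAIL_SERVERS,
                         threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Return {account: summary} for accounts hammered, or already locked, via the mail servers."""
    failures = defaultdict(list)
    locked = set()
    for e in events:
        if e["workstation"] not in mail_servers:
            continue  # a bad password typed at a real workstation is a different problem
        if e["id"] == 4776 and e["status"] == BAD_PASSWORD:
            failures[e["account"]].append(e["ts"])
        elif e["id"] == 4740:
            locked.add(e["account"])
    report = {}
    for acct, times in failures.items():
        times.sort()
        burst = max_failures_in_window(times, window)
        if burst >= threshold or acct in locked:
            report[acct] = {
                "failures": len(times),
                "burst": burst,          # worst burst inside one reset window
                "first": times[0],
                "last": times[-1],
                "locked_out": acct in locked,
            }
    return report


if __name__ == "__main__":
    for acct, info in find_mobile_lockouts(parse_events(SAMPLE_EVENTS)).items():
        print(acct, info)
```

The DC only tells you the failures arrived through the mail server, not which of the user's devices is responsible; for that, the Exchange IIS logs for the ActiveSync virtual directory carry the username, the user-agent and the device ID, which is what you need before asking the user to re-enter a password on one specific phone. Kerberos clients show up as 4771 with failure code 0x18 rather than 4776, so a production version would match both.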
Having just left my previous organization, a regional hospital, this was a huge issue for them. Physicians, therapists, sales reps, patients, visitors, guests, everyone it seems wants to bring in their own device and have it get instant access to both the internet, and in many cases, the internal network. Physicians especially want to be able to use whatever they desire to connect to the medical records system. This presents some major risks, especially in such a secure environment.
At the time of my leaving (a few weeks back) we were providing a simplified solution, though it was not very effective. Using guest wireless, we provided those we were allowing to connect to the internal network with the VPN client or VMware remote access into the network, so basically they were going out and back in on another connection. This provided the desired level of security, but not the desired level of convenience.
At my new company, a global manufacturing firm, we're looking into this and how we plan to address it. In our HQ building alone, on a single floor, we have tons of 'rogue' points appearing: every phone, laptop, iPod, iPad, etc., all desiring internet access and bandwidth, which is in limited supply. An effective policy has to be developed, along with a plan for how users will use this bandwidth. We don't want everyone firing up Pandora on their Droid and taking down our Internet... Yet trying to convince the users of the risks and inherent issues is difficult. Hopefully this becomes clearer as time and bandwidth progress.
I think byrona's conclusion is the most correct of any: management must decide if BYOD is worth the cost, and then take a stand on their position. I think there is a technical solution out there for nearly every BYOD scenario; heck, President Obama had a special BlackBerry created for his own BYOD needs. But businesses survive based on P&L, so ultimately the decisions about how much time and money to invest in a solution need to be made at the top. What is the cost of the technology? What is the cost of a data loss/breach? What are the returns for a happy, more accessible workforce? Management types live for ROI analysis, so put the ball in their court.
VDI is a large part of the answer for us. I work for a medium sized hospital and our physicians want to use tablets to connect to the systems that they use. We have had a difficult time convincing them that this is not as easy as it sounds. Our vendors aren't keeping up with the times, therefore, there are no apps for the specific EHR systems that they need access to and utilizing RDP to a Windows Server is very tedious and cumbersome for most users.
We are currently working to allow VDI access over our guest wireless network via VPN. Although this is not ideal, currently, it is the only viable solution in order to make BYOD useful to our users.
We had this exact issue/discussion. Until our EHR vendor would be able to provide a 'portal' for physician or employee access, we were really struggling with a method of remote access... VDI was working for desktop users at home, but not portable devices like tablets and such. There is a VMware VDI app for the iPad, but we had not implemented it as we were a version or two behind... the push, though, for more and more meaningful use, CPOE and other drivers will force these issues soon.
This is not very feasible for my organization yet. This creates too much additional cost. When our organization supplies the equipment, we have full control and there are many things that we can do and create automatically. If we were to allow BYOD, we would have to hire additional personnel to cater to this idea: people for security, monitoring, updates to ensure devices are compliant, VPN personnel and engineers for new designs to protect the current network. Remote access really needs to be looked at and engineered heavily before implementing this idea, or you are just asking for trouble.
While BYOD is a concept, I believe the first step is the same as for any other technology or solution. That first step is for each organization to ask themselves: 'What are the requirements for our version of BYOD?' I believe the next move is to take the answer from the first step and see how it lines up with your existing mission. That would include starting to ask the questions of how your organization's definition of the BYOD service lines up with or runs contrary to your day-to-day mission. Resources and compliance obligations seem to be the elements that surface the most during this second step. As is evident here in this thread, the requirements and environments vary drastically by industry and corporate size. What a university needs or wants to support can be very different from that of a regulated PCI or HIPAA environment. By starting at the beginning you can work your way through design, vendor bake-offs, implementation and ongoing support. There are certainly leaders in the MDM space, and vendors like Cisco are trying to bring along interoperability with solutions like ISE. Through the process, just keep going back to the first two points to make sure you're still plotting a course for a viable service that doesn't keep your small staff working 24x7 or sleepless fretting over newly introduced security and compliance vulnerabilities.
This is another one of those areas where I feel top-level execs just don't get it. Sure, it makes everyone happy to BYOD. But I'm not sure anyone has a clear picture of the issues, costs and complexity of allowing BYOD. Not even those of us living it.
We are starting to allow BYOD and we are doing it in baby steps:
Scrapped Cisco NAC and replaced it with ForeScout CounterACT.
Started categorizing devices: company issued, BYOD with limited access, and BYOD / guest access.
Filtering guest access with a web gateway (McAfee), blocking malicious, p0rn and streaming.
Allowing some BYOD via VPN web rewriting, and email via an ActiveSync proxy (Juniper MAG).
BYOD devices that are allowed run an agent. Haven't solidified this yet, but it looks like we will use the CounterACT agent, which limits BYOD to iOS and Android.
May use our current endpoint solution (TEM / BigFix) as the agent, as it supports more devices. May use this for both BYOD-allowed and corporate-issued devices.
Of course there are still grey areas. Should we give BYOD-allowed devices with our agent full access rather than going through web rewrites on the VPN? Do we do it through VDI (VMware for us)?
Any way you look at it, it's a huge outlay of time and money for, in my personal opinion, no savings. What we've saved on cell devices and plans we have more than spent on NAC, VPN, VDI and employee costs to understand, implement and maintain.
My personal opinion is that BYOD is here because a small minority of individuals feel they are entitled. To me, BYOD is really just not worth it.
Thanks for all the replies. My thoughts exactly: BYOD would make things easier for employees, but for corporations it would not save anything, and it will get you a shitload of work + additional costs.
It will just make things a lot more complex... I agree with Sohail; for smaller corps it's not such a big deal, as security is not that strict.
In my opinion the IT landscape is changing, but BYOD might not be the answer to this... Why not just buy your employees the device they want, and manage it the traditional way? Let people work from home with their corporate laptops (which they choose themselves) and still use something like VDI.
Tooling like VMware Mirage (formerly Wanova) can manage all your devices, from physical desktops to View desktops. Would that make a difference? Especially if you use ForeScout CounterACT or Cisco NAC.
I agree with jspanitz. Most of the time it's pushed from management, where BYOD is sold as the answer to their problems.
I think ownership versus control of the device is a major issue, though. I was forced to accept a policy of 'IT can wipe my entire device' the moment I set up work e-mail on my private device, effectively giving IT control over the entire device instead of just the work-related content / data. With VMware's Horizon Mobile, a step in the right direction was taken, albeit a small step. What do you guys think?