BYOD might be a hipster honeypot but it's rarely worth the extra hassle
Security, compatibility, control... we enter another world of pain
I have a confession: I've fallen out of love with Bring Your Own Device.
Over the years, I've worked with, and administered, a number of BYOD schemes. I've even written positive things about BYOD.
After all, what was not to love? Users provide the mobile equipment, the company doesn't need to worry about maintaining the kit, and at the same time it can treat the devices like company property, managing device and content securely.
Just four years ago, Gartner reckoned by 2017 half of employers would be leaning on staff to supply their own smartphones or tablets. Somehow, this would let us deliver all kinds of business apps at the touch of a screen. Things like self-service HR or mobile CRM.
BYOD was the most "radical change to the economics and the culture of client computing in business in decades," Gartner reckoned. Among the benefits were said to be new mobile workforce opportunities, increased employee satisfaction and – ahem – reducing or avoiding costs.
Some ludicrous statements started being made: BYOD had become a critical plank in attracting millennials – a generation addicted to mobiles and social media – to your place of work. If you didn't have a BYOD programme and the competition did, well, guess where that potential new hire wearing the chin thatch and lumberjack shirt would choose to work.
And after all that I've come out at the end asking why on earth would anyone bother?
The kit belongs to the user
On the face of it, users owning the kit is a great idea. When they sign up to the scheme they're agreeing that the equipment is their responsibility. It's up to them to have a warranty that'll get it fixed if it breaks. If it doesn't work, that's their problem. Well worth the price we paid to help fund the kit.
Except it doesn't work like that. Unless they've paid for a stonkingly expensive maintenance contract, their kit will likely be on a collect-and-repair scheme, which means that if it exudes blue smoke (or simply goes silent on them) they're without it for a few days while the vendor wrangles with it, bangs it with a hammer, and so on. So what do they do in the meantime? At the very least you'll need to have a small stock of spare kit to help out users whose kit has turned up its toes... and of course that kit will be unfamiliar to them, won't have their favourite applications, and so on.
And even when the equipment is alive, this doesn't mean it won't get sick once in a while. Even my own kit has a bit of a hiccup sometimes... refuses to acknowledge the Wi-Fi network, decides it doesn't know how to access the networked fileshare that it was perfectly happy with yesterday, and so on. And your service desk will have the same problem from time to time – a user with a piece of kit the service desk staff don't know very well (if at all) which is behaving oddly and takes an inordinate amount of effort to support.
And if you're thinking: "Ah, that isn't my problem – it's up to the user"... well, can you really justify making the user figure out their own issues? They may not even be able to diagnose a problem without help from your teams. In reality then, it doesn't work.
So even if you've saved money by contributing to the purchase of a BYOD device instead of buying a corporate system, you may be starting to uncover costs you weren't anticipating.
Connecting it to the network
The next question is how you give the users connectivity into your systems. Connecting stuff you don't own into the corporate network is a security nightmare – you absolutely don't want to hook it in directly, because one outdated anti-malware package can wreak havoc with your world. So you have a number of options.
First is the concept of a "quarantine" VLAN. The idea's simple: when anything accesses the network for the first time in a session, the infrastructure puts it in a VLAN that can't see much – generally it can't see anything but the internet and a server that deals with network admission. The admission server won't let the device join the proper LAN unless it's convinced that the device's OS is up-to-date with patches, that it's running a suitable anti-malware package, and that the latter is also current with regard to its patches and virus signature files. Now, although it's a simple idea it's also relatively complex to implement and has a non-trivial cost: so unless your BYOD world is extensive, it may not be worth it.
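To make the admission decision concrete, here is an added example (not code from the article or from any NAC vendor) that models the quarantine-VLAN logic just described: a device's self-reported posture is checked against a policy, and only a device whose OS patches, anti-malware engine and signature files are all current is moved out of the quarantine VLAN. The VLAN ids, field names, thresholds and sample devices are all constructed assumptions; the one design point worth noting is that an unparseable posture report fails closed into quarantine rather than being waved through.

```python
"""Toy network-admission posture check (added example, not from the article).

Models the quarantine-VLAN idea: every device starts in a quarantine VLAN and
is moved to the production VLAN only if its posture report satisfies policy.
All VLAN ids, field names, thresholds and sample data below are constructed.
"""
from dataclasses import dataclass
from datetime import date

QUARANTINE_VLAN = 999  # assumed: sees only the internet and the admission server
PRODUCTION_VLAN = 10   # assumed: the corporate LAN


@dataclass
class Posture:
    """What the admission server learns about a device (constructed schema)."""
    device_id: str
    os_patch_date: date       # date of the newest OS patch installed
    av_installed: bool
    av_engine_version: str    # e.g. "4.2.1"; may be malformed on odd kit
    av_signature_date: date   # date of the newest virus signature file


@dataclass
class Policy:
    """Admission thresholds (constructed values, not a vendor default)."""
    max_os_patch_age_days: int = 30
    min_av_engine: tuple = (4, 2, 0)
    max_signature_age_days: int = 3


def parse_version(text: str) -> tuple:
    """'4.2.1' -> (4, 2, 1); raises ValueError on anything else."""
    return tuple(int(part) for part in text.strip().split("."))


def evaluate(posture: Posture, policy: Policy, today: date):
    """Return (vlan, reasons). An empty reasons list means the device is admitted."""
    reasons = []
    if (today - posture.os_patch_date).days > policy.max_os_patch_age_days:
        reasons.append("os-patches-stale")
    if not posture.av_installed:
        reasons.append("no-anti-malware")
    else:
        try:
            engine = parse_version(posture.av_engine_version)
            if engine < policy.min_av_engine:
                reasons.append("av-engine-outdated")
        except ValueError:
            # Fail closed: a report we cannot interpret is not proof of health.
            reasons.append("av-version-unparseable")
        if (today - posture.av_signature_date).days > policy.max_signature_age_days:
            reasons.append("av-signatures-stale")
    vlan = PRODUCTION_VLAN if not reasons else QUARANTINE_VLAN
    return vlan, reasons


def run_admission(devices, policy: Policy, today: date) -> dict:
    """Evaluate every device and return {device_id: (vlan, reasons)}."""
    return {d.device_id: evaluate(d, policy, today) for d in devices}


# Constructed sample posture reports for a single day of admissions.
TODAY = date(2017, 3, 1)
SAMPLE_DEVICES = [
    Posture("alice-laptop", date(2017, 2, 20), True, "4.3.0", date(2017, 2, 28)),
    Posture("bob-tablet", date(2016, 12, 1), True, "4.2.5", date(2017, 3, 1)),
    Posture("carol-phone", date(2017, 2, 25), False, "", date(2017, 2, 25)),
    Posture("dave-laptop", date(2017, 2, 27), True, "3.9.9", date(2017, 2, 20)),
    Posture("erin-netbook", date(2017, 2, 27), True, "v4?", date(2017, 3, 1)),
]
DEFAULT_POLICY = Policy()

if __name__ == "__main__":
    for device_id, (vlan, reasons) in run_admission(
        SAMPLE_DEVICES, DEFAULT_POLICY, TODAY
    ).items():
        state = "admitted" if vlan == PRODUCTION_VLAN else "quarantined"
        print(f"{device_id:14} vlan={vlan:<4} {state} {' '.join(reasons)}")
```

Running it prints one line per device with the VLAN it landed in and why; only alice-laptop reaches the production VLAN. In a real deployment the posture report comes from an agent or an 802.1X/NAC exchange rather than a dataclass, but the shape of the decision, and the fail-closed handling of bad reports, is the part that matters.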
An alternative is to decide that anything BYOD needs to stay outside the network completely, and act simply as a dumb terminal to the corporate system. You generally achieve this using some kind of virtual desktop à la Citrix or VMware. Again this is non-trivial and not cheap: it needs hardware, software, knowledge and maintenance. Getting the kit to talk to the network is non-trivial too, then.