BYOD: Manage the Band, not the Box

This post was originally published in a longer form on trevorpott.com on April 7, 2012.

 

I have recently been involved in an interesting debate focused on the concept of “bring your own device” computing (BYOD).  I argue that no company will go out of business implementing BYOD, while others argue strenuously against the entire concept except under very narrowly limited circumstances.

Previous iterations of the argument focused on the costs of BYOD (is it cheaper?), the security (isn’t BYOD a security threat?), demand from end users, and possible resistance from IT.

I make the argument in the latter case that there are enough unemployed IT guys out there right now that resistance from IT is functionally irrelevant.  IT operations staff are functionally disposable; there are so many of us that for every one you fire a dozen more are willing to step into the position.  That varies by region, but I feel that on a global scale this is largely accurate.

IT staffing deficiencies are largely in development, Big Data, niche virtualisation deployments, Metal as a Service (MaaS) or in specialisations such as CCIEs, high-end storage and so forth.  Sysadmins are a dime a dozen, and this is a fundamental premise to be borne in mind when reading the below.

BYOD policy MAY be more expensive, but this is not guaranteed.  There are many high profile examples of successful deployments.  (Intel and Google spring to mind.)  Thus when the business side of the company comes to IT and says “make it happen,” they know it’s possible.  The question is “do your extant IT staff have the skill to pull it off properly?”

If they don’t, you fire them and you get new IT staff.

Think Small

Most businesses are small and medium enterprises.  They aren’t running 1000 seats and they don’t need their data screwed down tighter than Fort Knox.  In fact, on the lower end of the SME side of life, the time has come for them to bid adieu to their IT departments altogether.  They can have IT delivered to them as a service cheaper and more securely than they are getting it now.

One argument against BYOD is that “you must open up more information to the internet.”  I’m going to call bollocks here.  Done even halfway competently, BYOD allows you tighter control of your information than most businesses currently have.

Let’s consider the average SME today.  The average SME today has one (maybe two) overworked sysadmins.  When they are not trying to prop up the ancient servers, they are rebuilding (again) some desktop or stuck on some support call with a user who can’t remember that “clicking” and “double clicking” are different.

These companies exist in an environment where half the company runs as local administrators because – despite warnings from IT against these behaviours – alternative methods are simply less convenient.  SMEs are companies where the IT is in nearly every case not “proper” to begin with.  They aren’t set up by whitepaper and they aren’t managed and locked down like a Fortune 500 company.

There are orders of magnitude more of these companies than there are organisations that are “doing it right” today.

Let’s centralise that

So what does a BYOD approach built on Virtual Desktop Infrastructure (VDI) and Software as a Service (SaaS) bring?  Well, first off it allows you to put everything in a single location.  No information arriving or departing by USB stick, CD, DVD or any other physical manner.  The endpoints don’t get to talk to the core network unless they are locked down.  Everything else comes through an RDP session.

I’ve been running VDI on dozens of SMEs since 2005, and in all but one case, I haven’t had a single person notice that they can’t move files off the network (except through the internet) yet!  They just don’t care.  Everything they’d want to do with those files they can; through RDP.  (Yes, we block RDP file transfer, USB pass-through, etc.)
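
An added example, not part of the original post: a PowerShell audit of the redirection blocks mentioned above, run on the Windows session host that users RDP into. It assumes the blocks are set through the Remote Desktop Services Group Policy registry values; the function name Get-RdpRedirectionAudit is hypothetical. The check is made on the server because a user-owned client's own RDP settings cannot be trusted to enforce anything.

```powershell
# Added example: audit which RDP redirection channels are blocked by policy
# on a session host. A value of 1 means the channel is blocked; a missing
# value or 0 means policy does not enforce the block.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Group Policy registry value names for Remote Desktop Services redirection.
$channels = [ordered]@{
    fDisableCdm      = 'Drive redirection (file transfer)'
    fDisableClip     = 'Clipboard redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisableCpm      = 'Printer redirection'
}

function Get-RdpRedirectionAudit {
    param([string]$PolicyKey = $key)

    # The key is absent when no Remote Desktop Services policy has been applied.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    foreach ($name in $channels.Keys) {
        $value = if ($policy -and $null -ne $policy.$name) { $policy.$name } else { $null }
        [pscustomobject]@{
            Channel = $channels[$name]
            Value   = $name
            Setting = if ($null -eq $value) { 'not configured' } else { $value }
            Blocked = ($value -eq 1)
        }
    }
}

$audit = Get-RdpRedirectionAudit
$audit | Format-Table -AutoSize

# Fail the run if any channel is still open, so the check can gate a build
# of the VDI image or run as a scheduled compliance task.
$open = @($audit | Where-Object { -not $_.Blocked })
if ($open.Count -gt 0) {
    Write-Warning ("{0} redirection channel(s) not blocked by policy: {1}" -f `
        $open.Count, ($open.Channel -join '; '))
    exit 1
}
```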

AHA, you say!  A weakness in his argument!  They can move files around using the internet! We must prevent this at all costs!

Bah. This is what IDSes are for.  Check out Palo Alto Networks, for example (http://www.paloaltonetworks.com/index.php).  They have IDS/IDP systems that outclass everything everyone else can bring to bear in this space: dirt cheap, application aware, and simple to configure.  Even my precious Linux boxes configured as network-sniffing IDS/IPS systems simply can’t compete.

Suddenly, I can manage the band instead of the box.  Sure, you can move information off the network using the internet, but I can monitor and restrict it with an appliance: a simple plug-and-play appliance that a twelve-year-old could manage.  Here is a great example of the commoditisation of IT.  What 10 years ago was deep voodoo now comes in a nice pre-canned box that simply does the thing for you.

So now we’ve got a great big ball of everything living in the datacenter, maybe with a few select SaaSy apps on the web.  It all goes through an awesome IDS/IPS which allows me to filter it, and I even work with my SaaS providers to ensure that our instances of the SaaSy applications have logins restricted to selected IPs.

The only way you are getting information off of this network is to take a photograph of someone’s screen while they are RDPed in.  If you are honestly concerned about this; if this is a legitimate security threat to you, then you are either dangerously paranoid, or you work in the kind of organisation that has enough qualified and competent IT personnel that you should be talking to them about this topic instead of reading my blog.  (Suffice it to say that even this risk is one that can be mitigated using any of a number of different technologies.)  This is a realm of infosec paranoia that is simply out of scope of this post.

I want my computer, and my data too!

The inevitable argument is “well, that’s not true BYOD!  In a real BYOD environment, people can use files on their computers!”

Quite right.

But that’s where BYOD gives awesome options.  Most people don’t need this, so they can (and will) use RDP.  If you want to do things local to your system, then you have to accept some restrictions.  Management software has to be put on your PC, and it will restrict what you are able to do.  Mobile Device Management for the cell phones and tablets, Puppet for Macs and Linux boxen and Active Directory join for my Windows boxes.

The choice is up to the end user.  BYOD and third-party management software have allowed me to provide greater security than I would otherwise be allowed to provide by the business owners under a more traditional model.  Why?  Because BYOD gets the convenience part of the security/convenience equation right.

Not the bogeyman

The argument that BYOD is usually/probably “bad” is rooted in several assumptions that just don’t hold true for the vast majority of the world.  The first: that BYOD is being implemented in an environment that is properly set up already.  This is almost never the case.  The second: that IT has the kind of pull within an organisation that they can set things up properly and manage by fiat and edict.  Again; when are you from, 2000?

In these organisations, BYOD is probably not a consideration.  IT still has their little empire, and they will viciously and vociferously defend it against all comers.  Here, we have the talent and knowledge to pull off BYOD properly if they so choose, but they won’t if they can possibly avoid it.

And frankly, who cares?  These companies have something that works: proper security. They just don’t get any real benefit from BYOD beyond staff retention and a modification of CAPEX as a line item.  BYOD will cost them more than their current setup if for no other reason than that you will have to cram it down the throats of IT.

So we have proven that BYOD is not a magic solution for all companies in all cases.  Who has ever claimed that it was? My previous arguments on this topic have argued – quite simply – that no company is going to go out of business for deploying it.  SMEs either have or they don’t have the talent to deploy this.  If they do, then their guys will probably jump all over it as a chance to (finally) do some real security in the enterprise.  If they don’t, then they will bring in consultants/contractors – myself, say – who know this stuff cold and deliver the transition as a proper service.

If the company is large enough (and with a well enough set up extant IT apparatus) that the benefits of BYOD are marginal to begin with, then they already have the IT guys who are fully capable of pulling this off properly and securely, should they choose to do so.

BYOD is not a risk.  It isn’t a security threat.  It isn’t a disaster waiting to happen and it isn’t automatically – or even in most cases – a negative approach to computing.  Quite the opposite; for the vast majority of organisations it provides the opportunity to significantly simplify their IT delivery.