BYOD: don't let the dream turn into a nightmare

Most vendors and analysts agree: you can’t avoid BYOD (bring your own device). But despite all the excitement about letting people use whatever smartphones, tablets, convertibles or latest thingamajig they want at work, many businesses are still wary of the BYOD trend. Some organisations, by necessity, just cannot adopt BYOD …

  1. Anonymous Coward
    Anonymous Coward

    Good article

    Absolutely agree that policy needs to come before technology. Otherwise you pick the tech that you think will work based on assumptions of what you think users want, and what the business will allow.

    Set up a policy on the basis that users WILL use their own devices, but make it appropriate to your organisation. CYOD will only work if you provide devices people want to use. You will lose staff to organisations that are less restrictive if you're not careful. If the policy means no data is ever stored on the device, then that's fine. If it means users have to use 2FA to access sensitive data, then make that the policy. But allow the policy to match expectations, then implement a technology that supports the policy.

    Sticking your head in the sand and saying no users can access the data remotely ignores the fact that they will find a way, and unless you provide them a way to do it safely, the way they choose will certainly not be one you have any control over.

  2. Pen-y-gors

    Simple solution

    Of course you let people BYOD - but under no circumstances should they ever be allowed to connect to a company network with it or store company data on it. If they want to browse the company website, no problem.

  3. Anonymous Coward
    Trollface

    I don't know why they're worried about buggy/insecure clients - Windows tablets aren't catching on.

  4. Anonymous Coward
    Anonymous Coward

    No other choice but to use BYOD

    because the crippled network blocks Skype, which we use when setting up tests with our customers.

    because the corporate browser is IE8 (nuff said)

    because all webmail access is blocked

    Yes it allows Facebook, Twitter and YouTube.

    because the crippled laptop we are issued with is so locked down we can't create a VM on the internal HDD even though we have VMWare Workstation installed.

    etc

    etc

    etc

    So a laptop with a 3G dongle is the order of the day.

    {thankfully the boss understands this and pays for the SIM}

    1. Anonymous Coward
      Anonymous Coward

      @AC - Re: No other choice but to use BYOD

      No, it's not the way to go! At my current workplace I've been patiently waiting for more than three weeks until they allowed me to install the Webex plugin on my locked-down PC. During this time our manager was becoming increasingly impatient about the incident I had opened with the provider for one of our applications, so he was the one begging the security teams to grant me local admin rights. Bringing my own PC would have triggered a security incident and would have had me fired on the spot. Paying me for doing nothing will always force my employer to be creative about giving me the right tools for my job.

  5. Anonymous Coward
    Anonymous Coward

    "Most vendors and analysts agree: you can’t avoid BYOD (bring your own device). "

    Uh, yes it can.

    1. Anonymous Coward
      Anonymous Coward

      You didn't get it!

      It is about vendors of all gadgetry and mobile bling and they are categorical, you must not avoid BYOD.

  6. Anonymous Coward
    Anonymous Coward

    Either wifi locked to mac addresses meaning only authorised devices on company network (previous company) or (as current company) have a wifi network completely separate from corp LAN. You want LAN access over wifi in the building (from your work laptop) you have to VPN in.

    Sure you could still get a BYOD device physically plugged in unless you do complete mac address level access, as they had at an investment bank I worked at. But either of the above stops most tablets and phones connecting to the corp network.

    1. Anonymous Coward
      Anonymous Coward

      "But either of the above stops most tablets and phones connecting to the corp network"

      And neither of the above is more than a slight annoyance for a lowly capable attacker. All those measures are "tick box" preventions, which may make auditors happy, but don't avoid someone above the simplest level to go and enter your network at will.

    2. Anonymous Coward
      Anonymous Coward

      wifi locked to mac addresses

      Wow. I don't know about on Windows, but MAC addresses are easily changeable - please don't do that (I know you're not, but there are plenty of low calibre IT admins on here who'll read that).

      But yes, wifi on the visitor lan then VPN in, definitely - that way you need to go through the same security any other bugger on the Internet has to - wifi won't give an attacker anything they haven't got already.

      One place I was at, there was no wifi at all. Fair enough, good security in theory. Unfortunately, you'll then get dick heads working around it by sneaking in access points somewhere - using consumer grade security, if at all.

      1. Anonymous Coward
        Anonymous Coward

        Easy pie!

        Make an example of one or two of those so called dick heads. Fire them and bring them in front of a judge for non-authorized access, especially if you happen to live in the US of A. Make a short movie and make it mandatory for the rest of employees to watch it.

      2. Pascal Monett Silver badge
        Headmaster

        Re: "I don't know about on Windows, but MAC addresses are easily changeable"

        I think you are confused on the term. A MAC address is not the address of an Apple machine, it is the Media Access Control number of the network chip in anything that connects to a network.

        Thus Windows machines have MAC addresses too.

        1. Anonymous Coward
          Anonymous Coward

          Re: "I don't know about on Windows, but MAC addresses are easily changeable"

          Oh sorry for the confusion - that's quite funny. I did mean "MAC address", not "a Mac's address". You've made me feel like a Windows user, now!

          I meant I don't know if the MAC (as in layer 2) address was easy to change in Windows (or even a Mac, for that matter). Back in my day, on Windows you had to reboot just to change the hostname.

      3. Anonymous Coward
        Anonymous Coward

        >Wow. I don't know about on Windows, but MAC addresses are easily changeable - please don't do that (I know you're not, but there are plenty of low calibre IT admins on here who'll read that).

        >And neither of the above is more than a slight annoyance for a lowly capable attacker.

        You both miss the point somewhat... This is about employees bringing in devices, finding out the wifi password from someone and then connecting their own device to your wifi. Put on filtering by MAC address and bang this stops Frank in the warehouse being a dick on your network. Of course it will not stop attacks but then that wasn't what the article was about... Key 4 letters are BYOD and key words are 'at work' ....

        1. Anonymous Coward
          Anonymous Coward

          Put on filtering by MAC address and bang this stops Frank in the warehouse being a dick on your network

          Sorry, no. That's bad.

          A few years ago, I used to be "Frank in the warehouse" (my name isn't Frank, but I worked in a warehouse - and I'm still a dick...). I'm also waffling on here about how MAC (hardware) addresses can be easily spoofed.

          My point? Attacks can come from anywhere. There will always be dicks like me who will spot a poorly secured system and utilise it... mostly for a geek triumph, sometimes to prove a point - but only if it's maintained by (supposedly) professionals.

  7. Anonymous Coward
    Anonymous Coward

    There's an essential contradiction here

    And it lies in the "Y" part of BYOD. "Your" own device by definition is yours. Yours too is the data that you put there. So unless there is a way of clearly separating both, the problem is unsolvable.

    In the end "BYOD" is the pinnacle of shadow IT. BYOD happens for one single reason: people get frustrated because their IT work tools are not good enough, especially in comparison to their day-to-day use of consumer IT.

    BYOD is a capitulation from corporate IT. Not that it is necessarily a bad thing, but it has to be treated as such.

    1. Number6

      Re: There's an essential contradiction here

      My device, my rules. I don't use my phone for company business (I haven't even given them the phone number, so they can't call me on it) and when at work, it connects to the guest wifi. I don't always like the IT security policy but I understand why they see fit to implement one (and I've had anything from complete freedom to do what I want to having to ask for approval for any changes to my desktop PC).

    2. Anonymous Coward
      Anonymous Coward

      Re: There's an essential contradiction here

      "their IT work tools are not good enough" meaning they can't install their software, browse the Internet for inappropriate material, use social work networking, play games, use net based email or cloud storage or put pictures of their cat as a wallpaper!

      The organisation I work for refreshes its corporate devices every two years (the latest generation having SSD for fast boot times), has a catalogue of commercial software for all the tasks people are likely to need to do (and will consider any reasonable request to expand said catalogue should you find a task that you really can't do with the tools available). Despite all this, we still get service requests to add personal devices to the network, and reports of attempted device connection that failed. The only possible reason for this is that they want to do one of the above.

      We handle shedloads of highly sensitive personal data. So no, BYOD is not an option. Wifi is locked down to devices already registered in AD, likewise the corporate network. We have a guest wifi but it's for external trainers etc, it requires a password and the password is changed daily. We also use secure email products to ensure that data can't be sent outside the corporate enclosure without encryption and encryption software on all corporate devices so that any USB storage device is automatically encrypted upon connection (you do get one warning that this will likely bonk your camera, phone, etc if you continue).

      You don't have to give in to BYOD; just tell people that they can't have it and ensure they can't work around it. After all, they'd be the ones screaming if it was their personal data that had just been leaked...

  8. Brewster's Angle Grinder Silver badge

    If "careless employees find ways to circumvent [your security] controls" you thank them for acting as unpaid pen testers.

  9. SVV

    The acronym should really be BYEHWYW

    Buy your employer's hardware with your wages.

  10. Alex Brett

    Surely NAS is the answer?

    No I don't mean storage, but a Network Access Server, which is where the 'network' (normally the switch in consultation with a backend service) decides whether to grant you access (normally put you on the right vlan) if you comply with the business requirements around AV etc...

    Having said that, in a lot of cases people's personal machines may be more secure than company laptops, which have nothing more than the default Windows firewall to protect them when off the network, and the user having no permissions to do anything more stringent...

    1. Anonymous Coward
      Anonymous Coward

      Re: Surely NAS is the answer?

      NAC should be part of a BYOD solution. You get internet access unless you meet the requirements (AV, patched up to date, management client installed etc).

      1. Anonymous Coward
        Anonymous Coward

        @Should b Working - Re: Surely NAS is the answer?

        Dead wrong!

        You only get access to a remediation VLAN where you can update your AV, management tools and patch your Windows.
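The posture-based VLAN assignment sketched across this sub-thread (NAS/NAC checks AV, patch level and management client; non-compliant managed devices land on a remediation VLAN; unregistered devices get Internet only), as an added illustration that is not from the article or any commenter. The posture fields, thresholds and VLAN names are assumptions, and the sample devices are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# VLAN names and thresholds are assumptions for this illustration.
CORP_VLAN = "corp"                  # full LAN access
REMEDIATION_VLAN = "remediation"    # reaches only AV/patch/management servers
GUEST_VLAN = "guest"                # Internet only; LAN access needs the VPN
MAX_AV_SIGNATURE_AGE_DAYS = 3
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Posture:
    """What a NAC agent or posture backend would report for one device."""
    registered_in_directory: bool        # device object exists in AD
    mgmt_agent_installed: bool
    av_signature_date: Optional[date]    # None = no antivirus found
    last_patch_date: Optional[date]      # None = never patched


def decide(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return the VLAN the switch should assign, plus any remediation reasons."""
    # Unregistered (personal) devices never reach the corporate LAN: Internet only.
    if not p.registered_in_directory:
        return GUEST_VLAN, ["device not registered in directory"]
    reasons: List[str] = []
    if not p.mgmt_agent_installed:
        reasons.append("management client missing")
    if p.av_signature_date is None:
        reasons.append("no antivirus detected")
    elif (today - p.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures out of date")
    if p.last_patch_date is None or (today - p.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patches out of date")
    # Managed but non-compliant devices are parked where they can fix themselves
    # and be re-evaluated, rather than dropped on the Internet-only VLAN.
    return (REMEDIATION_VLAN if reasons else CORP_VLAN), reasons


def sample_run() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample devices (not real data), evaluated as of a fixed date."""
    today = date(2024, 6, 1)
    devices = {
        "personal-phone": Posture(False, False, None, None),
        "stale-laptop": Posture(True, True, date(2024, 5, 20), date(2024, 5, 15)),
        "compliant-laptop": Posture(True, True, date(2024, 5, 31), date(2024, 5, 15)),
    }
    return {name: decide(p, today) for name, p in devices.items()}
```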

  11. ecofeco Silver badge

    BULLSHIT

    "Most vendors and analysts agree: you can’t avoid BYOD (bring your own device)".

    Bullshit self promotion.

    Yes, yes you can and vigorously should ban BYOD under penalty of job loss for those who refuse.

    That is the professional advice and best practices of REAL network admins and directors. Not snake oil salesmen.

    1. Ian Johnston Silver badge

      Re: BULLSHIT

      That is the professional advice and best practices of REAL network admins and directors. Not snake oil salesmen.

      Nah, it's appropriate advice for a very small number of companies and paranoid, will-nobody-think-of-the-child job-preserving bullshit for most. The average university has upwards of ten thousand privately owned devices connected daily, and nobody dies as a result.

      1. Anonymous Coward
        Anonymous Coward

        @Ian Johnston - Re: BULLSHIT

        Your example is BS because university students are not employees and because universities are not subjected to financial/energy/manufacturing regulations. Oh and also because those privately owned devices are not managed by IT staff with tight SLAs.

      2. Pascal Monett Silver badge

        @Ian Johnston

        Universities. That is your justification.

        So tell me, what corporate data do Universities deal with on a daily basis ? How much consumer data do they process ? And how does my banking data get into their hands ?

        Oh, none of any of the above. So you might as well have mentioned schools in Africa as far as the relevance of your example is concerned.

        1. Michael Wojcik Silver badge

          Re: @Ian Johnston

          So tell me, what corporate data do Universities deal with on a daily basis?

          Universities are businesses. Some of them are very large businesses indeed. The physical plant for Michigan State University dwarfs that of any business I've ever worked for, except IBM's. MSU has more employees than many large corporations. It has a huge number of internal budgets and deals with a vast number of external accounts.

          How much consumer data do they process?

          A lot. What's your unit?

          And how does my banking data get into their hands?

          I don't know about your banking data, but universities in the US generally do a lot of payroll by direct deposit, and let students pay tuition and fees by ECH and often by credit/debit card. Universities here typically run a variety of on-campus stores (MSU has hundreds of them). And so on.

          Now, we can hope that universities use separate virtual networks for business data and Internet access. (Many, like MSU, also have a separate VPN for guest Internet access.) But they potentially have the same sorts of data exposures as private businesses do, because they are businesses.

          (Really, I'm amazed this needs to be explained. How do you think universities work?)

      3. Vinyl-Junkie
        Facepalm

        Re: BULLSHIT

        @Ian Johnston. I think you'll find that the network to which users can connect their BYOD in a university is not the one on which staff payroll, student medical details etc are stored...

    2. Anonymous Coward
      Meh

      Re: BULLSHIT

      Where I am, if you connect any BYOD to the works network you will be lucky not to be hung, drawn and quartered, with the quarters buried at separate crossroads and your head on a spike "to discourage the others". All USB ports are blocked and even charging your own device is considered (technically correctly) theft.
