I have recently been involved in an interesting debate focused on the concept of “Bring your own device” computing. I argue that no company will go out of business implementing BYOD, while others argue strenuously against the entire concept excepting under very narrowly limited circumstances.
Previous iterations of the argument focused on the costs of BYOD (is it cheaper?) the security (isn’t BYOD a security threat?) demand from end users and/or resistance from IT.
I make the argument in the latter case that there are enough unemployed IT guys out there right now that resistance from IT is functionally irrelevant. IT operations staffs are functionally disposable; there are so many of us that for every one you fire a dozen more are willing to step into the position. That varies by region, but I feel that on a global scale this is largely accurate.
IT staffing deficiencies are largely in development, Big Data, niche virtualisation deployments, Metal as a Service (MaaS) or in specialisations such as CCIEs, high-end storage and so forth. Sysadmins are a dime a dozen, and this is a fundamental premise to be borne in mind when reading the below.
BYOD policy MAY be more expensive, but this is not guaranteed. There are many high profile examples of successful deployments. (Intel and Google spring to mind.) Thus when the business side of the company comes to IT and says “make it happen,” they know it’s possible. The question is “do your extant IT staff have the skill to pull it off properly?”
If they don’t, you fire them and you get new IT staff.
Most businesses are small and medium enterprises. They aren’t running 1000 seats and they don’t need their data screwed down tighter than Fort Knox. In fact, on the lower end of the SME side of life, the time has come for them to bid adieu to their IT departments altogether. They can have IT delivered to them as a service cheaper and more securely than they are getting it now.
One argument against BYOD is that “you must open up more information to the internet.” I’m going to call bollocks here. Done even halfway competently, BYOD allows you tighter control of your information than most businesses currently have.
Let’s consider the average SME today. The average SME today has one (maybe two) overworked sysadmins. When they are not trying to prop up the ancient servers, they are rebuilding (again) some desktop or stuck on some support call with a twit who can’t remember that “clicking” and “double clicking” are different.
These companies exist in an environment where half the company runs as local administrators because – despite their warnings against these behaviours by IT – alternative methods are simply less convenient. SMEs are companies where the IT is in nearly every case not “proper” to begin with. They aren’t set up by whitepaper and they aren’t managed and locked down like a fortune 500 company.
There are orders of magnitude more of these companies than there are organisation who are “doing it right” today.
Let’s centralise that
So what does a BYOD with VDI and SaaS approach bring? Well, first off it allows you to put everything in a single location. No information arriving or departing by USB stick, CD, DVD or other physical manner. The endpoints don’t get to talk to the core network unless they are locked down. Everything else comes through an RDP session.
I’ve been running VDI on dozens of SMEs since 2005, and in all but one case, I haven’t had a single person notice that they can’t move files off the network (except through the internet) yet! They just don’t care. Everything they’d want to do with those files they can; through RDP. (Yes, we block RDP file transfer, USB pass-through, etc.)
AHA, you say! A weakness in his argument! They can move files around using the internets! The internets are scary and filled with lolcats! We must prevent this at all costs!
Bah, I say. This is what IDSes are for. Have you met Palo Alto networks? (http://www.paloaltonetworks.com/index.php). They have IDS/IDP systems that wreck everything everyone else can bring to bear in this space. Dirt cheap, application aware, simple to configure. Even my precious Linux boxen configured as network-sniffing IDS/IPS systems simply can’t compete.
Suddenly, I can manage the band instead of the box. Sure, you can move information off the network using the internet, but I can monitor and restrict it with an appliance. A simple plug-and-play appliance that a twelve year old could manage. Here is a great example of the commoditisation of IT. What 10 years ago was deep voodoo now comes in a nice pre-canned box that simply does the thing for you.
So now we’ve got a great big ball of everything living in the datacenter, maybe with a few select SaaSy apps on the web. It all goes through an awesome IDS/IPS which allows me to filter it, and I even work with my SaaS providers to ensure that our instances of the SaaSy applications have logins restricted to selected IPs.
The only way you are getting information off of this network is to take a photograph of someone’s screen while they are RDPed in. If you are honestly concerned about this; if this is a legitimate security threat to you, then you are either dangerously paranoid, or you work in the kind of organisation that has enough qualified and competent IT personnel that you should be talking to them about this topic instead of reading my blog. (Suffice it to say that even this risk is one that can be mitigated using any of a number of different technologies.) This is a realm of infosec paranoia that is simply out of scope of this post.
I want my computer, and my data too!
The inevitable argument is “well, that’s not true BYOD! In a real BYOD environment, people can use files on their computers!”
But that’s where BYOD gives awesome options. Most people don’t need this, so they can (and will) use RDP. If you want to do things local to your system, then you have to accept some restrictions. Management software has to be put on your PC, and it will restrict what you are able to do. Mobile Device Management for the cell phones and tablets, Puppet for Macs and Linux boxen and Active Directory join for my Windows boxes.
The choice is up to the end user. BYOD and third-party management software has allowed me to provide greater security than I would otherwise be allowed to provide by the business owners under a more traditional model. Why? Because BYOD gets the convenience part of the security/convenience equation right.
The argument that BYOD is usually/probably “bad” is rooted in several assumptions that just don’t hold true for the vast majority of the world. The first: that BYOD is being implemented in an environment that is properly setup already. This is almost never the case. The second, that IT has the kind of pull within an organisation that they can set things up properly and manage by fiat and edict. Again; when are you from, 2000?
Circle the wagons
In these organisations, BYOD is probably not a consideration. IT still has their little empire, and they will viciously and vociferously defend it against all comers. Here, we have the talent and knowledge to pull off BYOD properly if they so choose, but they won’t if they can possibly avoid it.
And frankly, who cares? These companies have something that works, proper security…they just don’t get any real benefit from BYOD beyond staff retention and a modification of CAPEX as a line item. BYOD will cost them more than their current setup if for no other reason that you will have to cram it down the throats of IT.
In such a scenario, IT will make the entire project as miserable as possible, most going to far as to actively sabotage it. Unless the company is willing to functionally jettison their entire IT department (some have) in order to see the project through – and thus changing how IT is delivered across the company – BYOD holds no value.
Fine, cool. Wunderbar. We have proven that BYOD is not a magic solution for all companies in all cases. Who has ever claimed that it was?
My previous arguments on this topic have argued – quite simply – that no company is going to go out of business for deploying it. SMEs either have or they don’t have the talent to deploy this. If they do have, then their guys will probably jump all over it as a chance to (finally) do some real security in the enterprise. If they don’t, then they will bring in consultants/contractors – myself, say – who know this stuff cold and deliver the transition as a proper service.
If the company is large enough (and with a well enough set up extant IT apparatus) that the benefits of BYOD are marginal to begin with, then they already have the IT guys who are fully capable of pulling this off properly and securely, should they choose to do so.
BYOD is not a risk. It isn’t a security threat. It isn’t a disaster waiting to happen and it isn’t automatically – or even in most cases – a negative approach to computing. Quite the opposite, for the vast majority of organisations it provides the opportunity to significantly simplify their IT delivery.
BYOD offers the chance to properly secure the IT of these organisations; what’s more, it offers the chance to do both in a convenient way that won’t see the sort of end user and management push-back that results in insecure IT in the first place.
Just who are you, really? And why are you here?
More interesting to me are those organisations that steadfastly and ardently resist BYOD. What else are they resisting? How “integrated into the needs of the business” are these fiefdoms of nerdly hegemony?
Are they organisations that practice DevOps? Or are they siloed, each department peering over the rafters with a suspicious eye at the next, carefully protecting their budgets? Are these departments agile? Capable of adapting rapidly to changing demands? Or are they rigid, inflexible, with a well established “change request system” whose primary function is to prevent change through the implementation of excess bureaucracy?
Are these IT departments that care about the good of the company, or is “them” separate from “us?” Are they providing optimal service to the business with their extant systems, or are they an anchor that has to be tugged at any time change needs to occur?
In my personal experience, IT departments that are most integrated with the needs of the businesses are ones that were doing DevOps before DevOps had a name. They are ones where the head sysadmin isn’t just a sysadmin, but is in fact a full participant of the business-side meetings. IT in these organisations helps plan company strategy and has the corporate security clearance to know what’s coming down the pipe. This close integration allows IT to plan to meet business needs not just now, but 6 months, a year, 5 years from now.
IT delivery in these agile organisations is shaped not against a whitepaper, or to protect someone’s job…but to meet the exacting and specific requirements of the business in the most efficient possible way. IT here isn’t a department, and they aren’t a “cost center.” They aren’t a silo or an empire. They are part of the team. They work hard to make the business perform, and they are rewarded accordingly.
IT in these agile organisations isn’t really “IT” at all. They aren’t grunts twiddling with boxes and networks, they are fully fledged members of the management hierarchy. The IT services they provide are generally either off-the-shelf pre-canned appliances, provided by contracts that the internal IT department project managed, or are customer in-house solutions developed and maintained in a DevOps style.
Also in my experience, the larger the company gets, the LESS likely it is that this sort of agility and business-line integration exists within the IT department. And again, also in my experience, the IT departments that have this level of integration with the business would read this post and laugh their asses off.
They’d laugh because they went BYOD before BYOD had a name. These sorts of integrated, agile IT departments didn’t implement BYOD to jump on a trend. They implemented BYOD so they could get out of the businesses of playing nursemaid to endpoints and focus on the business of growing the business itself.