drink the sweet feeling of the colour zero

BYOD: Manage the band, not the box


I have recently been involved in an interesting debate focused on the concept of “Bring your own device” computing.  I argue that no company will go out of business implementing BYOD, while others argue strenuously against the entire concept excepting under very narrowly limited circumstances.

Previous iterations of the argument focused on the costs of BYOD (is it cheaper?), the security (isn’t BYOD a security threat?), demand from end users and/or resistance from IT.

I make the argument in the latter case that there are enough unemployed IT guys out there right now that resistance from IT is functionally irrelevant.  IT operations staffs are functionally disposable; there are so many of us that for every one you fire a dozen more are willing to step into the position.  That varies by region, but I feel that on a global scale this is largely accurate.

IT staffing deficiencies are largely in development, Big Data, niche virtualisation deployments, Metal as a Service (MaaS) or in specialisations such as CCIEs, high-end storage and so forth.  Sysadmins are a dime a dozen, and this is a fundamental premise to be borne in mind when reading the below.

BYOD policy MAY be more expensive, but this is not guaranteed.  There are many high profile examples of successful deployments.  (Intel and Google spring to mind.)  Thus when the business side of the company comes to IT and says “make it happen,” they know it’s possible.  The question is “do your extant IT staff have the skill to pull it off properly?”

If they don’t, you fire them and you get new IT staff.

Think Small

Most businesses are small and medium enterprises.  They aren’t running 1000 seats and they don’t need their data screwed down tighter than Fort Knox.  In fact, on the lower end of the SME side of life, the time has come for them to bid adieu to their IT departments altogether.  They can have IT delivered to them as a service cheaper and more securely than they are getting it now.

One argument against BYOD is that “you must open up more information to the internet.”  I’m going to call bollocks here.  Done even halfway competently, BYOD allows you tighter control of your information than most businesses currently have.

Let’s consider the average SME today.  The average SME today has one (maybe two) overworked sysadmins.  When they are not trying to prop up the ancient servers, they are rebuilding (again) some desktop or stuck on some support call with a twit who can’t remember that “clicking” and “double clicking” are different.

These companies exist in an environment where half the company runs as local administrators because – despite their warnings against these behaviours by IT – alternative methods are simply less convenient.  SMEs are companies where the IT is in nearly every case not “proper” to begin with.  They aren’t set up by whitepaper and they aren’t managed and locked down like a fortune 500 company.

There are orders of magnitude more of these companies than there are organisations who are “doing it right” today.

Let’s centralise that

So what does a BYOD with VDI and SaaS approach bring?  Well, first off it allows you to put everything in a single location.  No information arriving or departing by USB stick, CD, DVD or other physical manner.  The endpoints don’t get to talk to the core network unless they are locked down.  Everything else comes through an RDP session.

I’ve been running VDI on dozens of SMEs since 2005, and in all but one case, I haven’t had a single person notice that they can’t move files off the network (except through the internet) yet!  They just don’t care.  Everything they’d want to do with those files they can; through RDP.  (Yes, we block RDP file transfer, USB pass-through, etc.)
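For the “we block RDP file transfer, USB pass-through, etc.” part of that setup, here is an added audit script (my own example, not something from the original post) that checks a Windows session host or VDI template for the standard Terminal Services redirection policies. The registry path and value names are the ones the “Device and Resource Redirection” Group Policy settings write; the function names and the output layout are assumptions of this example.

```powershell
# Added example (not from the original post): audit the RDP redirection
# lockdown on a Windows session host / VDI gold image. The policy path and
# value names are the standard Terminal Services policy registry values;
# the function names and report shape are this example's own choices.
$TsPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each redirection channel that lets data leave the RDP session,
# keyed by the policy value that disables it (1 = disabled).
$RedirectionControls = @{
    'fDisableCdm'      = 'Drive (file) redirection'
    'fDisableClip'     = 'Clipboard redirection'
    'fDisablePNPRedir' = 'Plug and Play (USB) device redirection'
    'fDisableCcm'      = 'COM port redirection'
    'fDisableLPT'      = 'LPT port redirection'
    'fDisableCpm'      = 'Client printer redirection'
}

function Test-RdpRedirectionLockdown {
    [CmdletBinding()]
    param([string]$Path = $TsPolicyPath)

    # A missing key or value means the channel is still open (default).
    $current = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in $RedirectionControls.Keys) {
        $value = if ($current) { $current.$name } else { $null }
        [pscustomobject]@{
            Control    = $RedirectionControls[$name]
            PolicyName = $name
            Value      = $value
            LockedDown = ($value -eq 1)
        }
    }
}

function Set-RdpRedirectionLockdown {
    # Local remediation for a standalone host; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $TsPolicyPath)

    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $RedirectionControls.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Set to 1 (disabled)')) {
            Set-ItemProperty -Path $Path -Name $name -Value 1 -Type DWord
        }
    }
}

# Report every channel still open, e.g. before sealing the VDI image.
Test-RdpRedirectionLockdown |
    Where-Object { -not $_.LockedDown } |
    Format-Table Control, PolicyName, Value -AutoSize
```

On a domain-joined host these same values are normally delivered by a GPO (Computer Configuration, Remote Desktop Services, Remote Desktop Session Host, Device and Resource Redirection), so the audit is the useful part there and the local setter is for standalone boxes or image builds.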

AHA, you say!  A weakness in his argument!  They can move files around using the internets!  The internets are scary and filled with lolcats!  We must prevent this at all costs!

Bah, I say.  This is what IDSes are for.  Have you met Palo Alto networks?  (http://www.paloaltonetworks.com/index.php).  They have IDS/IDP systems that wreck everything everyone else can bring to bear in this space.  Dirt cheap, application aware, simple to configure.  Even my precious Linux boxen configured as network-sniffing IDS/IPS systems simply can’t compete.

Suddenly, I can manage the band instead of the box.  Sure, you can move information off the network using the internet, but I can monitor and restrict it with an appliance.  A simple plug-and-play appliance that a twelve year old could manage.  Here is a great example of the commoditisation of IT.  What 10 years ago was deep voodoo now comes in a nice pre-canned box that simply does the thing for you.

So now we’ve got a great big ball of everything living in the datacenter, maybe with a few select SaaSy apps on the web.  It all goes through an awesome IDS/IPS which allows me to filter it, and I even work with my SaaS providers to ensure that our instances of the SaaSy applications have logins restricted to selected IPs.

The only way you are getting information off of this network is to take a photograph of someone’s screen while they are RDPed in.  If you are honestly concerned about this, if this is a legitimate security threat to you, then you are either dangerously paranoid, or you work in the kind of organisation that has enough qualified and competent IT personnel that you should be talking to them about this topic instead of reading my blog.  (Suffice it to say that even this risk is one that can be mitigated using any of a number of different technologies.)  This is a realm of infosec paranoia that is simply out of scope of this post.

I want my computer, and my data too!

The inevitable argument is “well, that’s not true BYOD!  In a real BYOD environment, people can use files on their computers!”

Quite right.

But that’s where BYOD gives awesome options.  Most people don’t need this, so they can (and will) use RDP.  If you want to do things local to your system, then you have to accept some restrictions.  Management software has to be put on your PC, and it will restrict what you are able to do.  Mobile Device Management for the cell phones and tablets, Puppet for Macs and Linux boxen and Active Directory join for my Windows boxes.

The choice is up to the end user.  BYOD and third-party management software has allowed me to provide greater security than I would otherwise be allowed to provide by the business owners under a more traditional model.  Why?  Because BYOD gets the convenience part of the security/convenience equation right.

The argument that BYOD is usually/probably “bad” is rooted in several assumptions that just don’t hold true for the vast majority of the world.  The first: that BYOD is being implemented in an environment that is properly setup already.  This is almost never the case.  The second, that IT has the kind of pull within an organisation that they can set things up properly and manage by fiat and edict.  Again; when are you from, 2000?

Circle the wagons

In these organisations, BYOD is probably not a consideration.  IT still has their little empire, and they will viciously and vociferously defend it against all comers.  Here, we have the talent and knowledge to pull off BYOD properly if they so choose, but they won’t if they can possibly avoid it.

And frankly, who cares?  These companies have something that works, proper security…they just don’t get any real benefit from BYOD beyond staff retention and a modification of CAPEX as a line item.  BYOD will cost them more than their current setup if for no other reason than you will have to cram it down the throats of IT.

In such a scenario, IT will make the entire project as miserable as possible, most going so far as to actively sabotage it.  Unless the company is willing to functionally jettison their entire IT department (some have) in order to see the project through – and thus change how IT is delivered across the company – BYOD holds no value.

Fine, cool.  Wunderbar.  We have proven that BYOD is not a magic solution for all companies in all cases.  Who has ever claimed that it was?

My previous arguments on this topic have argued – quite simply – that no company is going to go out of business for deploying it.  SMEs either have or they don’t have the talent to deploy this.  If they do have, then their guys will probably jump all over it as a chance to (finally) do some real security in the enterprise.  If they don’t, then they will bring in consultants/contractors – myself, say – who know this stuff cold and deliver the transition as a proper service.

If the company is large enough (and with a well enough set up extant IT apparatus) that the benefits of BYOD are marginal to begin with, then they already have the IT guys who are fully capable of pulling this off properly and securely, should they choose to do so.

BYOD is not a risk.  It isn’t a security threat.  It isn’t a disaster waiting to happen and it isn’t automatically – or even in most cases – a negative approach to computing.  Quite the opposite, for the vast majority of organisations it provides the opportunity to significantly simplify their IT delivery.

BYOD offers the chance to properly secure the IT of these organisations; what’s more, it offers the chance to do both in a convenient way that won’t see the sort of end user and management push-back that results in insecure IT in the first place.

Just who are you, really?  And why are you here?

More interesting to me are those organisations that steadfastly and ardently resist BYOD.  What else are they resisting?  How “integrated into the needs of the business” are these fiefdoms of nerdly hegemony?

Are they organisations that practice DevOps?  Or are they siloed, each department peering over the rafters with a suspicious eye at the next, carefully protecting their budgets?  Are these departments agile?  Capable of adapting rapidly to changing demands?  Or are they rigid, inflexible, with a well established “change request system” whose primary function is to prevent change through the implementation of excess bureaucracy?

Are these IT departments that care about the good of the company, or is “them” separate from “us?”  Are they providing optimal service to the business with their extant systems, or are they an anchor that has to be tugged at any time change needs to occur?

In my personal experience, IT departments that are most integrated with the needs of the businesses are ones that were doing DevOps before DevOps had a name.  They are ones where the head sysadmin isn’t just a sysadmin, but is in fact a full participant of the business-side meetings.  IT in these organisations helps plan company strategy and has the corporate security clearance to know what’s coming down the pipe.  This close integration allows IT to plan to meet business needs not just now, but 6 months, a year, 5 years from now.

IT delivery in these agile organisations is shaped not against a whitepaper, or to protect someone’s job…but to meet the exacting and specific requirements of the business in the most efficient possible way.  IT here isn’t a department, and they aren’t a “cost center.”  They aren’t a silo or an empire.  They are part of the team.  They work hard to make the business perform, and they are rewarded accordingly.

IT in these agile organisations isn’t really “IT” at all.  They aren’t grunts twiddling with boxes and networks, they are fully fledged members of the management hierarchy.  The IT services they provide are generally either off-the-shelf pre-canned appliances, provided by contracts that the internal IT department project managed, or are custom in-house solutions developed and maintained in a DevOps style.

Also in my experience, the larger the company gets, the LESS likely it is that this sort of agility and business-line integration exists within the IT department.  And again, also in my experience, the IT departments that have this level of integration with the business would read this post and laugh their asses off.

They’d laugh because they went BYOD before BYOD had a name.  These sorts of integrated, agile IT departments didn’t implement BYOD to jump on a trend.  They implemented BYOD so they could get out of the businesses of playing nursemaid to endpoints and focus on the business of growing the business itself.

On the relevance of Social Media.


This post is in response to comments made on The Register regarding one of my recent articles.  I’ve had to post it here as the character limit on The Register is 2000.

While yes, the opinions expressed in my Sysadmin Blog on The Register are my own, I would be willing to make the statement that on the topic in question (the rise of Social Media) they are indeed quite informed.

First: let’s admit that there does not exist primary science that conclusively and definitively pegs the exact % of our population for whom $social_media_site has become “the lens through which they view all content on the internet.”  I would go so far as to say that this is A) an impossibility and B) functionally irrelevant.  The % will be under constant flux as the habits of individuals (and groups) change.

But there are a number of studies that have been conducted so far that hint at this, and the reality of it is considered “common knowledge” amongst a certain brand of IPM nerd. The proof will out when the science is done, but studies to really refine the error bars around the exact % of users for whom this is true are only now getting underway.

One person you could talk to about this is Scott Galloway, professor at NYU School of Business. He is considered one of the more notable “digital strategy” experts. Consider also the numerous studies being done showing how little email is being used by “da yoof,” with Facebook rapidly slotting into the role that email once filled. (Many argue that Twitter is slotting into the role that Google once filled.)

Dr. Michael Fenichel – amongst many, many others – has done a great deal of hard, primary research into Facebook/Social Media/Internet usage.  Indeed, their research has convinced them that Facebook/Internet Addiction Disorder is a very real phenomenon, and should be added to the DSM V.

Beyond that, there are numerous industry studies that have noted – and then explored in depth – the reality of “$social_media_site has become the internet for X segment of the population.”  These are studies performed not by organisations who would benefit from Facebook/Twitter/etc. becoming a vehicle for advertising, but rather by organisations who have a driving need to know exactly how people shop, how they do product research and what influences their decisions.

Starting in 2007 we have a report from private equity firm Veronis Suhler Stevenson and PQ Media.  They note that for the first time in decades, 2007 saw people spend less time on traditional media and more time on the internet.  The study also noted a huge uptick in advertiser spending online as well as consumer online purchasing.  They predicted that by 2011, the Internet would be the largest advertising medium.

They were right.

In the intervening years, hundreds of studies have been run on the topic.  In 2009, we have a study from the Retail Advertising and Marketing Association (via BIGresearch).  They concluded – amongst other things – that moms (women with children younger than 18) spend way more time on social media than anyone else.  They also use social media for product research, trusting peer opinion above all other review methodologies.

Pew research in 2010 concluded that 58% of all Americans have done research for products online, numbers that start to get a lot larger as you adjust to look at the critical 18-32 age bracket.  While there was no social media component to this study, the thing that got everyone’s attention was the fact that internet users in higher-income brackets do significantly more online research than those in lower income brackets.

In September 2011, Nielsen released a report saying that social media (in which they include blogs) account for nearly 25% of all time spent online.  That’s more than double the amount of time spent in online games.  3/4 of all internet users participate in social media.

Critically, 60% of people with “three or more digital means of research for product purchases” discovered retailers or brands from a social networking site.  According to the same study, Americans spend significantly more time on Facebook – 53.5% – than any other site.

Again, these are merely sample studies I am discussing.  There are hundreds of studies – and a lot of primary science – that cover this area of discussion.  These should give you some starting points: an idea of how modern marketing folk got to the belief that social media is in fact an important outlet for brand recognition and advertising in today’s world.

Suffice it to say that the most critical demographic – 18 to 32 year olds – are strongly influenced by social media.  So much so that they skew the statistics for “all internet users” towards the realm of “depressing amounts of time spent on Facebook.”

That “the internet” is for some – indeed for an increasing number – Facebook, Twitter, Reddit or so forth is not merely “my opinion.” It is the considered opinion of several experts in the area; I have merely taken notice. More importantly; this trend is increasing.

These social media websites are now the lens through which an ever increasing % of our population absorb their daily dose of internets.

Linux Routers Gone Wild (Introduction)


I have recently embarked upon a difficult professional journey.  The larger part of this journey is in fact an attempt to secure my network and slowly, inexorably retire as much Microsoft software from service as possible.  The reasons for this lie largely in the complexity of Microsoft licensing; I am often beset by so many IT projects that it is honestly a nightmare attempting to comprehend the plethora of licensing options and caveats.  Trying to make sure our company remains in compliance is itself almost a full time job.

The solution to this is simple: cut back on as much Microsoft software as is humanly possible.  There are naturally some fairly enormous barriers to this concept.  The first being that there is simply no way we are (ever) going to be able to ditch Microsoft on the desktop.  There is simply too much industry-specific software we are totally reliant on for this to be anything but a midsummer night’s dream.  To manage these desktops, I need a directory and something that will handle group policy like templates.  After much searching and pondering the simple reality is that Microsoft’s Active Directory is the best bang for my buck in this department, and so there is no reason to abandon it.  (I should state for the record however that Novell’s offerings are an unbelievably close second.)

The second obstacle is not a hardware or software limitation, but rather one of wetware.  The wetware (which will remain nameless) ultimately responsible for accepting or rejecting my various schemes and proposals consists of two units.  The first unit is logical, rational and driven by nothing more than sound business rationale.  If you can make a solid business case for something, one of the two decision making wetware units will be easily won over.  Unfortunately, this wetware unit has exceptionally limited IT knowledge; when my recommendations clash with those of the second decision making wetware unit, issues can arise.

The second decision making unit in question is rather less approachable than the first.  Though remarkably intelligent, this unit remains deeply wedded to all things Microsoft and has what I consider to be an incredibly dangerous fascination with whatever happens to be the newest technology of the day.  As a born and bred technology geek, I truly understand the “gee whiz” factor shiny new kit can bring.  As someone who goes to work a loyal company man and puts aside everything except my job, I can’t and won’t let my employer risk the business on untested or questionable gear.  (Let several someone elses walk through that minefield first.)

The wetware obstacles to reducing the corporate Microsoft overhead (and with it the licensing burdens) are thus formidable.  An unfortunate amount of my job has devolved into simply playing the politics necessary to be allowed to implement the right solutions for our requirements and budget.  In many cases I actually have to purchase and implement first, and then inform people of it later if I feel it corporately critical that a project be accomplished without being tied up with internal political infighting and negotiations for six to eight months.

This year I am removing Microsoft’s Internet Security and Acceleration (ISA) Server from my organisation.  Like the use of LAMP webservers, LACS e-mail sanitisation servers and the slow introduction of Linux fileservers, this is the story of nibbling at the edges of a Microsoft network with tactical implementations of Linux systems.

© 2009 drink the sweet feeling of the colour zero. All Rights Reserved.
