Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

BYOD Bring Your Own Device: One of the most STUPID Gartner/Forrester/Executive Ideas EVER!

with 15 comments

God Damned Executives On A Plane

Last night a lively debate broke out on Twitter between Rafal Los, myself and Hrbrmstr about the wonders of BYOD (Bring Your Own Device) A movement brought to you undoubtedly by some moron of a CIO/CTO/CEO and your pal’s at Gartner. Now, if you haven’t run into the concept of BYOD yourself, just go and Google it to understand. Suffice to say that my theory on how this all came to pass is the following scenario…

  • C level executive A was on a plane one day and reached into the pocket in front of him. He pulled out the “In Flight” magazine and starts perusing it when low and behold he see’s an article about how YOU TOO CAN SAVE LOTS AND LOTS OF MONEY if you let your employees BUY THEIR OWN PHONES AND LAPTOPS to use at work!
  • C level exec then gets an EXTREME hard on for the idea envisioning his bonus growing exponentially as he foists the cost of phones to the employee as well as most of the cost of the service plan! GENIUS!
  • Contentedly the rest of the flight C level exec sits pondering just what fancy addition to his yacht he will be able to buy with the savings from this master plan.
  • C level exec immediately upon return drafts an email to the other C level execs with the master plan.. They all see bonuses and shiny things they can buy once their bottom line has been altered by pushing the costs to the employees by making them pay to work (remember the days of company stores and housing? Yeah, its kinda like that again)
The C level conclave concludes and they all decide this is a capital idea! Lets do it!.. Of course, they have not talked to the CSO or CISO and if the CSO is capable, they will raise the question over security and legal/privacy concerns. If they have a CSO/CISO at all.

Alas… They still will forge ahead… Dollar signs in their eyes like cartoon characters.

But.. It Will Make Our Workers SO HAPPY and SAVE US MONEY!

And on it goes, the steamroller of BYOD begins its descent, picking up velocity where it finally makes it to the security folks (if the company has any) and someone will undoubtedly say;

“WHOA, what about the security issues here?

What about the PRIVACY issues?

Legal issues?

To which they will be told it’s all good and not to worry.. Just do it. This even after being told by a smart security person that there are many moving parts here that present major problems that could in fact cost more money in the long run to do right AND that if they don’t do it right, they could be more easily compromised or have big legal issues.

“Do not worry about that.. It will save us money and it will make the employees happy” says the C level… Just do it.

The poor security person is left with the pile of shit idea in the paper bag from then on.. Just waiting for it to be lit on fire for them to stamp out with their new Nike shoes.

The Magic Fucking Quadrant of STUPID (Now With Added Unicorn Spit!)

Soon the security team and the exectives/managers are on the phone with Gartner or Forrester having meetings about how BYOD is the SHIZ and how magic it is in the quadrant and just what companies are offering the newest WHIZ BANG products that will help you “secure” the personal devices for you!

For just 50 thousand dollars YOU can have this solution!!!

*eye rolls all around*

But the executives… They are eating this shit up! They are fully drinking the kool aide and have the purple lips to show it! I mean, its Gartner! How could they EVER be wrong!!

The unicorns have won the day and you, you poor security sod, are stuck with the new task of ultimately making your life more miserable and creating new and silly problems to make your environment and job more complex. Welcome to BYOD.. Bring Your Own Doom. Be sure to buy more Maalox and other products to sooth your nerves and G.I. tract. Your life as you know it is about to change for the worse and when the shit goes down, undoubtedly, you will be asked why you didn’t tell them that this was a bad idea! YOU FAILED TO TELL US!

Remember to be the squeaky wheel… and to save all your emails warning that this… is indeed a bad idea.. Unicorn spit or no.

Technical Problems

But seriously folks.. There are some major issues technically with this idea. Of course the same issues crop up with any smart phone or device that you need to secure but, you are adding complexity to the mix because you need to secure the device AND keep it real loose because its a PERSONAL DEVICE, it isn’t the companies asset! This means that the guy who paid for it wants to USE it the way THEY want. So if you secure it properly, well, then they CAN’T USE IT the way THEY WANT TO!

And this leads to unhappy end users.

So here are just some of the technical problems..

  • Differing OS’ require different solutions for security in some cases
  • Android… OMFG Android rooted by the EU is bad. How many botnets are there out there now for Android? Google also has a real lack of quality control here (nightmare)
  • Adding layers of protection to “sandbox” applications
  • Adding a layer of auditing and tracking to protect the asset (not the companies once again) to protect your IP and infrastructure if said “asset” attaches to your network at all
  • Insuring that CRYPTO is working and or used to protect that IP again
  • Insuring that the system has AV on there and it is up to date
  • Insuring that the user just can’t install anything they want on their asset to prevent compromise of CORP data (due diligence)
And the list goes on.. So here you have it, you are adding layers of complexity to a device that naturally the end user, who PAYS FOR IT does not really want because its THEIR TOY! Its a PERSONAL DEVICE! They bought it! They want to play with it and use it for their amusement. This is a key point here that most of these guys advocating this fail to understand.. Or is it they really don’t care? Suffice to say though that in the end you are forced to add software and hardware solutions to secure the personal assets in your BYOD program that will cost you money. Money to buy, and money to keep updated and licensed.
So, where is the cost benefit analysis here on this? Are you really saving all that much money in the end?
Never mind the legal aspects that you also must engage counsel for….

LEGAL Problems

Legal problems.. Oh yeah, there are many legal issues here with the whole BYOD thing. It seems to easily escape the faculties of the C levels who are all hot for these programs though.  When you bring up these issues, even in the clearest of ways, they still seem to be all for the BYOD which confuses me personally. Oh well, they have lawyers on retainer right? They will just dump it on them and they will work out the details. Details like the following;

  • E-Discovery issues with personal assets and corporate information (the company does not own the device and unless the owner signs a document saying they will give up the phone/laptop/hardware for discovery, you’re F’d)
  • PRIVACY, if you are auditing all that goes on on the device (say a phone) then you can see everything they are doing with their personal/corporate-tized/asset In short, no privacy really
  • The vagaries of corporate IP on personal assets and the legalities of who owns what when and where
These three bullets cover a HUGE amount of the problem with BYOD and people need to realize this as they go ahead thinking about this as a solution to their bottom lines.. AND this is all it really is, its not really about making end users happy. Never let yourselves be deluded into this belief that by doing all of this you will be making a more happy and productive work force. Eventually, those users will come to their senses and realize that they are being used in so many ways and that there are many grey areas.
… And if you have not gotten them to sign iron clad agreements.. You Mr. C level are gonna be in trouble eventually.

Bad BYOD Rising

Nope, this is a bad idea from all angles as I have seen. Yet, people are going for this model more and more as a way to save money and “make workers happy with new toys like iPhones” I only see the technical and legal issues as well as the potential for paranoia and bad blood on the part of the users/owners of their now corporate assets… that are theirs.. sorta… It’s just a nightmare really, but Gartner says its GREAT!

*facepalm*

Please, for the love of sanity think this stuff through before you even think about this model for your orgs!

Savings to the business my ass.. You’re only adding a slow poison to your company and your carcass will be rotting soon enough.

K.

About these ads

Written by Krypt3ia

2012/02/10 at 12:01

15 Responses

Subscribe to comments with RSS.

  1. Great article. I can’t imagine anyone really doing this. Its stupid on all level and the legal ramifications are huge. Unfortunately it will be dollar signs that could bring a company down. One scenario could be a ‘long con’ through Social Engineering. You have one person that is looking to bring a company down and they are willing to go the distance by applying for a job and end up getting hired. Game Over.

    AJ

    2012/02/10 at 12:17

  2. In addition to the security issues the technical support issues would be just as complex in this scenario. I think the only way it could potentially work effectively is to have the BYOD connect to a virtual environment ie Citrix to provide at least provide a common OS and applications.

    Twinkle

    2012/02/10 at 17:57

  3. Something that just occurred to me while thinking more about this yesterday: over a disturbingly short period of time, the stance of the Respectable Security Pro seems to have steadily shifted from “hell no” to “I’m not comfortable with it” to “it’s inevitable, let’s prepare” to “maybe it’s not so bad” to “we can totally do this!” But here’s the thing: nothing about BYOD itself, that is the risks, the legal concerns over ownership, the encroachment of professional into personal and vice versa–none of that stuff has changed a bit (or if anything it’s gotten worse). It’s just the attitude of some folks that has shifted. So it’s got me wondering: what the hell is going on?

    opsecshellshock

    2012/02/12 at 16:28

  4. Very nice write up. 95% of my business is ePreservation. I take GREAT delight in making people surrender their personal devices to me for preservation. Trolls gotta. I’ve also warned my clients repeatedly not to mix business and pleasure on anything other than a phone call level, but do they listen? I’ll probably start charging a premium for private party devices included in a case. Sounds legit.

    icbkr

    2012/02/12 at 23:14

  5. [...] and communications platform (laptop/phone).  It is colossally stupid and that is well documented elsewhere, but for us, it is worse than just having to preserve a different device, because BYOD introduces [...]

  6. Looks like Gartner agrees with you: http://blogs.gartner.com/mark_mcdonald/2012/02/13/executive-vanity-is-a-force-driving-demand-for-mobile-solutions/

    “Executive Vanity is a force driving demand for mobile solutions”

    Anonym

    2012/02/13 at 20:30

  7. Whoa.. Gartner of all people huh?

    Krypt3ia

    2012/02/13 at 20:40

  8. Well, groups I mean… Thanks!

    Krypt3ia

    2012/02/13 at 20:40

  9. BYOD sounds like a really cool idea. Let’s stick potentially thousands of untrusted, and possibly malware-infected devices on the corporate network. A security breach would no longer be a possibility – it would be inevitable.

    Having them connect to a virtual environment (i.e. Citrix) is a good solution in many cases, but only provides more security where the network’s restricted to trusted clients, and where methods of exfiltrating data from the server have been eliminated (local storage, email, cloud, screenshots, etc).

    Michael

    2012/02/15 at 09:43

  10. [...] A Terban, a supposed temperament behind a security blog Kryptia reckons BYOD is a recipe for a confidence professional’s shaken [...]

  11. [...] um das Thema erstmals ausführlich hier im P’retioso-Blog aufzunehmen, bis ich auf diesen Artikel von Scot A. Turban stiess, einem anerkannten Security Spezialisten aus den USA und früherem Ethical Hacker bei IBM. [...]

  12. yo… It’s actually worse than you think and why international public cloud is not doable. Simply put, every country has different rules regarding discover-ability of data. Which means in more oppressive countries the corporate data you carry on your phone or other device will be discoverable. In the process you may become in hot water with US regs like HIPAA, PCI and others.

    However, the simple answer is this: BYOD coupled with VDI. Simply put, do not ever put corporate or other sensitive data on an untrusted device.

    Chip Stock

    2012/07/25 at 23:18

  13. “I’ve also warned my clients repeatedly not to mix business and pleasure on anything other than a phone call level” – hang on, isn’t that still mixing corporate and personal information on a single device…?

    wt

    2012/08/16 at 12:18

  14. Hmm is anyone else encountering problems with the pictures on this blog loading?
    I’m trying to determine if its a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

    Dorothea

    2012/09/19 at 20:34

  15. You kills me, I say, kills me. Unicorn spit. But, it gets the point across. Unfortunately, all the people that NEED to read this will not. I thank you for trying though. We all need to try!

    toni schimmel

    2014/03/10 at 22:07


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 131 other followers

%d bloggers like this: