God Damned Executives On A Plane
Last night a lively debate broke out on Twitter between Rafal Los, myself and Hrbrmstr about the wonders of BYOD (Bring Your Own Device). A movement brought to you undoubtedly by some moron of a CIO/CTO/CEO and your pals at Gartner. Now, if you haven’t run into the concept of BYOD yourself, just go and Google it to understand. Suffice to say that my theory on how this all came to pass is the following scenario…
- C level executive A was on a plane one day and reached into the pocket in front of him. He pulled out the “In Flight” magazine and started perusing it when, lo and behold, he saw an article about how YOU TOO CAN SAVE LOTS AND LOTS OF MONEY if you let your employees BUY THEIR OWN PHONES AND LAPTOPS to use at work!
- C level exec then gets an EXTREME hard-on for the idea, envisioning his bonus growing exponentially as he foists the cost of phones onto the employee as well as most of the cost of the service plan! GENIUS!
- Contentedly the rest of the flight C level exec sits pondering just what fancy addition to his yacht he will be able to buy with the savings from this master plan.
- C level exec immediately upon return drafts an email to the other C level execs with the master plan.. They all see bonuses and shiny things they can buy once their bottom line has been altered by pushing the costs to the employees by making them pay to work (remember the days of company stores and housing? Yeah, it’s kinda like that again).
Alas… They still will forge ahead… Dollar signs in their eyes like cartoon characters.
But.. It Will Make Our Workers SO HAPPY and SAVE US MONEY!
And on it goes, the steamroller of BYOD begins its descent, picking up velocity where it finally makes it to the security folks (if the company has any) and someone will undoubtedly say;
“WHOA, what about the security issues here?
What about the PRIVACY issues?”
To which they will be told it’s all good and not to worry.. Just do it. This even after being told by a smart security person that there are many moving parts here that present major problems that could in fact cost more money in the long run to do right AND that if they don’t do it right, they could be more easily compromised or have big legal issues.
“Do not worry about that.. It will save us money and it will make the employees happy” says the C level… Just do it.
The poor security person is left with the pile of shit idea in the paper bag from then on.. Just waiting for it to be lit on fire for them to stamp out with their new Nike shoes.
The Magic Fucking Quadrant of STUPID (Now With Added Unicorn Spit!)
Soon the security team and the executives/managers are on the phone with Gartner or Forrester having meetings about how BYOD is the SHIZ and how magic it is in the quadrant and just what companies are offering the newest WHIZ BANG products that will help you “secure” the personal devices for you!
For just 50 thousand dollars YOU can have this solution!!!
*eye rolls all around*
But the executives… They are eating this shit up! They are fully drinking the Kool-Aid and have the purple lips to show it! I mean, it’s Gartner! How could they EVER be wrong!!
The unicorns have won the day and you, you poor security sod, are stuck with the new task of ultimately making your life more miserable and creating new and silly problems to make your environment and job more complex. Welcome to BYOD.. Bring Your Own Doom. Be sure to buy more Maalox and other products to soothe your nerves and G.I. tract. Your life as you know it is about to change for the worse and when the shit goes down, undoubtedly, you will be asked why you didn’t tell them that this was a bad idea! YOU FAILED TO TELL US!
Remember to be the squeaky wheel… and to save all your emails warning that this… is indeed a bad idea.. Unicorn spit or no.
But seriously folks.. There are some major issues technically with this idea. Of course the same issues crop up with any smart phone or device that you need to secure but, you are adding complexity to the mix because you need to secure the device AND keep it real loose because it’s a PERSONAL DEVICE, it isn’t the company’s asset! This means that the guy who paid for it wants to USE it the way THEY want. So if you secure it properly, well, then they CAN’T USE IT the way THEY WANT TO!
And this leads to unhappy end users.
So here are just some of the technical problems..
- Differing OSes require different solutions for security in some cases
- Android… OMFG Android rooted by the EU is bad. How many botnets are there out there now for Android? Google also has a real lack of quality control here (nightmare)
- Adding layers of protection to “sandbox” applications
- Adding a layer of auditing and tracking to the asset (not the company’s, once again) to protect your IP and infrastructure if said “asset” attaches to your network at all
- Ensuring that CRYPTO is working and/or used to protect that IP again
- Ensuring that the system has AV on there and it is up to date
- Ensuring that the user can’t just install anything they want on their asset, to prevent compromise of CORP data (due diligence)
Legal problems.. Oh yeah, there are many legal issues here with the whole BYOD thing. It seems to easily escape the faculties of the C levels who are all hot for these programs though. When you bring up these issues, even in the clearest of ways, they still seem to be all for the BYOD, which confuses me personally. Oh well, they have lawyers on retainer, right? They will just dump it on them and they will work out the details. Details like the following:
- E-Discovery issues with personal assets and corporate information (the company does not own the device and unless the owner signs a document saying they will give up the phone/laptop/hardware for discovery, you’re F’d)
- PRIVACY, if you are auditing all that goes on on the device (say a phone) then you can see everything they are doing with their personal/corporate-tized/asset. In short, no privacy really
- The vagaries of corporate IP on personal assets and the legalities of who owns what when and where
Bad BYOD Rising
Nope, this is a bad idea from all angles as I have seen. Yet, people are going for this model more and more as a way to save money and “make workers happy with new toys like iPhones”. I only see the technical and legal issues as well as the potential for paranoia and bad blood on the part of the users/owners of their now corporate assets… that are theirs.. sorta… It’s just a nightmare really, but Gartner says it’s GREAT!
Please, for the love of sanity think this stuff through before you even think about this model for your orgs!
Savings to the business my ass.. You’re only adding a slow poison to your company and your carcass will be rotting soon enough.