BYOD Madness
When it comes to computing we all like convenience, just like in other areas of personal or business life. It’s nice to use familiar tools. Provisioning is much easier for your IT department if your users bring their own hardware. So, let’s sprinkle this idyllic setting with some security in terms of malware protection, data loss prevention and policies. This is a recipe for a lot of fun and sleepless nights at the same time.
The laisser-faire bring your own device (BYOD) approach is all the fashion these days. Since your users really like to do serious business on electronics and software designed for entertainment, why not combine both ends of the spectrum and create a worse starting point than with using either one technology. While being able to view, edit and create confidential documents on your TV set is of major importance today, let’s not forget that having a minimum level of security is a requirement (until completely superseded by the need for entertainment electronics, which might be in 2013 or 2014).
Skipping the sarcasm you might have noticed that BYOD is a lie. Unless you can do without security (measures), you cannot let BYOD be unspecified. I might bring my old Amiga computer and my self-engineered cell phone (complete with a custom OS). And if you slap some requirements on the trendy BYOD stance, then you got BTDWAYTBBWHSRN instead – bring the device we allow you to bring because we have some requirements now. Sounds a lot less catchy, doesn’t it?
BYOD proponents might point out that there will be some OS hardening going on, and that there will be an agent installed that will handle all things malware/DLP/spam/policy. Nice argument, but instead of taming the zoo of code this approach will only bring you a step closer back to the realm of magic where every problem stemming from complexity will be solved by adding more of it. Only gadget vendors have a vested interest in pushing/supporting BYOD.
If you have experience how BYOD can be managed without buying lots of (alcoholic) drinks, let us know by submitting a talk to the DeepSec CfP manager. Hardware vendors do not need to apply.
Update: If you think that BYOD saves you some money, think again. Blackpool Council has found out that it doesn’t.