BYOD - what to know, and what to do

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
An open discussion on "Bring your own device" to corporate networks, specifically wireless but the concepts can be applied to wired if you want to go that route. It IS coming if not already on your network and you just don't know it.

The thing to keep in mind is it touches all aspects of the business and IT - client management, security, network, support, etc. So I'll start off with a few easily deployable models that can be tailored to your environment.

1) Stick them on the guest wireless. That's usually the first step - let them on, but ONLY to access the internet, nothing internal. It sounds good at first but then the questions come from the business "what good is my smart phone/tablet if I can't access internal systems?" You WILL get that. But this is a good first step. Along with this you should start putting services on the public Internet to support these devices.

2) Guest+ network. Allows access to Internet and only specific internal hosts/services/applications - drop them off in a DMZ and let a few things in.

3) Put them on production internal/secure wireless network. This is ideal, but security concerns come into play. But it is the end goal.

So that takes care of access and some security/firewall control. The next BIG question - do you want these devices to be controlled by IS or are you OK with somebody and their personal, true "bring your own" device being on your net? There are many MDM (mobile device managers) out there with AirWatch currently the leader of the pack. You can use this to truly provision and control devices.

The holy grail of real BYOD is the concept of "self provisioning and profile/posturing". This is where more advanced authentication methods and intelligence come into play. I'm most familiar with Cisco's ISE platform, it can pretty much do anything you want, all on one box/platform.

Right now, the direction for BYOD is self provisioning using EAP-TLS as the wireless authentication protocol. This means the device must request and get a certificate = you MUST have a solid certificate infrastructure already in place, most of you likely do or at the least it's not too difficult (depending on size) to get it going if you're an MS AD shop. If it's a large 1000+ server network, some real planning and design will have to be done.

Lastly, these devices have VERY poor radios meaning they'll connect at much lower data rates than laptops with high power, high quality radios in them. Plan and design the wireless aspect of it accordingly.
 

mammador

Platinum Member
Dec 9, 2010
2,120
1
76
Whilst obviously smartphone/tablet ownership is high, I have reservations about this.

For one, it would cut down on workstation costs. No spending hundreds of dollars each for a laptop or desktop. But what if an employee resigns or is fired? IT departments need to ensure that all critical information is removed from his or her device.

IMO, the major issues are security-wise. Router/AP configuration is easy enough, as the subnet size is obviously dependent on employee numbers/scalability needs.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Whilst obviously smartphone/tablet ownership is high, I have reservations about this.

For one, it would cut down on workstation costs. No spending hundreds of dollars each for a laptop or desktop. But what if an employee resigns or is fired? IT departments need to ensure that all critical information is removed from his or her device.

IMO, the major issues are security-wise. Router/AP configuration is easy enough, as the subnet size is obviously dependent on employee numbers/scalability needs.

That's where the MDM/remote wipe and cert revocation come into play. All depends on how much you want to control. Even with device certs, you'll need some way to internally tie the cert to a person and device.

And IMHO, a tablet will never be a replacement for a laptop in terms of productivity and work. The tablet enhances, but not replaces, a real work machine. But the days of the tablet being docked the same as a laptop are here, just lighter and better battery life.

Seminars/working groups I've been to show folks now have 2-3, if not 4, different devices, all to do different things/needs.
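The three access tiers from the opening post and the point above about tying a device cert to a person and a device, worked as an added example (this is not code from the thread, nor from ISE, AirWatch or any other product mentioned in it). It assumes the RADIUS/EAP-TLS front end has already validated the certificate chain and hands over the cert's serial, subject CN, expiry and extended key usage; the inventory table, the `<user>/<device>` CN convention, the tier mapping and the sample data are all constructed for illustration.

```python
"""Constructed BYOD tiering decision: certificate -> inventory binding -> network tier."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Tier(Enum):
    REJECT = "reject"
    GUEST = "guest (Internet only)"
    GUEST_PLUS = "guest+ (Internet plus selected DMZ services)"
    PRODUCTION = "production wireless"


# id-kp-clientAuth extended key usage (RFC 5280); anything else is not a client cert.
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"


@dataclass(frozen=True)
class PresentedCert:
    """Fields of the EAP-TLS client cert that the RADIUS server hands to policy (assumed interface)."""
    serial: str
    subject_cn: str
    not_after: datetime
    eku: frozenset


@dataclass
class DeviceRecord:
    """Inventory row binding one issued certificate to a person and a device (constructed schema)."""
    owner: str
    device_id: str
    corporate_owned: bool
    mdm_enrolled: bool
    mdm_compliant: bool
    owner_active: bool


def expected_cn(rec: DeviceRecord) -> str:
    # Constructed convention: the CA writes "<user>/<device>" into the subject CN at enrollment.
    return f"{rec.owner}/{rec.device_id}"


def decide_tier(cert, inventory, revoked, now):
    """Return (Tier, reason). inventory maps serial -> DeviceRecord; revoked is a set of serials."""
    if cert.not_after <= now:
        return Tier.REJECT, "certificate expired"
    if cert.serial in revoked:
        return Tier.REJECT, "certificate revoked"
    if CLIENT_AUTH_OID not in cert.eku:
        return Tier.REJECT, "certificate not issued for client authentication"
    rec = inventory.get(cert.serial)
    if rec is None:
        # Chain-valid cert with no inventory binding: treat as an unknown device, guest access only.
        return Tier.GUEST, "no inventory record for this certificate"
    if not rec.owner_active:
        return Tier.REJECT, "owner no longer active; certificate should be revoked"
    if cert.subject_cn != expected_cn(rec):
        return Tier.REJECT, "certificate subject does not match inventory binding"
    if not rec.mdm_enrolled:
        return Tier.GUEST, "device not enrolled in MDM"
    if not rec.mdm_compliant:
        return Tier.GUEST, "device enrolled but out of compliance"
    if rec.corporate_owned:
        return Tier.PRODUCTION, "managed, compliant, corporate-owned device"
    return Tier.GUEST_PLUS, "managed, compliant, personally owned device"


def offboard_user(user, inventory, revoked):
    """Offboarding: deactivate the user's records and queue every cert they hold for revocation.
    Returns the serials revoked, in inventory order."""
    serials = []
    for serial, rec in inventory.items():
        if rec.owner == user:
            rec.owner_active = False
            revoked.add(serial)
            serials.append(serial)
    return serials


# Constructed sample data.
NOW = datetime(2014, 11, 1, tzinfo=timezone.utc)
VALID = datetime(2015, 6, 1, tzinfo=timezone.utc)
EXPIRED = datetime(2014, 1, 1, tzinfo=timezone.utc)
EKU_CLIENT = frozenset({CLIENT_AUTH_OID})
INVENTORY = {
    "01": DeviceRecord("alice", "ipad-7f3a", True, True, True, True),
    "02": DeviceRecord("bob", "android-19c2", False, True, True, True),
    "03": DeviceRecord("carol", "iphone-0b44", False, False, False, True),
    "04": DeviceRecord("dave", "ipad-e201", True, True, False, True),
}
REVOKED = set()


def demo():
    """Run the sample certificates through the policy; returns name -> (Tier, reason)."""
    cases = {
        "alice": PresentedCert("01", "alice/ipad-7f3a", VALID, EKU_CLIENT),
        "bob": PresentedCert("02", "bob/android-19c2", VALID, EKU_CLIENT),
        "carol": PresentedCert("03", "carol/iphone-0b44", VALID, EKU_CLIENT),
        "dave": PresentedCert("04", "dave/ipad-e201", VALID, EKU_CLIENT),
        "expired": PresentedCert("01", "alice/ipad-7f3a", EXPIRED, EKU_CLIENT),
        "cn_mismatch": PresentedCert("02", "someone-else/android-19c2", VALID, EKU_CLIENT),
        "unknown": PresentedCert("99", "eve/laptop", VALID, EKU_CLIENT),
    }
    return {name: decide_tier(cert, INVENTORY, REVOKED, NOW) for name, cert in cases.items()}


if __name__ == "__main__":
    for name, (tier, reason) in demo().items():
        print(f"{name:12} -> {tier.value:45} {reason}")
    print("offboarding alice revokes:", offboard_user("alice", INVENTORY, REVOKED))
```

The ordering of the checks is the point: expiry and revocation are evaluated before the inventory lookup, and a cert whose subject does not match the record it was issued against is refused outright rather than downgraded, since that is exactly the case where the cert has come loose from the person and device it was meant to identify. Offboarding adds the serials to the revocation set, so the same check that admitted the device yesterday rejects it today.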
 

mammador

Platinum Member
Dec 9, 2010
2,120
1
76
I can see some benefits, such as Word editing, softphone use anywhere on site, etc.

As said, I think the major issue is security.
 

Ghiedo27

Senior member
Mar 9, 2011
403
0
0
Maybe this is a bad question, but I wonder if it's possible to secure things with a sandbox browser app. Allow internet traffic through with the mobile user's standard browser, but build your certificate around the browser so that while using it you can access company resources.

I imagine it would be a nightmare to make a broadly compatible browser app that controls the data you access through it well enough to be secure and displays it efficiently enough to be useful, though.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
Great post & discussion Spidey, thanks! I made it a sticky, at least for a while, so we can see how it develops.

Thanks again

ScottMac
Anandtech Network Forum Moderator
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Spidey (and, everyone else)...I'm curious about any first-hand experience you've had with MDM products. We've been BES/Blackberry-Only at work since we first started getting smartphones 6-7 years ago, but people have been wanting iPhones and/or Androids for at least a couple of years now, and we've had no time to do real evaluation of our options (the most that has happened is I've looked at Gartner's magic quadrant and the marketing materials from a handful of vendors).

Due to the culture here, I couldn't imagine us going truly BYOD even in the next 10-15 years, but we need to ditch Blackberry/BES for a new MDM solution in the near future.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The client group loves AirWatch. You can bring up AirWatch servers in your DMZ to get them on The Internet. The software will check in constantly for settings/changes so remote wiping a device or rendering it useless is easy and secure.

Right now everybody wants to use a tablet so businesses have a tool (tablet) and they're trying to find a use for it. Rather than having a specific problem they're trying to solve or opportunity to gain.
 

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
Do any of you have BYOD policies in your place of work?


Yep.

We have two flavors at the moment, both of which are restricted to internet only traffic, cannot talk to each other, and can only have certain devices utilize them.

For external guests, we offer both a wired and wireless solution, both of which utilize a gateway for authentication. We create users ad hoc and for certain periods of time. No staff can use this solution.

For staff, we have a wireless solution that authenticates via LDAP. We too have started to look into what internal resources we would make available. The environment in which they would use is already setup. It's simply a matter of letting whatever we need through the FW. We're looking at hooks into VoIP for example. It's possible our IT staff would be able to have SSH/SSL access into our gear. We've also created separate networks to separate "privileged" staff (IT, InfoSec, etc) from your regular staff, the finance folks for example, to better control that traffic.

.1x will be soon implemented as well which will greatly expand the ability to control and restrict access in this regard.
 

pub1279

Junior Member
Nov 10, 2012
5
0
0
We are also implementing BYOD using AirWatch as an enabler. The technology is only a small part of this - the bigger challenge really is the change management that is associated with implementing these policies.

Even with their endorsement from the most senior management there was still a huge amount of noise from staff as they were unhappy with security policies such as complex passcodes and requirements to change passwords every 90 days.

But anyway, it all worked out in the end. It's not a matter of if BYOD is brought into enterprises, it's a matter of when.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
What kind of policy changes are y'all making to apply some control to the access system?
 

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
That's a pretty broad question. Depends on what's being accessed, what kind of access they need, and from where.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
I thought a pretty broad question was something like "Did you see that blonde by the water cooler?" ...

Anyway, yeah, I know it's a huge generalization, but given the time it took for some organizations to decide they needed *any* kind of policy for wireless and, in some cases, the LAN in general, I was hoping to get responses for a variety of implementations.
 

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
We don't allow personal devices yet, but we do utilize MobileIron for our issued devices (iPhones/iPads) so someday that will hopefully help us out when we get there. We also do not allow our own devices to connect to the work wireless. Only thing they get is their Exchange information.

Due to some federal guidelines we're working on becoming compliant and figuring out some requirements before they get on our wireless.
 

PragatiJain

Junior Member
Feb 15, 2013
1
0
0
What are the other BYOD policies in place? Does your org also have BYOD policies for gaming applications and restricting phone features?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
What are the other BYOD policies in place? Does your org also have BYOD policies for gaming applications and restricting phone features?

Depends on if you want people using personal devices or company locked down ones.

I am REALLY impressed with Cisco's latest ISE version. It's like BYOD in a box. It can provision end points, give them certs, push policies to iPhones/Android/Windows, etc. Extremely powerful. Next version will offer AirWatch and other MDM integration.
 

Nec_V20

Senior member
May 7, 2013
404
0
0
I was not popular, but when I was working as NetAdmin I introduced the policy of no changes allowed to company computer property and no private devices allowed to access the corporate network - no exceptions.

The only person to whine was the head of HR. Luckily the CEO saw the sense in the policy I had implemented and she could go and take a flying one at a rolling doughnut.

I am not going to spend money out of my budget to pander to employees' false sense of entitlement - end of story.
 

tech_head_wann

Junior Member
Jun 1, 2014
4
0
0
So what happens if there is a lawsuit and something is done illegally on a BYOD device? Who owns the asset/information? Who would get sued?
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
So what happens if there is a lawsuit and something is done illegally on a BYOD device? Who owns the asset/information? Who would get sued?

Hard to say in the end.

Most registration pages dictate you obey the rules of the company and hold them harmless.
 

Tr4nd

Member
Oct 27, 2014
39
0
0
We don't allow personal devices yet, but we do utilize MobileIron for our issued devices (iPhones/iPads) so someday that will hopefully help us out when we get there. We also do not allow our own devices to connect to the work wireless. Only thing they get is their Exchange information.

Due to some federal guidelines we're working on becoming compliant and figuring out some requirements before they get on our wireless.

Got a new task to secure my company's information after a number of our employees left, yeah it's a little too late I guess, but better late than never. Hmm MobileIron sounds like a pretty good solution. Thanks for the tip. :)
 