To BYOD or Not to BYOD: One IT Director’s Take

Most IT pros I talk to today have strong feelings about BYOD (Bring Your Own Device) policies. Some welcome it as a way for their users to get the latest technology without causing a major hit to the IT budget, while others take a very stern NIMBY approach. While we, as IT admins, may be repulsed by the idea of devices we do not control on our network, many organizations are moving in this direction.

We have to face the fact that even if we put our proverbial foot down and tell our organizations there is no way BYOD is coming to a cubicle near us, C-level executives are going to conferences and talking to peers, who are telling them how great it is to connect and use personal devices to conduct business. Never mind that these peers may have very different network infrastructures, different regulations to adhere to, and very different policies than the environment you manage. Your ED and other executives may very well come back from these events and ask you why BYOD is not a policy in your organization. You need to be prepared for this conversation (if it hasn’t already happened). Here are a few tales from the trenches on how to handle it, and how I have come to love, and loathe, BYOD.

Here at the Broward Center for the Performing Arts, we take a two-pronged approach to BYOD. First, I do not allow any devices the IT department does not control on our internal network. Second, for users with a business need, I do provide remote access to their desktops so they can use whatever device they want. This two-pronged solution has worked well both for the organization and the IT department. First, the IT department gets kudos for allowing access to internal desktops from external devices and enabling users to work from whatever device they choose. Second, we still do not have any unauthorized devices on our network, which decreases the risk of a security breach or falling out of compliance with certain regulations.

Many people have asked me how I sold the “no devices not under IT control on the network” portion of this to my C-level folks. For me, one of the strongest arguments (and a valid one) is Payment Card Industry (PCI) compliance. We do credit card processing, and for those of you who have taken this on, you know how much of a PITA it can be. The myths about the “advantages” BYOD brings in C-level minds are quickly dispelled when I explain that if we are not PCI compliant and we have a breach in security, we are liable for massive fines as well as actual losses. That ends the conversation pretty quickly. Other regulations, such as HIPAA, may inspire similar fear.

Next, I always try to come to the table with a solution rather than say “No Freakin’ Way”. For us, this solution is remote access. At our organization, users with a business need get a remote access app on their desktops to enable them to connect from home, the road or anywhere else there is an Internet connection. Since it is a Web-based solution, it works on Mac, Windows, and Linux. Apps for Android and iOS for tablet users are also available. In certain parts of our campus, we provide full Internet connectivity so folks can remote into their desktops. This solved the need for users to connect into the network without compromising my network security protocols. The product we use is fully configurable to block file transfers, so the IT department doesn’t have to worry about users moving files to personal devices. Well, at least not through the remote connectivity app anyway. There are a multitude of other options out there as well. If you have virtual desktop infrastructure (VDI) implemented, there is usually an app that covers most mobile devices so they can securely connect to that virtual desktop. In fact, one of the strongest reasons people have for VDI implementation is the BYOD capability that is baked in.

Last, let’s talk about email access. I mean, that is part of today’s BYOD discussion even though the IT department has been providing that for years. In our environment, we have some pretty hefty security protocols that scan emails for credit card and other sensitive information, such as Social Security numbers, and strip them out. That said, for many organizations, there could be other sensitive information such as intellectual property that could be sent via email and bypass these security protections. How do we as IT pros deal with that? What do we do when a user is terminated or loses their mobile device? Well, mobile device management (MDM) or mobile application management (MAM) security suites from a variety of vendors address this issue very well. With many, in just a couple of clicks, you can wipe the device or account (along with all related downloaded files), depending on your budget and the cycles you can devote to implementation.

No matter in which camp you pitch your BYOD tent, there are tools out there to help ease the pain of implementation (or fight the hordes clamoring for it). The thing is, BYOD is here to stay, so the solutions available today may not be the best solutions tomorrow. As BYOD becomes a larger concern for IT pros, products such as Spiceworks may implement MDM/MAM solutions into their already rich application offerings. So, the key is to not become too tied, either in man-hours or dollars, to one product, since more cost-effective ones may be right around the corner.

Join me and your fellow NTEN members as we discuss the finer points of BYOD at the NTC “To BYOD or not to BYOD” session from 1:30 PM – 3:00 PM on Thursday, Apr 11, 2013.

Looking forward to seeing you there!

Darren Schoen
Director of Technology Infrastructure
Broward Center for the Performing Arts