As evidenced by the continual growth in all forms of security intrusion, we can’t fully trust any platform that involves human design or operations, so the question BYOD computing asks is ‘why bother at all at the hardware level’ (i.e. do your really good security/control/policy somewhere else)?
I think it’s an interesting and important question as it challenges assumptions, and 10 years ago assumptions said that self check-in at airports would be impractical and insecure, 20 years ago that encryption should never be publicly available, or 30 years ago that public cash point machines could never be securely deployed.
Now each of those processes can still be insecure in a minority of cases, but the overarching benefits outweigh the problems, and these are now services we would be loath to live without.
I set up a network years ago in a uni lab that had a stability/hacking problem, using a PXE boot and a pre-staged ‘fresh’ Windows 98 copy loaded from a hidden partition (periodically refreshed from a server as newly patched OS versions were released). In this scenario I didn’t have to care what went on in each session of Windows (or try to fix things as they broke), as I knew the next person on that PC was always going to get a fresh copy. So the first user could re-write the video driver so it became unstable, deploy malware on the hard disk, or uninstall required software (and they did each of these) – as soon as logoff happened (or a forced power cycle), everything was re-written/cycled, and we were back to a Known Good state. The network was 99% reliable from that stage onwards.
I’m interested if this model can be extended to any hardware regardless of origin (I’m thinking what’s the possibility of pushing Knoppix or Damn Small Linux onto BYO devices – after all, most admin staff need tiny amounts of memory/processor power to complete their work?).
The security concerns mentioned against BYOD apply if you allow ANY personal use such as social networking, webmail, personal mobiles of any flavour… in other words, if the whole work day is not explicitly ‘whitelisted’ from start to finish, then you can’t trust the workday at all (regardless of who owns the hardware). And this includes landline desk phones, Post-it notes/pens, and the conversations each worker has with their friends/families at home – each is a means to leak information out of the workplace.
I’ll be interested to see if BYOD grows legs as I don’t think it is just a matter of trendiness, it is much more serious than that – it’s about budget. It is such a powerfully attractive notion to transfer the cost of hardware purchasing onto users, that I am sure many sectors and even government niches will find a way to make it work – it may take some time and need a few good innovations to plug into it, but I think the Dollar may well win the day on this.