
!@#$ Your Own Device

The real cost of BYOD (smartphones & tablets)

In the last year this term has rung out more than Lady Gaga (love you Gaga).

Each of our Security Solution Architects meets with between 35 and 50 customers per month, and 90% of those meetings are about BYOD.  These customers differ in many ways, from size to industry, but the common denominator is that they all want to let their users work from new mobility platforms, and to do so securely.


Smaller, faster, and lighter client devices are nothing new.  This is how client computing evolves so that more of our employees can work from wherever they are.  And who are we to stop users from being more productive?

Think about all the laptops your friends and family own that are completely soaked in malware.  System and network administrators go to great lengths (much of the time) to harden corporate laptops against external threats and against deliberate and non-deliberate threats from the user.  The same approach needs to be applied to our mobile fleets so these devices don't end up like your mom's laptop.  Without turning this into an article on why to use MDM, let's highlight a few of the reasons:

  1. Users should be able to enroll their own devices without the assistance of I.T.
  2. Passcode enforcement.  Every enrolled device must require a passcode with some level of complexity, just as all of our other personal computing devices do.
  3. Operating system compliance.  Just as we don't want Windows XP systems connected to our networks (seriously, if you still have this, pull the plug), we probably don't want iOS 4.1 or Android Cupcake connecting to our networks either.
  4. Strong authentication.  Directory services authenticate and authorize users based on their username and password.  Many environments we work in today also use digital certificates to authenticate the device itself.
  5. Profile management.  Having a help desk administrator walk users through setting up email, calendar, contacts, Wi-Fi, VPN, etc. is a total waste of time and likely a painstaking task for all involved.  All of these configurations should be defined centrally and pushed to each device once the user has enrolled (see point 1).
  6. Application blocking.  A more recent feature where administrators can prevent an app from running if it causes lots of grief through in-app purchases, or if it has been identified as malware.
  7. Encryption.  Another new feature: perhaps you allow the box.net app to run, but you want all of the corporate data that goes into it encrypted before it leaves for someone else's network (sounds a little nuts when you say it like this).
  8. Visibility.  When something is still as new as this we often don't know what other policies to implement until we see what is out there.  Once enrolled, each device reports an incredible amount of information back to the MDM server.
  9. Remote wipe.  Funny that most environments don't have this capability for their laptop fleet, yet it is a requirement for smartphones and tablets.
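To make points 2 through 9 concrete, here is a small compliance check of the kind an MDM server runs over its inventory.  This is an added example, not code from the original post or from any MDM product: the device record fields, the minimum OS thresholds, the blocklisted app identifier and the action names are all assumptions constructed for illustration.  The one real gotcha it shows is that OS versions must be compared numerically, not as strings, or "4.10" sorts below "4.9".

```python
"""Added example, not code from the original post: a toy MDM compliance check
covering the policy items listed above (OS minimum, passcode, encryption,
application blocking, device certificate, remote wipe as an action).

Everything here is constructed for illustration: the field names, the policy
thresholds and the action names are assumptions, not any real MDM vendor's
schema or API.
"""
from dataclasses import dataclass, field

# Assumed minimum OS per platform as (major, minor). Android 1.5 is Cupcake and
# iOS 4.1 is the post's example of what we do not want on the network.
# Versions are compared as integer tuples, never as strings: "4.10" > "4.9".
MIN_OS = {"ios": (4, 2), "android": (2, 2)}

# Assumed blocklist of application identifiers (constructed).
BLOCKED_APPS = {"com.example.malware"}


def parse_version(version: str) -> tuple:
    """Turn "4.2.1" into (4, 2, 1); non-numeric suffixes like "3-beta" are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Device:
    """One inventory record as an MDM server might hold it after enrollment."""
    udid: str
    platform: str          # "ios" or "android"; BlackBerrys live on BES, not here
    os_version: str
    passcode_set: bool
    encrypted: bool
    has_device_cert: bool  # point 4: certificate-based device authentication
    apps: set = field(default_factory=set)


def check_compliance(dev: Device) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    minimum = MIN_OS.get(dev.platform)
    if minimum is None:
        violations.append(f"unsupported platform {dev.platform}")
    elif parse_version(dev.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        violations.append(f"OS {dev.os_version} below minimum {wanted}")
    if not dev.passcode_set:
        violations.append("no passcode")
    if not dev.encrypted:
        violations.append("storage not encrypted")
    if not dev.has_device_cert:
        violations.append("no device certificate")
    blocked = dev.apps & BLOCKED_APPS
    if blocked:
        violations.append("blocked apps: " + ", ".join(sorted(blocked)))
    return violations


def decide_action(violations: list) -> str:
    """Map violations to an action (names are constructed): 'allow' a clean
    device, 'selective-wipe' corporate data off a device running a blocked
    app, otherwise 'quarantine' it from corporate profiles until fixed."""
    if not violations:
        return "allow"
    if any(v.startswith("blocked apps") for v in violations):
        return "selective-wipe"
    return "quarantine"


# Constructed sample inventory; none of these are real devices.
INVENTORY = [
    Device("A1", "ios", "5.1.1", True, True, True, {"com.example.mail"}),
    Device("A2", "ios", "4.1", True, True, False),
    Device("A3", "android", "1.5", False, False, True),
    Device("A4", "android", "4.0.4", True, True, True, {"com.example.malware"}),
]


def run_report(devices=INVENTORY) -> dict:
    """udid -> (action, violations) for the whole fleet."""
    report = {}
    for dev in devices:
        violations = check_compliance(dev)
        report[dev.udid] = (decide_action(violations), violations)
    return report


if __name__ == "__main__":
    for udid, (action, violations) in run_report().items():
        print(f"{udid}: {action:15} {'; '.join(violations) or 'compliant'}")
```

Run it as a script and it lists each constructed device with its action and violations.  The split between quarantine and selective wipe is a design choice worth arguing about in your own policy: a device that is merely out of date should lose access until it is patched, while a device carrying known malware should lose the corporate data immediately.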

There are many options and architectures available today to let users Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD).  While they may all look attractive on the surface, we would like to outline what each scenario requires to make it worth your while and to do it securely.  There are lots of options and technologies, but putting all of them in the network is going to be prohibitive and even more cumbersome to manage.

In most BYOD and CYOD programs there is a simple agreement that the user needs to sign, accepting accountability for the device, before participating in the program.


Having managed, and been privy to, telecommunications management over the last ten years, I can tell you this.  Corporate users are consumers.  This does not change just because a phone, tablet, or laptop is given to the user.

When users see that the latest and greatest is available, they will do everything in their power to get it sooner rather than later.  Incredibly, every time a new BlackBerry is released, something under 30% of the handsets in the fleet turn up lost, stolen, or damaged.  The same disregard applies to the cellular and data plans.  If you provide your employees with cell phones, take a look around the office and notice how many people are walking the halls or sitting at their desks talking on their cells instead of landlines.  Over a year, usage above the subscribed plan typically amounts to 20% in overages.

Let's take a look at a typical example.  We will base it on 250 devices, hopefully a round number that can be multiplied and divided as needed.  There will be a mix of Android, iPhone, and BlackBerry.  For the Android and Apple phones and tablets we will require Mobile Device Management at a minimum to control them.  BlackBerrys can be serviced with BES Express.  To lessen the blow we will assume there is a hypervisor of some sort so that we can virtualize the management consoles required.


Bring Your Own Device


For BYOD we will assume that the user receives an allowance for the monthly plan only.  Hardware is the responsibility of the user, and an MDM solution is required to manage and secure the devices.

Total for year 1:  $282,000

Mobile Device Management solution:  $45/device per year for the 200 Android and Apple devices, bought as a 3 year term up front, is $27,000
BES Express:  Free for the 50 BlackBerrys
Cellular and data plans:  $85/month for each of the 250 devices is $21,250 per month, $255,000 annually.


Total for year 2:  $255,000

Plans:  $85/month for each device, $21,250 per month, $255,000 annually.

Total for year 3:  $255,000

Plans:  $85/month for each device, $21,250 per month, $255,000 annually.

Choose Your Own Device


For CYOD we will assume that the company covers the monthly plan and the user never sees the bill.  Hardware is also bought and managed by the organization, and an MDM solution is required to manage and secure the devices.

Total for year 1:  $350,500

Mobile Device Management solution:  $45/device per year for the 200 Android and Apple devices, bought as a 3 year term up front, is $27,000
BES Express:  Free
Handsets:  $70/device on average (carrier subsidized on a new contract) for 250 devices is $17,500
Plans:  $85/month for each user plus an estimated 20% overage is $102/month, $25,500 per month, $306,000 annually.

Total for year 2:  $321,000

Handsets:  New hardware comes out.  20% of users (50) drop their phones in the toilet.  The carrier discounts replacements to $300 since they have been on contract for 1 year.  $15,000

Plans:  $102/month for each user, $25,500 per month, $306,000 annually.


Total for year 3:  $316,000

Handsets:  New hardware comes out.  20% of users (50) drop their phones in the toilet.  The carrier discounts replacements to $200 since they have been on contract for 2 years.  $10,000

Plans:  $102/month for each user, $25,500 per month, $306,000 annually.


BYOD will cost a total of $792,000 after 3 years in this environment.  CYOD, sticking with a corporate standard for mobile devices, is very similar in structure and will cost this organization $987,500 over 3 years.  In both cases the plans dwarf everything else; the MDM licensing is a small fraction of either total, and most of the CYOD premium is the 20% overage on company-paid plans plus the handset replacements.

*** This is a Security Bloggers Network syndicated blog from Insecurity authored by asdfasdfasdfasdf. Read the original post at: http://stephenperciballi.blogspot.com/2012/08/your-own-device.html