I think BYOD is far too broad a topic without discussing the business itself.
As I mentioned, in the high end of the industry it's obviously not about cost. Those 1 litre desktop PCs, 24" monitors and 15" laptops are available on the second-hand market in their tens of thousands for a reason.
In these places the "end device" is never trusted anyway. If I walk into the office and sit down at a desk, it isn't "my desk" and it isn't "my PC", it's just whatever desk and PC was free. That PC has almost nothing on it. No Office, no email, nothing. No DNS, let alone internet access. It won't accept USB devices either. It has IE installed and you can use that to authenticate to some peripheral systems, but the main access is gained by authenticating to the VMWare edge proxy, requiring username, RSA token, PIN code, host allocation number and the actual token. That gets you into the outer ring, from where you can launch a session on a Windows Server for IT support or log into your Windows VM (VDI), usually in the cloud somewhere, though you can't tell. Usually in a location close by, but it could be on the other side of the world, and it moves daily. The security once on that VDI does not stop. Every single service you touch requires authentication. You have no admin and your only networking is via a web proxy. Every web UI and every application will time out its authentication tokens anywhere from 1 minute to (thankfully, on many dev systems) 24 hours. You honestly spend about 5% of your day logging in to things.
When we started working from home the only thing that changed was the RSA token generators had to be requested differently and exported as "remote access tokens".
As to BYOD, they don't actually care. You still have to authenticate to that edge node with all the right credentials, and the connection to the VDI is secure assuming they trust the VMWare infra they maintain.
The remote access token generator can be used in "App form" on your own devices; however, the list of supported devices is incredibly short. This is because the various info-sec teams have limited resources to test and confirm security compliance across all devices. Additionally, many devices, OSes and versions of OSes are blocked because the company does not like the security or privacy of that OS.
The company "App" will sometimes then provide additional functionality, like forwarding your call into the company Zoom or conferencing system, accessing email, accessing IM chats etc. Not always; it differs. Typically those with a bespoke application will allow access through that. Others will provide you with Office365 mobile access, with the increased MFA security as a "pre-gate" to the SSO login.
On the other end of the spectrum, a very common entity these days is the business with absolutely zero on-site infra and close to zero private cloud infra either. They base 99.9% of their business in online third-party cloud services like Office365, Google Business, etc. etc. etc. HR applications are also exported to public cloud services. So in these places there is no on-site infra to authenticate to, and all authentication is handled by the "Office365" SSO stuff... or is entirely independent. There is very little preventing access to these systems from any random location, and the "company" might not even be aware.
I was using my personal PC for work for over a year when the company got bought and the new owners gave us all new laptops and told us we must use company hardware and networks to access any customer system, regardless of what the customer says. That ended that. So now my connection has to go out to my company infra in the cloud, "de-VPN" itself and head straight back out on the internet to a different country, to the customer's public IP.
A caution for people, as employees, who wish to take their company up on their BYOD policies... Read the small print. In many cases the software you use will have open and clear spying clauses, monitoring clauses which may, or may not, extend to your phone use while the application is closed. They will claim this is to protect their security and is legitimate use.
The laws internationally are presently far, far, far behind the present technical situation with regard to data, its distribution and usage. Laws around "corporate privacy overreach" are still unestablished on the topics of monitoring people in their own homes and on their own devices.
Personally I refuse as much as I can now. I insist on keeping my personal security scope isolated from my work security scope. This is becoming increasingly difficult, and the consequences for having misaligned views to the company (DEI Department especially) are growing rapidly.
If your company can move its "Office workload" into Office365 you can save a lot on devices, allow BYOD access to those services and let Microsoft manage the security.
If you want personal PCs/laptops to access "onsite" infra (including private cloud infra), then provide access only to a DMZ "terminal server" or edge node. From there you control access on an individual basis.
If you move your infra to AWS, you had better understand what a complex nightmare of security, roles and permissioning that can be.
So, bottom line. Move on-site infra to the cloud. Let the cloud handle the security. For everything you can't, use multi-staging security regions and several MFA stages. A VPN with anti-bridging and end-point protection software might be worth enforcing while connected to said VPN. On the internal side, these are considered "UNTRUSTED" and their operations strictly controlled.
Note, external authentication providers can span many services with a single set of creds. An example might be "Okta". These present interesting control and ownership models based around need to know and privacy. Typically the end user creates the account and owns the account with Okta. They then follow an invite link to bind that Okta account to the company's authorisation. This means the end user has control of the data in the account and can reject or close associations with entities.
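The "edge node" pattern from the post above (personal device reaches only a broker, which checks several factors and then decides per user which internal host that user may open a session to, with sessions that time out) is sketched below as an added example. This is not the poster's code or any vendor's product; the factor set (password, PIN, RFC 6238 TOTP, host allocation number), the 15-minute session TTL, the user record layout and the hostnames are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30            # RFC 6238 default window, in seconds
TOTP_DIGITS = 6
SESSION_TTL = 15 * 60     # assumed: how long an edge session lives before re-auth


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. the code a hardware or app token shows."""
    counter = struct.pack(">Q", int(now // TOTP_STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the broker never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, pin: str, totp_secret: bytes, hosts: dict) -> dict:
    """Build a constructed user record; `hosts` maps allocation number -> internal host."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": pw_hash(password, salt), "pin": pin,
            "totp_secret": totp_secret, "hosts": dict(hosts)}


# Constructed directory for the demo (assumed names, not real credentials).
USERS = {
    "alice": make_user("correct horse battery", "4821", b"alice-seed-0001",
                       {"H-1042": "vdi-alice.internal", "H-0007": "it-support-ts.internal"}),
}


class EdgeGate:
    """The only thing a personal device talks to; it decides per user what lies behind it."""

    def __init__(self, users: dict, now=time.time):
        self.users = users
        self.now = now                 # injectable clock so expiry can be exercised offline
        self.sessions = {}             # session token -> (user, internal host, expiry)

    def login(self, user: str, password: str, pin: str, otp: str, host_alloc: str):
        rec = self.users.get(user)
        if rec is None:
            return None
        t = self.now()
        ok = hmac.compare_digest(pw_hash(password, rec["salt"]), rec["pw_hash"])
        ok &= hmac.compare_digest(pin.encode(), rec["pin"].encode())
        # accept the current window and the previous one to tolerate a little clock drift
        ok &= any(hmac.compare_digest(otp.encode(), totp(rec["totp_secret"], t - d).encode())
                  for d in (0, TOTP_STEP))
        if not ok:
            return None                # every factor was checked; one answer for any failure
        target = rec["hosts"].get(host_alloc)
        if target is None:
            return None                # authenticated, but that host was never allocated to them
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, target, t + SESSION_TTL)
        return token

    def resolve(self, token: str):
        """Return the internal host a session may reach, or None once it has timed out."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        _user, target, expiry = entry
        if self.now() >= expiry:
            self.sessions.pop(token, None)   # expired: the user logs in again
            return None
        return target
```

The point of the per-user host map is the "individual basis" control from the post: a valid password, PIN and OTP still get you nothing unless that allocation number was assigned to you, and the session handle stops resolving after the TTL, which is where the "5% of your day logging in" comes from.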