Enterprise Management Associates
Published: 23 Jan 2013
To many IT pros, bring your own device (BYOD) is an overused marketing term that should be put to rest. But there is no escaping the fact that droves of users are bringing their smartphones and tablets to work and causing BYOD challenges that fall right into the laps of network managers -- and the issues go well beyond security.
BYOD challenge #1: Network security
Security is clearly at the top of every list of BYOD challenges, and it's most often the factor preventing enterprises from adopting a BYOD strategy.
The Wenatchee Valley Medical Center in Washington state, for example, has declined to embrace BYOD because of security concerns. Instead, the hospital system only allows smartphones that meet stringent security requirements to access email and calendar systems via McAfee's Enterprise Mobility Management product.
"Protecting patient health information is a top priority, and consumer-grade devices have simply not evolved to the point where that information can be reasonably secured on any personal widget that comes through the door," said Don Lester, senior engineer for Wenatchee Valley Medical Center.
Generally IT shops are accustomed to managing in an end-to-end model where they control device selection and every application installed, said David Willis, chief of research for mobility and communications at Gartner Inc.
"Now we're moving in a direction where not only is [the device] chosen by the user, but they own everything that's on it. The enterprise side of that device is just another set of apps."
Yet addressing security alone doesn’t guarantee BYOD success.
BYOD challenge #2: Enterprise leadership is not on board
Network pros are trapped in the middle of a face-off: End users and some individual enterprise departments are demanding BYOD connectivity, yet C-level executives won't buy into a centralized strategy.
Jonathan Davis, a senior solutions engineer for an extremely decentralized global manufacturer of heavy equipment, says getting the company's multiple subsidiaries on the same page for any technology strategy is difficult, but BYOD has been impossible. In fact, Davis' company has declined to adopt a global BYOD strategy, instructing IT that it should not support consumer devices on the network. Yet individual business units are pushing for exceptions to this policy. The IT organization can't invest in a comprehensive strategy, but it also can't lock things down because of the exceptions that business leaders are pushing for.
"The business leaders are saying ‘we aren't supporting iPads on the wireless network. We aren't supporting iPhones on the wireless network,’" Davis said. "But at the same time, we aren't allowed to use certificate-based hardware authentication, so anyone who starts messing around and tries to connect to our wireless network finds out that the only thing required is their credentials. That now puts a load on the network that's not planned for."
As a result, wireless access points (APs) are saturated with rogue devices, and DHCP servers are running out of addresses because IT doesn't have good visibility into how many devices are connecting to the network, he said. Davis said he could easily throw access control lists (ACLs) onto the VLANs in his global wireless LAN and block the MAC addresses of all those devices, "but the business won't allow us to do so. So we're kind of in limbo."
In reality, Davis is forced to support a piecemeal BYOD strategy without the proper tools to manage it. One business unit "was building a custom system that would have iPads talking to a server," he said. "Initially the plan was to buy iPads with cellular service and put the server in the DMZ so it could be accessed from the internet."
This strategy was fine with IT because it didn't violate any security policies since the iPads wouldn't touch the corporate network. The business unit ultimately backed away, however, because it determined the solution was too expensive and didn't give them enough control over the environment.
"They said, we'll connect the iPads to the corporate network," Davis said. "We pushed back and said that was completely against policy. So they requested an exemption and got it."
BYOD challenge #3: Scaling infrastructure to handle the slew of devices
Even if CEOs or CIOs commit to a BYOD strategy, they often don't understand how much traffic growth it creates and how it impacts the overall IT ecosystem.
Brandeis University has roughly 6,000 users on campus, but because many users carry multiple wireless devices, the network often has 15,000 connected devices at a time. What's more, users often don't even know their devices are connected. The latest Mac laptops, for example, stay connected even while asleep, waking up at regular intervals to ping the network to check email and perform other periodic updates. The sheer number of connected devices makes upper management's "heads explode," according to John Turner, director of network services and systems at Brandeis University in Waltham, Mass.
"The single biggest challenge is growth; it's gone exponential," Turner said. "It's causing us to need to scale beyond what our original design was, and it goes outside what people believe is reality."
One way to handle the increased network demand is with deep and comprehensive network monitoring. "Part of addressing that issue is knowing what's going on in your network and having really good intelligence," Turner said. "Why are people connecting? How long are they connecting? How much data are they using? And who are these people?"
Other enterprises have opted to upgrade wireless LANs to handle the influx. They've replaced 802.11a/b/g infrastructure with 802.11n and deployed APs for maximum bandwidth and coverage. And yet, they still run into trouble. Even with a big new network, Davis is constantly getting calls from production sites that are having wireless network problems.
Saturated APs are a common problem. When Davis's company upgraded its wireless LAN, it planned for each access point to support 28 desks. But when he troubleshoots connectivity, he'll find 76 clients connected to an AP "because they have so many iOS devices," he said. "I see the client counts and I say, ‘Here's the problem. Your users have connected iPhones and iPads, and those aren't supported.’"
The business unit leader tells employees to get those devices off the network, which works "until the next week when things settle down and they reconnect. Then we have the same issues and I get another phone call. After a while it becomes a network problem from the user and management perspective, not an employee problem, and not a policy problem," Davis said.
Davis' only option is to add more APs to the network. Yet scaling for BYOD requires more than preventing AP saturation.
"You start troubleshooting, and you go in and see that your local DHCP is out of IP [addresses]," Davis said. "Then you go in and see they just rolled out 45 iPhones that weren't on the network a week ago. That type of thing has happened at our main corporate site, but also all over North America. I get pulled into something that appears to be a wireless issue, but when you start looking, you realize it's because people are abusing the network."
The old ways of delivering network services, such as DHCP and DNS, suddenly cannot scale to meet the needs of BYOD, Brandeis' Turner said. For years, his network has relied on internal experts to maintain open-source DHCP and DNS servers.
"[Now] we see hundreds of thousands of requests for addresses in a 15-minute period on our DHCP servers," Turner said. "I can't tell you how much it was before because we didn't have to even look at that until now."
The open-source experts Brandeis and other organizations use to run DHCP, DNS and other services won't scale with BYOD. Turner is trying to decide whether to continue investing in more open-source expertise or change strategies completely and buy commercial DDI (DNS, DHCP and IP address management) products. But it's hard to justify that type of spending to upper management, he said.
BYOD challenge #4: Troubleshooting and client support
Once the infrastructure is ready for BYOD, the IT organization is forced to ensure that users can access the applications and services they need. This is a whole new opportunity for failure.
"The service desk in particular now has to be good at figuring out if it's a problem with an application the business is trying to deliver or if it's a problem with the phone that the user supplies," Gartner's Willis said. "It requires a new set of scripts [for the service desk]. It also means application delivery people need to think about how they can deliver applications without assuming the device itself is secured."
To give the service desk a fighting chance, the IT organization should outline which devices and software versions are supported as part of a BYOD user agreement. Many enterprises also include security policy in these agreements.
"If we give you X amount per year to cover your hardware costs, you have to agree your hardware meets certain specs," Davis said. Otherwise, an IT organization might find itself trying to support an old iBook with a 500 MHz processor, he said.
In some cases, enterprises use a policy that allows them to mandate a handful of supported devices that users can buy, said Darryl Wilson, director of enterprise mobility for Dimension Data Americas. "There is so much device innovation happening with new phones coming out every three months. Where do you draw the line?"
Other enterprises supplement their service desks with a self-service approach, Wilson said. In that case, IT organizations launch a support wiki or blog that allows users to find solutions to their own problems.
Yet self-support can be lacking, especially in a BYOD world where every problem is unique and can't always be found on a wiki.
"Nobody ever has the exact same version of an operating system or the exact same hardware," Brandeis' Turner said. "We found a particular variant of Windows 7 phone that for some reason would assume the IP address of the router gateway, and in so doing, cause the entire subnet to shut down … Google didn’t have an answer. We tracked the user down, and they hadn't done anything weird. It's one of those random things that is not on a wiki."
Because of these issues, some IT shops opt for a hybrid approach where they support a very small subset of VIP users and let the rest deal with it themselves, Wilson said.
In Turner's case, wireless LAN vendor Aruba Networks is creating a larger client troubleshooting wiki that runs across multiple universities, giving users a better chance of finding a solution to their problems. Turner said this kind of wiki could expand beyond the university customer user base.
"We're seeing more and more hospitals that are interested in collaboration [on BYOD issues]," he said. "And I've been contacted by financial institutions asking us how we've been doing this. I don't see [banks] collaborating with each other, but they are coming to us."
BYOD challenge #5: Employee pushback
While BYOD has been driven by end-user demand, employees might start to push back as the lines between work and play blur, Gartner's Willis said. This could slow progress for enterprises looking to go 100% BYOD.
"Some organizations get to 80% BYOD and just can't get the last 20% onto the program," Willis said. "And to be honest, we don't ask people to go to Office Depot and buy an office chair. Why should we ask them to purchase a smartphone?"
In the future, users who have embraced BYOD may start to regret their decisions.
"People are concerned about the privacy of their own personal data on these devices," Willis said. "Is my employer watching my personal life? Is my employer tracking where I'm going? Those types of concerns will get greater over time. Employees will start to worry whether they are being tracked after hours or whether [they must answer] an email at eight o'clock on a Friday night. There are some real labor relations issues that need to be resolved."
While issues of adoption and user privacy may appear to be a headache for upper management, the IT organization will be caught in the middle. IT will be asked to execute whatever strategies upper management adopts to address these conflicts, and that execution may not be very popular.
Shamus McGillicuddy is the director of news and features for TechTarget Networking Media. He writes about networking, security, data centers, network management and other topics for SearchNetworking.com. He also manages overall news coverage for TechTarget’s other networking sites, including SearchUnifiedCommunications.com, SearchEnterpriseWAN.com and SearchCloudProvider.com.