Saturday 24 October 2015

BYOD and why its always two from three.

There's an old IT saying which is “faster, better, cheaper, pick any two from three”.
Another one relates to work and is something like "interesting, well paid, legal".

It's surprising how many situations can be summarised in the same way. You have three clear requirements but when you fix two the third one breaks. To employ another cliche you can never quite “square the circle” - or the triangle in this case.

The promise of using personal devices in schools (BYOD) falls into this camp at the moment.

In this case the three requirements are;

  • The ability to use a personal device as an alternative option to a school computer.
  • Provision of a secure environment.
  • Ease of management.

The idea was that students could bring their own devices into school and use them to access learning resources in a safe way with minimal cost and without a management overhead.

Sounds like a good idea but at the moment you can have two of those things and not a third.

The problem has been caused by the move away from the standard http web protocol to the more secure https standard. The user connected to a home network with a personal device will have been unaware of the change over the last few years but for schools it's a different matter.

When a web site moves to https the data stream is encrypted all the way from the personal device to the site using a set of matching certificates held by the site and the user device. This stops the bad guys making any sense out of any intercepted data traffic and ensures that you communicating with the true vendor rather than somebody pretending to be that vendor.

All of this is very desirable except when it comes to filtering and logging. Because the data stream is now encrypted a lot of the information that filtering systems relied on to catagorise the traffic is now hidden from view. Systems can still make decisions around blocking or releasing the request but the fine grained control is gone and schools are often faced with the option of all or nothing.

The immediate solution has been to reintroduce the old proxy server setup which allows the traffic to be inspected by the filter and normal service is resumed.

All is well, except for BYOD.

This is because the solution requires that you install a certificate on each device and set a configuration which tells it how to find the proxy server. For devices under centralized management this is fairly trivial task but personal devices aren’t under any control. After all that's the whole point BYOD.

Visiting each device increases the management overhead. Introducing MDM (Mobile Device Management) software to do the same job just increases the cost.

Without this configuration BYOD devices cannot operate at the same security level as the school devices.

Therefore you can have BYOD with security but only with increased management overhead. Remove the management and you lose the security.

By the time you have purchased in an MDM licence to manage each BYOD device and upgraded the content filter you might as well have invested in a set of Chromebooks.

Two from three whichever way you look at.

No comments:

Post a Comment