Some thoughts on this:

- A company going and buying 40,000 iPads isn't BYOD. Corps have been 
buying phones (e.g. Blackberries), laptops and tablets for staff for a long 
time. If the corp is providing it, it's not BYOD.

- The concept of remote VDI isn't new. That said I don't think it'll 
fly in many financial institutions outside retail banking in the short term. 
IME the type of work that needs to be done in wealth management, investment and 
institutional banking is very different to tellers working out in branches in 
retail banking. Retail banking's been dominated by thin clients for a long time 
(fixing thick client PCs out in suburbia or out in the country is a support 
PITA). Not to say there isn't some scope to pull some apps back to a 
centralised location for wealth/institutional/investment, but there are other 
things (like Bloomberg terminals, Reuters feeds etc.) where the underlying 
network required, and the physical kit, is going to result in stuff sitting on 
people's desks.

- BYOD + remote VDI is becoming more popular, but I just don't think 
(in the short term) that it's going to dominate banks. There's simply too many 
issues still around (e.g. what to do when the employee's machine breaks down) 
that there aren't clear-cut best-practice answers to. Whilst I see people 
trialling things, I don't think the evidence is in yet on whether it's a good 
idea or not. I think it'll be another 3-5 years before we have enough data on 
whether it's sustainable and economic.

- Compliance/Risk depts. have issues around a central infrastructure 
providing the entire service: the cost of providing a fully redundant, HA platform 
for a small trading office with 10-20 staff kinda crimps this initiative. And a 
non-redundant, non-HA setup will not fly because the bank is unable to 
consolidate and report its overall risk position to regulators.

- The other stuff (like his networking proposals), I think is just 
silly. He obviously knows his Citrix stuff well. But maybe that's where he 
should stick to - get networking and security guys to help paint the rest of 
the picture.

Cheers
Ken

From: Webster [mailto:[email protected]]
Sent: Tuesday, 16 April 2013 9:28 PM
To: NT System Admin Issues
Subject: RE: Some interesting thoughts about network security

Most of the projects I work on are in the financial and healthcare sectors.   
100% of them are doing BYOD.  These are some of the largest companies in their 
respective industries.  One healthcare related company just bought 40,000 iPads 
for their sales force.  Where I am now they have 30,000 people using Citrix 
XenApp and are scaling up a XenDesktop project to 11,000 users.  They are 
supporting almost every kind of device imaginable: iPhone, iPad, Androids, 
Surface, Mac OSX, Win7, etc.

Brian Madden is a recognized name and thought leader in this space.  But as a 
thought leader, his goal is to make you think.  Think about the ways users are 
getting around IT (I see it daily at my current project), think about how IT 
really does not and cannot control every device.

Back when Brian was in the trenches doing designs and installs, he designed and 
built some of the world's largest TS/RDS/XenApp environments.  He does know his 
stuff.  I think he is trying to stretch IT's way of thinking and can be 
considered more of a provocateur now.  What we did in IT 5 or 10 years ago may 
not work with today's users and how they work and/or want or need to access 
company data.

Just my $0.02US worth

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com


From: Jon Harris [mailto:[email protected]]
Sent: Monday, April 15, 2013 9:46 PM
To: NT System Admin Issues
Subject: RE: Some interesting thoughts about network security

One of the things I saw in the article was part of his reasoning on this was 
the BYOD movement.  I know a lot of places are looking at this and some have 
even gone for it but if it was a financial firm or a health care provider I 
don't know if I would want to do business with them.  BYOD just opens too many 
cans of worms for me to feel comfortable with those firms doing that.  If they 
were using something like a VDI or Citrix-like work interface I would only be 
marginally comfortable.  I don't see that happening unless a company really 
looks at where the data is stored and the risk of that data getting "lost" to 
parties unknown.  From all that I am seeing it is more management wanting to 
push the cost of the worker's hardware to the worker and little else is taken 
into account until they get bit hard and are faced with lawsuits due to their 
lack of use of their brains.

Jon

________________________________
From: [email protected]
To: [email protected]
Subject: RE: Some interesting thoughts about network security
Date: Tue, 16 Apr 2013 00:33:16 +0000
My thoughts:

a)      "One size fits all" solutions simply don't fit most organisations. Some 
e.g.:
    a.      "you support users connecting from home today", so obviously 
    you can scale to support the entire organisation doing the same at 
    work, or
    b.      "give each user their own VLAN" - yeah, we'll create 100,000 VLANs - 
    imagine maintaining the FWs, routers, and how much more complex user 
    provisioning and de-provisioning is going to be. What happens when users move 
    between buildings? Telcos can make this happen, but telcos are in the 
    networking business.
b)      Treating wireless users as "external" and then making them VPN in isn't 
new - that's been the thinking for 20 years. It was "state of the art" maybe in 
2000, but it's not now.
c)      I know Microsoft was arguing for the "hard core" and "soft shell" 
since circa 2006 or so - so even that's not new. However I disagree that there 
should be one boundary (around the data centre) and we ignore everything else. 
Obviously Brian doesn't understand how large organisations (and I'm guessing 
other sizes as well - I don't have that much experience) work. Most banks (for 
example) are stuffed full of "knowledge workers" that depend on data being on 
their client PCs. For example I've seen reconciliations in a large 
institutional bank being run on over 2,000 Excel spreadsheets due to lack of 
straight through processing between diverse systems. You can treat them as 
being "on the internet", but that's too difficult to do in practice with 
granularity. If you make them VPN in, you end up giving them wide-open access 
anyway. So why not just use 802.1x to guard your physical (including WiFi) 
access? Surely 802.1x is easier and cheaper to deploy than catering for 
100,000+ VPN connections?

This looks like just another "magic bullet" - simple solution to a complex 
problem that only works in simple (i.e. small) environments.

Cheers
Ken

From: James Rankin [mailto:[email protected]]
Sent: Monday, 15 April 2013 10:24 PM
To: NT System Admin Issues
Subject: Some interesting thoughts about network security

http://www.brianmadden.com/blogs/brianmadden/archive/2013/04/15/rethinking-network-security-all-your-on-premises-wifi-users-are-actually-quot-remote-quot-users.aspx

