The Bring Your Own Device, or BYOD, movement is a reality for most IT departments today. And it’s generally accepted that it was spearheaded by the tremendous popularity of Apple consumer devices — primarily iOS devices such as iPads and iPhones.
Based on the Apple model, users are encouraged to purchase additional devices. And they do, with the expectation that they can use them in all aspects of their life, including professionally.
So it was no surprise when employees — and in particular, senior executives — began demanding access to company resources, email and other data on their iOS devices. Because of the seniority of the early adopters, IT departments often felt constrained to provide whatever was requested, and the trend began to snowball as it trickled down to the rest of the workforce.
BYOD – What Next?
As a result, many companies found themselves with a de facto BYOD program — not really a formal program at all — leaving networks, documents and other resources at the mercy of unmanaged and often invisible devices.
It’s important to note that the devices themselves are not the cause of the problem, nor are the users. This is because BYOD is not a technical problem; it’s a business problem, and it must be approached in this way.
The good news is that — along with the shift in device ownership and usage — the technology available to manage BYOD risk has also evolved, giving IT the ability to limit the risk while empowering the user.
Here is what the typical BYOD environment presents to IT:
- The average user has multiple devices. Along with a smartphone and possibly a tablet, this usually includes a computer.
- Users have a high expectation of using their device of choice, be it Android, iOS or OS X, including the native UI and apps.
- It is the company, not the user, that is liable when resources and data are compromised.
- With such a rapidly changing device landscape, it is likely that any existing management tool will not remain valid for more than a few short months.
So what is the best approach? First, one must consider BYOD device management solutions beyond the feature lists they provide. Gartner estimates that there are approximately 100 MDM vendors on the market today. The majority of them did not exist a few years ago, and chances are many will not be around in the near future.
That’s not to say startups should automatically be ruled out, but a company’s history and commitment to endpoint management is an important consideration. If the technology becomes redundant or is acquired by a larger corporation, IT may find itself back at square one.
BYOD and Laptops
One of the most common mistakes is to overlook the full breadth of the devices that are user-owned. While Samsung, Apple, Lenovo, Motorola and others may be stealing the spotlight in tech headlines with new and exciting mobile technology, laptops are not going away. And since most BYOD management technologies do not support these devices, IT will be forced to employ an additional solution to manage employee-owned computers.
This is already happening today. Even if an existing BYOD program is built to support iPads and smartphones, employees (senior executives at the top of the list) are expecting similar accessibility for their MacBook Air or Ultrabooks.
However, the existence of multiple devices does not eliminate the company’s need for a single standard, particularly a security standard. Securing devices via swivel-chair management on multiple consoles only adds to the complexity these management tools were supposed to reduce.
User-Centric Management for BYOD
So what’s the answer? I believe it can be found in a user-centric management approach — balancing user empowerment with data security by leveraging native and existing technologies.
For example, enrolling mobile devices into management should not require the establishment of an entirely new identity management system for user authentication. Most companies already use Active Directory and should leverage this existing infrastructure.
Substituting AD with a mobile-specific system would be like changing the lock on your back door but not the front. Leveraging AD by integrating it with a management tool allows you to assign admin roles and user policies based on groups, departments, operating units, and other directory information that is already established.
Setting BYOD Boundaries
While the multi-vendor, multi-device and operating-system landscape is much more complex than a traditional network of Windows computers, the fact is that most modern mobile devices are designed with management in mind. And while it’s true that some employees may have older devices that do not support management, it is also true that the company is in no way obligated to support these devices.
A good example of defining limits would be the fragmented Android landscape, which includes — by one researcher’s count — about 1,400 variations currently in the marketplace.
Beginning with Android 3, hardware-based encryption is supported, while Android 4 introduced additional device restrictions through the MDM API, such as camera controls.
Additionally, several Android hardware vendors, such as Motorola, Samsung, and Lenovo, offer their own extended management APIs, providing IT departments with much greater control. IT should limit Android support to the versions that provide the organization with optimum management and security capabilities.
Apple iOS devices are a known quantity with a well-documented management API. The Apple ecosystem also provides for consistency, with every iOS device manufactured within the past three years capable of supporting the latest release.
Windows Phone 7 management is limited to a subset of Exchange ActiveSync settings. Windows Phone 8 and Windows RT are expected to be similar, while Windows 8 x86 versions (such as on the Surface Pro) should be manageable to the same extent as a regular laptop or desktop computer.
Similarly, the new Apple OS X Mountain Lion release includes an MDM-like API as another management alternative on top of normal client management tools for the desktop.
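The two ideas above (deriving device policy from existing Active Directory groups, and refusing enrollment of devices whose OS release cannot enforce that policy) can be combined in a single enrollment gate. The following is an added example, not code from the original article or from any MDM product; the group names, the supported-platform list and the Android version thresholds (encryption from Android 3, MDM API restrictions from Android 4, as the article describes) are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed thresholds taken from the article's description of Android:
# hardware-based encryption from Android 3, MDM API restrictions from Android 4.
ANDROID_ENCRYPTION_MIN = (3, 0)
ANDROID_MDM_API_MIN = (4, 0)

# Assumed platform allow-list; anything else is simply not supported.
SUPPORTED_PLATFORMS = {"android", "ios", "osx", "windows"}

# Constructed table mapping directory groups to device policy. In production
# the group names would come from Active Directory membership lookups.
GROUP_POLICIES = {
    "BYOD-Executives": {"require_passcode": True, "allow_camera": True},
    "BYOD-Finance": {"require_passcode": True, "allow_camera": False},
}

@dataclass
class Device:
    platform: str    # e.g. "android"
    version: tuple   # e.g. (4, 1)
    encrypted: bool  # storage encryption currently enabled on the device

def merge_policies(groups):
    """Merge the policies of every BYOD group the user belongs to; where
    groups disagree, the more restrictive setting wins. None if no match."""
    matched = [GROUP_POLICIES[g] for g in groups if g in GROUP_POLICIES]
    if not matched:
        return None
    return {
        "require_passcode": any(p["require_passcode"] for p in matched),
        "allow_camera": all(p["allow_camera"] for p in matched),
    }

def evaluate_enrollment(groups, device):
    """Return (allowed, reasons). A device is admitted only when a directory
    group grants BYOD access and the device can enforce the merged policy."""
    policy = merge_policies(groups)
    if policy is None:
        return False, ["no directory group grants BYOD access"]
    if device.platform not in SUPPORTED_PLATFORMS:
        return False, [f"platform '{device.platform}' is not on the supported list"]
    reasons = []
    if device.platform == "android":
        if device.version < ANDROID_ENCRYPTION_MIN:
            reasons.append("Android release predates hardware-based encryption")
        elif not device.encrypted:
            reasons.append("storage encryption is not enabled")
        if not policy["allow_camera"] and device.version < ANDROID_MDM_API_MIN:
            reasons.append("camera restriction needs the Android 4 MDM API")
    return (not reasons), reasons
```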
At the End of the Day, It’s All About the Data
Organizations struggling with a de facto BYOD program are beginning to realize that systems once trusted to disseminate documents are no longer acceptable. The biggest culprit is email. While early mobile management vendors tried to “sandbox” email to protect the data, this approach really did nothing to safeguard it — though it did introduce additional complications.
With or without a sandbox, email remains email: messages and attachments that can be sent and forwarded. Nobody can stop this. Mobile devices may highlight this risk, but any company that allows Outlook Web Access has opened an even larger hole for data to exit.
By forcing workers into a non-native, sandboxed environment, whether for email or for the entire workspace, the principle of user empowerment is violated, and the entire benefit of increased productivity and user satisfaction that BYOD is supposed to inspire is put at risk.
The answer is not to reinvent email with a cumbersome and redundant infrastructure and UI. Instead, the focus should be on following best practices for data protection, practices that should have been in place before BYOD. This means managing the data separately — at least when the data includes highly confidential documents and media files.
In the end, BYOD is just today’s term for an ongoing evolution from company-owned technology to portable, user-owned technology. Properly managed, this transition can lower IT burdens while increasing user productivity and responsibility. This is the logical — and desired — outcome when you solve a business problem. The business will benefit.
I totally agree that one of the biggest challenges to BYOD implementation is getting the employees to understand the security goals and be a part of the program.
I work in hospital admin, and we rolled out Tigertext to all our doctors so they could send patient info and still be HIPAA compliant so the hospital wouldn’t get sued.
We had to bring each doctor in to show them how to install the app, and use it. It is very simple and easy to use, but the real challenge was that each doctor had all these reasons why they didn’t want to use it, or use it correctly.
The way we got them to really understand it was that our lawyer reviewed with them a case of a doctor getting sued for losing his phone, where the patient info stored in the text messages was released publicly (it was about a celebrity).
Make sure you reserve time for educating people as to why they need to follow the security procedure for BYOD, whatever it may be.