Bring Your Own Device (BYOD), Bring Your Own Cloud (BYOC), Bring Your Own Technology (BYOT), Choose Your Own Device (CYOD), Bring Your Own App (BYOA), Corporately Owned Personally Enabled (COPE). Trendy acronyms and hype aside, the fact is that mobility and cloud services are changing the way we work, and IT organizations must adapt. If we must use an acronym to describe the new work environment, I choose BWTD (Bring Work to Devices); managing and securing this world is the focus of this article.
Whether it’s VoIP, Unified Communications, Cloud Computing or Big Data, whenever there is an emerging technology trend we can expect the accompanying marketing hype, a multitude of definitions along with conflicting statistics and projections. BYOD is no exception and statistics and projections depend entirely on the context and how it is defined. For the purposes of this article I will limit the use of the term BYOD to describe mobile devices that are being used for both corporate and personal purposes, regardless of who owns the device.
Initially at least, BYOD was about non-corporately assigned devices being used by employees for work functions. So let’s address the question of device ownership first. Who owns the devices is of course relevant and the implications associated with policy, security, personal vs. corporate liability and compensation must all be addressed. Device ownership considerations must be part of an overall and well defined mobility strategy. However, in the context of managing and securing the mobile work environment, the question of who owns the device is a relatively minor aspect of a sound mobility strategy.
There are several ownership models each with their own pros, cons, and considerations. The most appropriate model depends on the specifics of the organization. Again, ownership is not the most significant issue. Rather, the management and security of mobile devices that are accessing corporate resources is what must be addressed. This is true even if all the devices are corporately owned and locked down for corporate use only.
There are many ownership options that can be applied with respect to device and service plans. Considerations include security, privacy, company policy, tax laws, company culture, demographics, and many more; the specifics of which will be discussed in a future article.
Many organizations initially embraced BYOD believing that it would lower costs. Many articles and papers on the topic still claim cost savings as a primary benefit. However, there are plenty of examples where the cost savings were not realized and many organizations have since retracted their BYOD program; that is, employee-owned devices for work.
Mobility Impact on the Enterprise
The bad news is that BYOD will add complexity and increase security risks in the mobile enterprise. The security risks are real and must be managed. On a couple of occasions clients have told me that “we don’t allow BYOD”. However, casual observations revealed that personal devices were being used in the enterprise whether they were allowed or not. BYOD is happening whether you like it or not. You can either embrace the trend or become a victim of it.
The good news is that BYOD can bring tangible benefits to your organization and its employees while adequately managing the associated risks. Over the course of the last few years multiple new Mobile Device Management (MDM) vendors have emerged that provide a rich set of management and security capabilities. In addition, mobile device manufacturers have acknowledged the corporate requirements and continue to integrate robust security and management functionality into their operating systems.
Enterprise Mobility Strategy
In order to reap the benefits of the mobile enterprise while managing the associated complexity and risks, a sound BYOD strategy is required. The goal of the strategy should be to balance the business benefits with the associated risks. This balance can be tricky. For example, a strategy that secures the device at the expense of ruining the personal experience will not yield the desired results. However, striking the appropriate balance is achievable with a well thought out plan.
BYOD should not be addressed in isolation. Rather, it should be a subset of an overall mobility strategy and should be treated like any other strategic IT initiative which includes discovery, analysis and implementation, and starts with identifying the vision and the business objectives. IT organizations that assume leadership and are proactive with respect to BYOD are more likely to be able to influence and control the mobile environment.
As with any other project one of the first and most critical steps is to identify your sponsors and stakeholders. When it comes to enterprise mobility, sponsorship can often be found with senior leaders who may already be pressuring IT organizations to deploy and support devices and applications before IT is ready to support them.
Stakeholders will likely include parties not normally associated with other IT initiatives. Enterprise mobility has the potential of impacting the entire organization and beyond. At the very least, you should consult: Users, HR, Finance, Legal, Operations and Support, and Security. Also, don’t forget your customers and your partners, who likely have expectations on how they will interact with your organization from a mobility perspective.
Your strategy should be based on a solid understanding of your current environment. With enterprise mobility, assumptions about your current state can be dangerous. While your organization may not have a BYOD program and perhaps prohibits the use of personal devices to access corporate resources, it doesn’t mean that it’s not happening; in fact it probably is! Begin by reviewing the devices, operating systems and Apps that are being used. Look beyond the corporately approved devices and Apps. If non-approved devices and Apps are being used, there may very well be legitimate drivers for their use that will have to be considered.
Identify and categorize your mobile user population and identify the resources they require. Identify the user roles and the sensitivity of the data they will be accessing. This exercise will help to determine who is allowed to access what resources, from what device and operating system and from where. Yes, we are talking about mobile devices here so the location from which corporate data is being accessed may indeed be a factor. For example, it may not be acceptable to allow a mobile device access to schematics associated with a nuclear facility outside of specific confines within the campus.
[Figure: Example User Matrix]
A solid understanding of your user population and the access they require will play a role in determining which devices and operating systems you will support and for which purpose. For example, a clerk who needs only email access may be allowed a broader range of acceptable device choices than a salesperson who needs direct access to sales and financial databases.
Other considerations for supported devices will include:
- The capabilities and limitations associated with your management tools.
- In-house expertise and the level of support you will provide.
- The ability of the device to support the specific Apps that will be required to access the corporate resources.
Contrary to what many believe, according to the Cisco IBSG Horizons Survey Report, more than 80% of BYOD cost is not related to devices. Your financial analysis should consider all of the capital and operational costs that will be required to support your mobility strategy. Considerations will include:
- Infrastructure which includes wired and wireless network capacity (bandwidth) and capabilities such as VLAN segmentation and Wi-Fi Access Point density;
- Management tools including MDM, and detection and enforcement tools to control devices at the network access layer;
- Operations and Support;
- Training; and,
- Devices and service plans.
One of the most important aspects of successfully deploying BYOD is the mobility policy. To ensure success the mobility policy must precede the technology decisions. Defining the policy will require consultation with your users, HR and Legal among others. The key is to strike the right balance between user demands, cost and risk while ensuring that it protects the organization from liability and litigation.
Your mobility policy should define “Acceptable Use”. This aspect of the policy should spell out personal use restrictions which could include rules with respect to voice and data usage, travel plans, SMS and Apps.
The policy should spell out user responsibilities with respect to reporting a lost or stolen device. On the topic of lost devices, the policy must make users aware of the actions that will be taken when a device is lost. For example, will the organization perform a partial or full wipe of the device, including any personal information or media? Even if the policy states that a device wipe will delete personal data and the user has agreed, it doesn’t mean that such an event won’t cause a problem. Therefore, serious consideration should be given to the ability to support dual persona and selective wipes.
Payment and reimbursement policies for devices, service plans and personal use must be part of the policy. In addition, define your replacement policy and related financial aspects if a device must be replaced because it was lost, stolen or accidentally damaged.
The mobility policy will help to guide many of the technology decisions that will follow. From a user population perspective, the policy will set the proper expectations and define rules which can then be monitored and enforced, and if necessary, used to justify corrective actions. All of the users should understand the policy and agree. Keep the acceptance document simple with a few checkboxes and ask your users to sign it.
Any strategy or policy that doesn’t account for human behaviour is flawed. Policy and user agreements are not enough and you must have the tools to monitor and enforce compliance. You will need tools to manage these aspects at the operating system, App, and network layers. While this may change in the future, today a variety of tools will be required to manage these different aspects.
Enterprise security features continue to be incorporated into devices by their manufacturers. However, for the foreseeable future, MDM solutions must be considered as part of an enterprise mobility strategy if you intend to allow personal and corporate use beyond simple email and web access. Even in simple and low sensitivity environments, MDM solutions may offer beneficial security, monitoring and compliance functionality.
According to IDG Enterprise’s 2013 Consumerization of IT in the Enterprise survey, only 28% of 1,621 IT leaders have invested in an MDM solution. In my view, this means that many enterprises are at risk of experiencing security breaches or data loss. MDM solutions are available in both on-premises and cloud-based service delivery models. However, owning an MDM solution is only part of the story; these platforms must be properly configured and managed.
While ActiveSync is a good start for many organizations, it is not enough and lacks some of the features that are considered basic in MDM products. For example, with ActiveSync it is not possible to perform a selective wipe, so if a device must be wiped for some reason, all of the data on that device will be deleted, including any personal data. There have been examples where the deletion of personal data has resulted in litigation.
For more information on the potential shortcomings of ActiveSync relative to MDM products, you can refer to this paper by MaaS360: Understanding the Role of Exchange ActiveSync in Mobile Device Management that can be found at http://content.maas360.com/www/content/wp/wp_maas360_mdm_roleOfEAS.pdf. While the paper is promoting a specific solution, it nevertheless provides an excellent summary of what ActiveSync can and cannot do.
There are currently many MDM vendors and there will likely be further consolidation in this space over the next couple of years.
The leading MDM vendors offer a host of rich features that allow organizations to effectively secure the mobile environment while preserving the user experience and allowing simultaneous corporate and personal use. When selecting an MDM platform, organizations should look for these basic capabilities:
- Dual persona (sandbox / containers);
- Ability to encrypt all traffic in transit and at rest;
- Prevent exporting documents to other Apps;
- Prevent copy and paste (for example from a corporate email to a personal App);
- Self-service features such as provisioning and device wipe;
- Automated enrollment;
- Full and selective device wipe;
- Control over device functions such as Bluetooth, cameras, cell or Wi-Fi radios;
- Ability to integrate with existing directory services;
- Support for multi-factor authentication;
- Over the Air (OTA) configuration; and,
- Enforcement of geographic and network restrictions.
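The user matrix discussed earlier (who may reach which resource, from what device, operating system and location) and the MDM capability checklist above come together at the moment an access decision is made. The following is an added example, not code from the article or from any MDM product, that shows how such a decision can be expressed as a policy check: resource sensitivity tiers, role entitlements, per-tier device posture requirements (MDM enrolment, encryption, container, minimum OS version) and network/location restrictions. All role names, resource names, tier numbers, version thresholds and network/location labels are constructed placeholders for illustration.

```python
"""Access-policy check combining a role/resource matrix with device posture.

Added example; every value below (roles, resources, tiers, OS minimums,
network and location labels) is a constructed placeholder, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Sensitivity tier of each corporate resource (1 = low, 4 = highest).
SENSITIVITY: Dict[str, int] = {
    "email": 1, "intranet_wiki": 1, "sales_db": 2,
    "finance_db": 3, "plant_schematics": 4,
}

# The "user matrix": which roles are entitled to which resources.
ROLE_RESOURCES: Dict[str, set] = {
    "clerk": {"email", "intranet_wiki"},
    "salesperson": {"email", "intranet_wiki", "sales_db"},
    "finance_analyst": {"email", "intranet_wiki", "finance_db"},
    "plant_engineer": {"email", "intranet_wiki", "plant_schematics"},
}


@dataclass(frozen=True)
class Requirement:
    """Minimum device posture and access context for one sensitivity tier."""
    mdm_enrolled: bool
    encrypted: bool
    container: bool                     # dual persona / sandboxed corporate data
    min_os: Dict[str, tuple]            # platform -> minimum version; {} = any
    allowed_networks: FrozenSet[str]    # empty = any network
    allowed_locations: FrozenSet[str]   # empty = anywhere


TIER_REQUIREMENTS: Dict[int, Requirement] = {
    1: Requirement(False, True, False, {}, frozenset(), frozenset()),
    2: Requirement(True, True, True, {"ios": (7, 0), "android": (4, 4)},
                   frozenset(), frozenset()),
    3: Requirement(True, True, True, {"ios": (7, 0), "android": (4, 4)},
                   frozenset({"corp_wifi", "vpn"}), frozenset()),
    # Highest tier: only on the corporate Wi-Fi, only inside a defined zone.
    4: Requirement(True, True, True, {"ios": (7, 0), "android": (4, 4)},
                   frozenset({"corp_wifi"}), frozenset({"campus_secure_zone"})),
}


@dataclass
class Device:
    platform: str
    os_version: tuple
    mdm_enrolled: bool
    encrypted: bool
    container: bool
    jailbroken: bool = False


@dataclass
class Request:
    role: str
    resource: str
    device: Device
    network: str
    location: str


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is listed, so a help
    desk or audit log sees all posture gaps at once, not just the first."""
    entitled = ROLE_RESOURCES.get(req.role, set())
    if req.resource not in entitled:
        return False, [f"role '{req.role}' is not entitled to '{req.resource}'"]
    tier = SENSITIVITY[req.resource]
    rule = TIER_REQUIREMENTS[tier]
    d = req.device
    reasons: List[str] = []
    if d.jailbroken:  # a compromised OS fails every tier
        reasons.append("device is jailbroken/rooted")
    if rule.mdm_enrolled and not d.mdm_enrolled:
        reasons.append("device not enrolled in MDM")
    if rule.encrypted and not d.encrypted:
        reasons.append("device storage not encrypted")
    if rule.container and not d.container:
        reasons.append("corporate container (dual persona) not present")
    min_os = rule.min_os.get(d.platform)
    if rule.min_os and min_os is None:
        reasons.append(f"platform '{d.platform}' not supported for tier {tier}")
    elif min_os and d.os_version < min_os:
        reasons.append(f"{d.platform} {d.os_version} below minimum {min_os}")
    if rule.allowed_networks and req.network not in rule.allowed_networks:
        reasons.append(f"network '{req.network}' not permitted for tier {tier}")
    if rule.allowed_locations and req.location not in rule.allowed_locations:
        reasons.append(f"location '{req.location}' not permitted for tier {tier}")
    return not reasons, reasons


if __name__ == "__main__":
    personal = Device("android", (4, 1), False, True, False)
    print(evaluate(Request("clerk", "email", personal, "home_wifi", "home")))
    print(evaluate(Request("salesperson", "sales_db", personal, "home_wifi", "home")))
```

The point of returning every failed check rather than a bare deny is operational: the same list drives the self-service enrolment flow (tell the user exactly what to fix) and the compliance report (which tiers are unreachable from the current fleet), two of the self-service and compliance capabilities listed above.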
Apps management will be a key component of any mobility strategy, and the world of mobility raises many new issues that must be considered.
Let’s start with the question of how to distribute the Apps. If your MDM platform has advanced dual persona capabilities you may allow users to install any App they choose for personal use. However, you will likely want to control the source and type of Apps that users can install for corporate use. One option is to host your own App store with corporate Apps that you have approved.
A second issue is the security implications of the allowed Apps. If you choose to permit consumer Apps, make sure that you understand the security implications. For example, many Apps will collect data of one form or another, so ensuring that Apps used for accessing corporate resources do not compromise security will require a fair amount of due diligence in order to understand what the App might be doing in the background. Apps may introduce unanticipated risks. For example, if you ask Siri on Apple’s iPhone to read your email, the content of that email is uploaded to Apple’s data centres where it is processed and then played back on the device. What happens to the data? Is the information stored? If so, where, for how long, for what purpose and who has access? While you may not care if the email being read is an invitation to the Christmas party, these are legitimate issues that must be understood before you allow Siri to read emails with high sensitivity. The same applies to Apps that access contacts, calendars or any of the functions on the device such as cameras and microphones.
Another issue is cost. With some recent exceptions, App licenses have not been transferable, and while most mobile Apps are relatively inexpensive, the costs can still add up quickly. Recently, Apple introduced “Managed Distribution” for App Store Volume Purchase Program (VPP) for Business and Education which, among other things, allows purchasers to revoke Apps from users when no longer needed, and reassign the licenses to different users.
Apps and App development may also influence the types of devices you will allow in your mobile enterprise. Some corporate services may only be compatible with Apps on specific operating systems. If you will be developing your own Apps, will you create Apps that can work across multiple platforms such as HTML5 or will you develop Apps for a single operating system?
Finally, there is the topic of App development. There likely will come a time when there will be a need to create an App for a specific purpose that can’t be sourced off the shelf. The mobility strategy must consider the organization’s capabilities in this area and whether it will develop in-house or outsource.
Operations and Support
The number of mobile devices, operating systems and Apps entering the enterprise environment will likely continue to rise. This proliferation of devices has the potential to substantially increase the effort required to support and administer mobility. Assess your support and day to day administration capabilities and consider these in the context of your mobile strategy. You may have to limit what you allow and the speed of deployment based on your support capabilities. Look for ways to limit the level of support you will need to provide by encouraging a self-service model. Some things to consider include providing training and associated documentation, a mobility webpage with a corporate wiki, FAQ and links to vendors’ sites and other external resources.
Day to day administration of the mobile fleet can also be a burden. Activities such as provisioning and decommissioning devices, importing and exporting numbers, replacing broken or lost devices, device repair and first level support may require a full time resource for organizations with a large number of mobile devices. Considering these aspects as you formulate your mobility strategy may result in a decision to outsource some or all of these aspects.
As stated earlier, most of the cost associated with BYOD is unrelated to devices. Unless you have the appropriate tools and resources or assistance from an expense management firm, your mobility costs may quickly spiral out of control. In addition, managing the associated reporting and accounting aspects may consume the time of skilled resources that should be focused on more strategic activities. The challenges associated with managing expenses include: contract compliance, detecting errors and retrieving the associated credits, and detecting inappropriate usage charges.
Depending on the size of your organization it might be a good idea to start with a proof of concept or a deployment that is limited in scale and the associated services. If you elect to limit the initial deployment make sure that you select a representative sample of the user population, the devices, operating systems, Apps and the information that will be accessed. Whether you fully deploy or not, ensure that you have identified the metrics by which you can measure success.
Finally, mobility is changing at a rapid pace. Thus it is important to periodically reassess your enterprise mobility environment.
Whether we are ready or not, BYOD is a growing phenomenon in today’s organizations. However, as I hope the above article shows, who owns the device is not the most important factor. It is simply one aspect to be considered in developing a comprehensive approach to the management and security of any mobile device that accesses your corporate resources.