Establishing a realistic BYOD governance policy
BYOD—Bring Your Own Device—is becoming a reality of office life these days. It's a natural consequence in a world where people are bringing iPads, iPhones, Androids and Blackberrys to work.
"As a result, organizations have been compelled to open up their networks to a wider variety of these devices that their employees want to use," says Apoorv Durga, senior analyst with Real Story Group.
For corporations trying to save IT dollars, BYOD is good news. Employees are now paying to acquire and maintain smart phones, tablets and laptops that were once funded by the IT budget. "These organizations have realized that encouraging employees to bring in their own devices can be a win-win situation for them, as well as for their employees," Durga says.
On the downside, the ever-growing variety of BYOD devices—and the fact that they are owned/controlled by employees—poses serious security, workflow and IT management issues for employers. Among those concerns are hackers accessing corporate data through relatively insecure consumer devices, the challenge of integrating BYOD platforms with enterprisewide corporate software, and extra IT funds being required to support a myriad of BYOD platforms.
"This is why it is vital for employers to establish a realistic, comprehensive BYOD governance policy," says Christian Kane, an infrastructure and operations analyst with Forrester. "Properly handled, BYOD can be a benefit to your business. But mishandled, it can compromise your security, reduce your productivity and cost you money."
The fundamental issue associated with BYOD is the transfer of device responsibility and control from the enterprise to the employee. No longer can the employer dictate which devices are used, with what security settings and under what conditions. Under BYOD, the most it can do is define and enforce what level of access BYOD equipment gets to its networks, applications and corporate data.
The challenge doesn't end there: IT managers must cope with the fact that popular BYODs may not be well suited for the corporate environment. That is because businesses have typically purchased smart phones, tablets and laptops based on a combination of job functionality, security and ruggedness. Employees, on the other hand, tend to buy those devices based on fashion, peer pressure and even downright whim.
This is not to say that all employees lack "due diligence" in selecting their BYODs. But the fact is that style rules in consumer technology. Employees are more likely to choose a device that makes them look cool, rather than one that guarantees the security of the data stored onboard.
Add the weak password choices people often make for their own technology—which explains why celebrities' supposedly private smart-phone photos keep turning up on the Web—and one can see why BYOD could drive an IT manager to drink.
Even if every BYOD smart phone, tablet and laptop were secure, the sheer volume of options also provides headaches for IT departments. "The diversity of devices and platforms to be supported is a major challenge," says Aravind Ajad Yarra, lead architect at Wipro (wipro.com) and a member of the team that devised/implemented the company's BYOD governance strategy. "This is especially an issue with Android devices, because there are multiple versions with multiple capabilities, made by multiple manufacturers," he says.
Finally, there is the issue of access: Who gets access to what data, and who should be blocked? And should a vice president using a BYOD that is known to be secure have more access than a VP with a relatively insecure BYOD?
Step one: Meet with stakeholders and get them involved.
Once upon a time, the IT department could manage IT issues on its own. But such is not the case in today's BYOD world. The devices employees use impinge on the work they do, the corporate secrets they keep and the content that the firm could get sued for. Inappropriate behavior by such employees could be a cause for dismissal.
"This is why you need to bring in the relevant departments, plus HR and legal, when you put together a BYOD governance strategy," says Kane. "You need the big-picture view at the outset; not after the fact when things have gone wrong."
"I think first and foremost is to put together a strategy around adoption," adds Yarra, "not just limit it to communication and messaging areas, but broaden it to key enterprise applications. In my view, traditional device management approaches don't work, as those don't look at applications and use cases. Because of the investments needed and security-related concerns, the strategy should consider the business use cases, applications and data involved."
Step two: Limit access to deter hacking.
Just because employees are using their BYODs for work doesn't mean they need access to every element of the enterprise on those devices. In fact, it is prudent to decide which applications they really need, and then limit their BYOD access to those.
By doing that, IT can concentrate stronger authentication and firewall protection on those apps, to deter hacking. It can even run those apps in a separate virtual network segment, keeping them isolated from vital enterprise data. In the same vein, it may make sense to have BYODs operate on a separate e-mail system, with access to separate Wi-Fi networks on the job.
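One way to turn "limit BYOD access to the apps people really need" and the earlier question of whether a VP with a well-secured device should get more than a VP with an insecure one into an enforceable rule is a small policy-as-code evaluator: a per-role application allowlist, gated by a trust tier derived from device posture, with some applications reserved for corporate-managed devices regardless of tier. The following is an added illustration, not code from the article or from any MDM vendor; the role names, application catalogue, tiers and OS baselines are hypothetical and would come from the organization's own policy and MDM inventory.

```python
"""BYOD conditional-access policy: role allowlist gated by device trust tier."""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical baseline: oldest OS release still accepted as "patched".
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}

# Hypothetical app catalogue: minimum device trust tier each app may be used from.
# Tier 3 means corporate-managed devices only, so a BYOD never qualifies.
APP_MIN_TIER = {"mail": 1, "wiki": 1, "crm": 2, "hr": 2, "erp": 3}

# Hypothetical role allowlists: the apps a role needs for its job, nothing more.
ROLE_APPS = {
    "sales": {"mail", "wiki", "crm"},
    "finance": {"mail", "wiki", "erp"},
    "vp": {"mail", "wiki", "crm", "hr", "erp"},
}

BYOD_MAX_TIER = 2  # highest tier a personally owned device can ever reach


@dataclass(frozen=True)
class DevicePosture:
    """What an MDM or enrollment check reports about one device."""
    platform: str          # "ios" or "android"
    os_version: tuple      # e.g. (17, 2)
    passcode_set: bool
    disk_encrypted: bool
    mdm_enrolled: bool
    jailbroken: bool       # jailbroken (iOS) or rooted (Android)


def trust_tier(d: DevicePosture) -> int:
    """Map device posture to a trust tier: 0 = untrusted, 1 = basic, 2 = managed."""
    if d.jailbroken or not d.passcode_set or not d.disk_encrypted:
        return 0
    min_ver = MIN_OS_VERSION.get(d.platform)
    patched = min_ver is not None and d.os_version >= min_ver
    if d.mdm_enrolled and patched:
        return 2
    return 1


def decide(role: str, app: str, d: DevicePosture) -> tuple[bool, str]:
    """Return (allowed, reason) for one role/app/device combination."""
    if app not in ROLE_APPS.get(role, set()):
        return False, f"{app} is not on the allowlist for role {role}"
    need = APP_MIN_TIER[app]
    if need > BYOD_MAX_TIER:
        return False, f"{app} is restricted to corporate-managed devices"
    have = trust_tier(d)
    if have < need:
        return False, f"device trust tier {have} is below tier {need} required for {app}"
    return True, f"{role} may use {app} from a tier-{have} device"


def allowed_apps(role: str, d: DevicePosture) -> set[str]:
    """The subset of a role's allowlist this particular device may reach."""
    return {app for app in ROLE_APPS.get(role, set()) if decide(role, app, d)[0]}


# Constructed sample devices (not real inventory data).
MANAGED_IPHONE = DevicePosture("ios", (17, 2), True, True, True, False)
UNMANAGED_ANDROID = DevicePosture("android", (11, 0), True, True, False, False)
ROOTED_ANDROID = DevicePosture("android", (14, 0), True, True, True, True)

if __name__ == "__main__":
    for label, dev in [("managed iPhone", MANAGED_IPHONE),
                       ("unmanaged Android", UNMANAGED_ANDROID),
                       ("rooted Android", ROOTED_ANDROID)]:
        print(f"vp on {label}: {sorted(allowed_apps('vp', dev))}")
    print(decide("vp", "erp", MANAGED_IPHONE)[1])
```

Two VPs with the same role end up with different access: the managed, patched iPhone reaches CRM and HR, the unmanaged Android only mail and the wiki, and the rooted one nothing. ERP stays off every personal device because its tier exceeds what a BYOD can earn, which is the "not every element of the enterprise" rule expressed as data rather than as a paragraph in a policy document.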
Savvy IT managers will want to talk to mobile device management (MDM) vendors to see which of their software products will work within this new BYOD world. Those vendors include BoxTone, MobileIron and SAP (Sybase).
Step three: Think beyond the network.
At first glance, one might think that BYOD issues end when an employee leaves the workplace. But they don't.
A case in point: If an employee uploads corporate data to a consumer-oriented public cloud, "they could be putting your proprietary data into a situation where the cloud operator gets de facto ownership of it," warns Hormazd Romer, Accellion's senior director of product marketing. "Meanwhile, although file transfer services such as Dropbox don't make these claims, your data is still under their control once it's been uploaded to them." In response to that threat, Accellion markets cloud-based file transfer services for business that are intended to keep proprietary data under the company's control throughout the transfer process.
This is just one way BYOD can hurt a corporation. Another is through uncontrolled costs. Once the company has agreed to let an employee use a BYOD while on the road, it has made itself liable for roaming charges. Those can be huge if the employee hasn't taken steps to keep his or her charges down, and many don't.