Posted by: Dan Kirsch | May 2, 2012

Device Management Strategies Must Adapt to New User Expectations

The Rise of BYOD Workplaces

Bring your own device (BYOD) to work is a growing trend across all industries. The idea that an employee, customer, or partner will access your network with any device they choose was unheard of only a few years ago. It wasn’t long ago that companies had strict policies on what devices could and couldn’t connect to the company’s network. Today many companies still try to enforce these policies without much success. Now the tables are turned: when executives or partners want to use their iPads or smart phones on the corporate network, IT is forced to adjust so that it is easy to use those devices. Case in point: when President-elect Obama decided that he wanted to use a mobile email device, IT had to find a quick and secure way to enable this.

There is no doubt that the movement to BYOD will continue.  The two main drivers for the growth of BYOD policies are:

  • Streamlining process — Organizations that used to purchase and control devices for employees are getting out of the business. It costs far less to decommission Blackberry servers and get out of the cycle of purchasing new hardware for employees. (I have had direct conversations with companies who have saved thousands of dollars per decommissioned Blackberry, but there is some debate as to the real cost savings: http://www.cio.com/article/703511/BYOD_If_You_Think_You_re_Saving_Money_Think_Again.)

  • Supporting employee choice — At the same time that management wants to save money, employees want a single device based on their preferences for both personal and corporate use.

A generational divide for mobile device management expectations

In a BYOD environment, companies must balance corporate needs, such as compliance with HIPAA and PCI DSS, with employee expectations of privacy and independence. A new generational technology divide has emerged in the workplace. Early Blackberry users were given a company-owned device by their employer. Although the device may have been used for some personal calls or email, it was clearly a corporate asset. Today, new employees have been using a smart phone for years. Younger employees expect to control their own device. These same employees would be horrified to learn that many current acceptable use policies (AUP) give employers virtually all control over a device. With changing employee expectations, organizations will be compelled to adapt the way they manage mobile devices.

BYOD software solutions and corporate policies must address the following issues:

  • Device wiping. Most current mobile management platforms allow an organization to fully wipe all of the data and applications from handsets. An employer must have good procedures in place so that it does not mistakenly wipe handsets or delete personal data. Full-wipe policies are commonplace, however, because corporate data could be stored in different areas of the phone, for example the onboard memory or the SD card. A theoretical case study of the implications of device wiping is as follows:

An employee is hired and is told that he can use his personal mobile device for work.  He downloads the appropriate apps and his device is now on the corporate network.  Unfortunately, after several months the employee is fired.  Through an automated process, human resources decommissions the employee’s credentials.  As a part of this automated process, the employee’s mobile device is fully wiped and restored to factory presets.  Although upon hiring, the employee might have signed a contract that in small print permitted the device wipe, he was unaware that it would happen.  He loses valuable personal pictures and data that can never be replaced and had nothing to do with his employment.  The employer may face a costly lawsuit for destroying the data.

  • Jailbroken and rooted devices. Jailbreaking an iPhone or rooting an Android allows device users to gain functionality that may be disallowed by a handset carrier or manufacturer. Online guides and free software make this process straightforward and easy for people with moderate technical know-how. Many current endpoint management solutions allow companies to ban jailbroken and rooted devices from the corporate network. A full ban is an easy policy decision, but it may fail to increase security and serve only to alienate tech-savvy, valuable employees. Organizations and vendors should investigate the full implications of a blanket ban.

  • Web traffic, geolocation and activity monitoring. Traditional lines of what an employer can and can’t monitor are fairly straightforward and understood. An employee using a corporate-owned mobile device understands that their web traffic and other activities might be monitored. In a BYOD mobile environment, when does the monitoring end? It is in both the employer’s and employee’s interest to prevent 24/7 activity monitoring. Collecting mobile device web, geolocation and other activity information could expose a company to liability or drag it into other legal proceedings. At the same time, employees have a right to shield purely personal activities from their employer.

  • Illegal content. If an employee stores or downloads copyrighted material on a corporate device, they can clearly be disciplined and reported to authorities. With BYOD, companies risk employees connecting devices that contain illegal content to the network. Does the company have an obligation to report the content if it finds out about it, or, so long as corporate resources were never used, does the employee have a right to privacy? Organizations will need to create unambiguous policies on how they will treat these situations in order to limit risk.

The reign of the corporate-owned Blackberry has clearly ended, and consistent policies for device management and governance of BYOD devices are still evolving. Most current device management software is either monolithic and destroys the native device experience, or is a point solution that lacks full security or compliance capabilities. New offerings must reduce corporate risk while at the same time meeting the expectations that employees have for privacy and control over their device.

Responses

  1. It’s possible to address security concerns and still implement BYOD. What’s needed is to separate the Enterprise apps and data from the personal devices. This can be achieved with a solution like Ericom’s AccessNow, a pure HTML5 RDP client that enables remote users to securely connect from various devices (including iPads, iPhones, Android devices and Chromebooks) to any RDP host, including Terminal Server (RDS Session Host), physical desktops or VDI virtual desktops – and run their applications and desktops in a browser. This keeps the organization’s applications and data separate from the employee’s personal device. All that’s needed is an HTML5 browser. No plug-ins or anything else required on the user device.

    AccessNow also provides an optional Secure Gateway component enabling external users to securely connect to internal resources using AccessNow, without requiring a VPN.

    For more info, and to download a demo, visit:
    http://www.ericom.com/html5_rdp_client.asp?URL_ID=708

    Note: I work for Ericom

  2. Rover Apps solves the BYOD dilemma with a simple-to-deploy solution that delivers thoroughly secure access to enterprise resources without the need for VPNs or mobile device management. The Rover solution has two components: Rover Gateway and Rover Retriever.

    The Rover Gateway publishes existing intranet sites (such as SharePoint), line-of-business applications, documents, and internally developed apps to any popular personal device running Rover Retriever. Publishing can begin within minutes of installation, and IT has full control over policies and which devices are allowed to connect.

    Rover Retriever is an app that mobile users install to access information published by Rover Gateway. Retriever is a “container” solution that doesn’t affect the rest of the device, and communications occur over a private communications link with high levels of encryption, with all mobile devices kept off the enterprise network.

    This scenario empowers IT to easily extend application access to any personal device while retaining full control over the “secure island” of corporate data. With company information isolated from other mobile device information and settings, users are free to use their personal apps at will.

    For more info, and to download a demo, visit http://www.roverapps.com. Note: I work for Rover Apps.

