TMCNet:  Establishing a realistic BYOD governance policy [KM World]

[January 14, 2013]

Establishing a realistic BYOD governance policy [KM World]

(KM World Via Acquire Media NewsEdge) BYOD - Bring Your Own Device - is becoming a reality of office life these days. It's a natural consequence in a world where people are bringing iPads, iPhones, Androids and Blackberrys to work.

"As a result, organizations have been compelled to open up their networks to a wider variety of these devices that their employees want to use," says Apoorv Durga, senior analyst with Real Story Group (real storygroup.com).

For corporations trying to save IT dollars, BYOD is good news. Employees are now paying to acquire and maintain smart phones, tablets and laptops that were once funded by the GG budget. "These organizations have realized that encouraging employees to bring in their own devices can be a win-win situation for them, as well as for their employees," Durga says.


On the downside, the ever-growing variety of BYOD devices - and the fact that they are owned/controlled by employees - poses serious security, workflow and GG management issues for employers. Among those concerns are hackers accessing corporate data through relatively insecure consumer devices, the challenge of integrating BYOD platforms with enterprisewide corporate software, and extra IT funds being required to support a myriad of BYOD platforms.

Proper handling "This is why it is vital for employers to establish a realistic, comprehensive BYOD governance policy," says Christian Kane, an infrastructure and operations analyst with Forrester (forrester.com). "Properly handled, BYOD can be a benefit to your business. But mishandled, it can compromise your security, reduce your productivity and cost you money." The fundamental issue associated with BYOD is the transfer of device responsibility and control from the enterprise to the employee. No longer can the employer dictate which devices are used, in which security parameters and under what conditions. Under BYOD, the most they can do is to define and control what levels of access BYOD equipment has to their networks, applications and corporate data.

The challenge doesn't end there: GG managers must cope with the fact that popular BYODs may not be well suited for the corporate environment. That is because businesses have typically purchased smart phones, tablets and laptops based on a combination of job functionality, security and ruggedness. Employees, on the other hand, tend to buy those devices based on fashion, peer pressure and even downright whim.

This is not to say that all employees lack "due diligence" in selecting their BYODs. But the fact is that style rules in consumer technology. Employees are more likely to choose a device that makes them look cool, rather than one that guarantees the security of the data stored onboard.

More challenges Add the weak password choices people often make for their own technology - which explains why celebrities' supposedly private smart-phone photos keep turning up on the Web - and one can see why BYOD could drive an GG manager to drink.

Even if every BYOD smart phone, tablet and laptop were secure, the sheer volume of options also provides headaches for GG departments. 'The diversity of devices and platforms to be supported is a major challenge," says Aravind Ajad Yarra, lead architect at Wipro (wipro.com) and a member of the team that devised/implemented the company's BYOD governance strategy. 'This is especially an issue with Android devices, because there are multiple versions with multiple capabilities, made by multiple manufacturers," he says.

Finally, there is the issue of access: Who gets access to what data, and who should be blocked And should a vice president using a BYOD that is known to be secure have more access than a VP with a relatively insecure BYOD Those are the issues that have to be tackled when devising a BYOD governance strategy - an approach that the experts agree is a must for all GG departments. Here's how to do it.

BYOD governance Step one: Meet with stakeholders and get them involved.

Once upon a time, the GG department could manage GG issues on its own. But such is not the case in today's BYOD world. The devices employees use impinge on the work they do, the corporate secrets they keep and the content that the firm could get sued for. Inappropriate behavior by such employees could be a cause for dismissal.

'This is why you need to bring in the relevant departments, plus HR and legal, when you put together a BYOD governance strategy," says Kane. "You need the big-picture view at the outset; not after the fact when things have gone wrong." "I think first and foremost is to put together a strategy around adoption," adds Yarra; "not just limit it to communication and messaging areas, but broaden it to key enterprise applications. In my view, traditional device management approaches don't work, as those doesn't look at applications and use cases. Because of the investments needed and security-related concerns, the strategy should consider the business use cases, applications and data involved." Step two: Limit access to deter hacking.

Just because employees are using their BYODs for work, doesn't mean they need access to every element of the enterprise on those devices. In fact, it is prudent to decide what applications they really need access to, and then limit their BYOD access to those.

By doing that, GG can beef up the verification and firewall protections around those apps, to deter hacking. They can even run those apps in a separate virtual WAN, keeping them isolated from vital enterprise data. In the same vein, it may make sense to have BYODs operate on a separate e-mail system, with access to separate Wi-Fi networks on the job.

Savvy IT managers will want to talk to mobile device management (MDM) vendors to see which of their software products will work within this new BYOD world. Those vendors include BoxTone (boxtone.com), Mobilelron (mobileiron.com) and SAP (Sybase, sap.com).

Step three: Think beyond the network.

At first glance, one might think that BYOD issues end when an employee leaves the workplace. But they don't.

A case in point: If an employee uploads corporate data in a consumerbased public cloud, "they could be putting your proprietary data into a situation where the cloud operator gets defacto ownership of it," warns Hormazd Romer, Accellion's (accel hon.com) senior director of product marketing. "Meanwhile, although file transfer services such as Dropbox (dropbox.com) don't make these claims, your data is still under their control once it's been uploaded to them." In response to that threat, Accellion markets secure cloud-based file transfer services for business, ensuring that proprietary data stays proprietary and secure through the file transfer process.

This is just one way BYOD can hurt a corporation. Another is through uncontrolled costs. Once the company has agreed to let a employee use a BYOD while on the road, it has made itself hable for roaming charges. Those can be huge if the employee hasn't taken steps to keep his or her down - and many don't.

This is where iPass (ipass.com) comes in. "We provide connections to commercial Wi-Fi networks around the globe for business," says Chris Witeck, iPass's senior director of product marketing. "Our plans provide IT departments with reliable, fixed-rate costs that minimize roaming by their employee's BYODs." Step four: Start small.

Supporting BYOD on a corporate level does not obligate an IT department to suddenly support all platforms at once. Instead, it is logical to select a few platforms at the outset - both to allow the rollout of BYOD to work at a reasonable and affordable pace, and to allow IT staff a learning curve to become accustomed to the new way of working.

"Many organizations start small," says Durga. "Instead of allowing employees to bring in just about any device, they give them options from among a set of devices. So, for example, employees can use an iPhone or an Android device. As they mature, they add more device types (like Windows) to the mix." "You have to understand that moving to BYOD is a really wideranging initiative for any IT department," adds Kane. "As a result, you need to take your time. Find out which BYOD is most in demand at your workplace, and start with that one. And don't roll out to all users. Select a few executives as a pilot group, and begin with them. There is so much riding on doing BYOD well that you don't want to rush it." While you're doing that, consider limiting all other BYOD access to core functions, such as e-mail word processing and Web browsing. "But don't go too far, to the extent that you risk alienating your user base," Kane advises. 'There always needs to be a balance between security and accessibility." Step five: Probe for vulnerabilities.

The push for BYOD workplace adoption is being driven by employees, not IT managers. Employees want to use their own devices for the sake of convenience and familiarity. IT managers would likely prefer them not to do so, sticking instead to one corporatetested and approved device whose weaknesses are well understood and anticipated.

Like it or not, the employees are in the driver's seat on this issue, in part because many BYOD users are executives with the power to override GG. So the smart way to deal with this reality is for IT managers to implement a limited BYOD rollout, and then to do their best to hack it, however they can.

It is better for serious flaws to be spotted and remedied by IT than for them to be discovered as the result of a hacking attack. Besides, if one particular BYOD platform proves to be seriously insecure, IT will have enough proof to convince management to keep it off campus.

Step six: Prepare for problems.

Employees lose their own devices all the time. If you are going to provide their BYODs with access to a business WAN, you must be able to deactivate that access easily and quickly. BYODs with network access should be capable of being wiped remotely, so that sensitive data can be removed.

As for the thorny issue of personal content: The same management system that restricts employee access to all network resources should also be used to prevent employer access to the employee's personal content. This will likely involve setting up some sort of password protection on the BYOD, to ensure that unauthorized users cannot access an employee's personal emails and photos.

"You may want to consider having separate data silos on BYODs, so that the employee has one set of passwordprotected apps for business, and another for personal use," says Kane. "This is one way to protect confidentiality on both sides - and to prevent any legal issues arising from employers looking at employee's personal data." The time to act is now BYOD is here, and business knows it. This is why "almost all the organizations that have a reasonably sized IT budget are already rolling out BYOD strategies," says Yarra. Unfortunately, most of those are limited to e-mail and other messagingrelated apps: "Very few have gone beyond these basic apps to business applications," he says.

Harnessing the full power of BYOD will require businesses to take this next step, and to back it up with sufficient safeguards to protect their data and intellectual ownership rights. One thing is certain: The sooner IT departments come to grips with BYOD, the better ... for employers and employees alike.

"Properly handled, BYOD can be a benefit to your business. But mishandled, it can compromise your security, reduce your productivity and cost you money.' "Almost all the organizations that have a reasonably sized IT budget are already rolling out BYOD strategies." James Careless is a freelance writer who has covered business processes for a number of publications, including Streaming Media e-mail pmesc@tjtdesign.com.

(c) 2013 Information Today, Inc.

[ Back To Cloud Computing 's Homepage ]