The Bring-Your-Own-Device (BYOD) era of corporate computing is here, and without a doubt, the demand by employees to use their own personal smartphones and tablets to conduct business tasks will continue to grow exponentially in the coming years. Businesses that do not meet this demand run the risk of data breaches and compliance violations.
BYOD is part of an evolution commonly referred to as the “Consumerization of IT,” where end-users insist on interacting with their business and personal applications their way—not as dictated by their corporate IT departments. Businesses must balance data security and compliance along with personal-device management and employee efficiency. However, relatively few companies have deployed mobile-device management platforms and policies that protect against lost or stolen devices, employee attrition, or malware. Without the proper measures in place, BYOD challenges can negate the multiple benefits that can be gained. This white paper presents a framework for successful BYOD implementation and how CIOs and their teams can effectively deploy and manage BYOD platforms.
End Users Driving the Requirement for BYOD Platforms
The Bring-Your-Own-Device (BYOD) to work phenomenon is already prevalent in many businesses. Although the percentage of employees using personal smartphones and tablets to access corporate applications may still be relatively small, studies estimate personal devices are in use at approximately 75 percent of all companies. Whether or not your company has deployed a BYOD platform and developed usage policies, chances are good that many employees use their personal devices to tap into your corporate applications every day. This can happen via your wireless network, remote access or e-mail systems. In some cases, the IT department is not aware of all the personal devices accessing corporate networks. Such companies run a high risk of corporate data breaches and compliance violations. As the popularity of smartphones and tablets grows exponentially, and as employees realize the benefits of instant access to the Internet and e-mail wherever they go, they now want to bring personal devices to work with the freedom to also interact with business applications. Employees also want to limit the number of devices they have to carry for business and personal use.
This trend, often referred to as the “Consumerization of IT,” has prompted many enterprises to create a BYOD environment so employees don’t have to carry separate devices for work and personal use. Many studies illustrate just how strong the movement is and why all businesses need to consider deploying a BYOD platform and policies—right now. For example, Aberdeen reports 75% of all enterprise businesses are currently in the process of deploying a BYOD platform and policies. Gartner predicts 90% of all large enterprises will have completed the effort by 2012. But at the same time, it appears many firms may not be ready for BYOD as demonstrated by a SANS survey of 500 IT executives to measure their comfort level in taking on BYOD. In the report, less than 10% of IT executives indicated that they can document all the personal mobile devices connecting to their network. 31% revealed that their companies don’t have a BYOD policy.
As shown by the data in these analyst reports, the time for organizations to prepare for BYOD has arrived. Those that act proactively before the number of personal-device users accessing the network increases substantially can protect their corporate assets while also capitalizing on the benefits that BYOD offers.
Justify BYOD Platform Deployment
The good news for businesses is that in addition to addressing the demands of end-users, adopting a BYOD platform with clearly-defined usage policies also generates multiple benefits:
- Productivity Increase: With the ability for employees to easily switch from personal applications to corporate applications, businesses are more likely to see increased productivity at night and on weekends outside of traditional working hours—especially if the mobile platform creates an easy-to-use, interactive environment.
- Total Cost of Ownership Decrease: Many employees will opt to use their own personal devices for business purposes; enterprises thus reduce capital expenditures since fewer devices need to be purchased. Businesses also avoid mobile device usage and Internet-access data plan costs. End users with their own devices also typically understand how the devices work to a greater degree; they thus do not require as much technical support.
- Morale Improvement: Giving employees the freedom to bring their own device gives them more control over their computing environment and acknowledges the fact that business life and personal life both sometimes need attention. In addition to keeping current employees happy, the BYOD approach facilitates recruiting and employee retention.
Business Challenges Require Specific Controls
Along with the benefits of BYOD come several challenges that businesses must address. This is particularly true of companies at which employees have already started using their personal devices before a platform with documented usage policies has been deployed. The problem may be much bigger than companies realize because it’s almost impossible to restrict access without very specific controls. Many businesses don’t have mechanisms in place—with both the visibility and access—for the following areas:
Policy to Clearly Define Privileges and Expectations
The creation of a detailed policy is important so the company and all users are clearly aware of what’s allowed and the consequences for violating policies. This includes specifying which devices employees can use and the permission the company retains to wipe corporate data and applications should devices be lost or stolen, or should employees leave the company. At the same time, the policy also needs to clearly state how personal applications will not be accessed and to what lengths the company will go to avoid wiping personal files.
Creating BYOD policy can be particularly challenging because many companies are not sure what to allow users to do and which restrictions to deploy. Many policies start out weak because BYOD privileges are usually first granted to senior managers who resist restrictions. This may be good for these end users, but it leaves the network vulnerable as other users are given privileges. Businesses need defined, role-based access rules that provide a framework against which security controls can be built to enforce the policy.
Technology to Allow Access While Maintaining Security
This involves investing in the design, configuration and deployment of technologies to support BYOD, such as a mobile-device management platform, which allows employees to access data and applications while giving IT control over the devices. The platform must also keep corporate data and applications secure should a device be hacked, stolen or lost.
Compliance with Industry Regulations
For those companies in heavily regulated industries, such as healthcare and financial services, the BYOD platform and policies must also ensure compliance with industry and government regulations when allowing personal devices to access corporate data—particularly personal client information. Without a secure platform in place, users are likely violating regulations and subjecting their companies to major fines.
Sufficient IT Resources
Businesses will also need to augment their IT staffs with the necessary support across the wide range of devices that employees are likely to want. This includes iPhone and iPad devices from Apple; Android smartphones and tablets from a host of manufacturers; Blackberry devices; and Microsoft Windows Phone devices.
Technology Challenges Span Multiple Devices and Operating Systems
When deploying a BYOD platform, IT teams face technical challenges to ensure corporate data and applications remain secure; all compliance requirements are adhered to; and that applications perform sufficiently so that employees will want to interact often and not require frequent technical support. These endeavors are much easier said than done, because to truly embrace the spirit of BYOD, businesses need to allow employees to use the device of their choice. Only then can they generate the full extent of BYOD benefits—users spending more time interacting with corporate applications. The main technical challenge lies in deploying an environment that allows positive user experiences and enables sufficient application performance while also controlling corporate risk across all the available devices and operating systems. IT must deploy technologies that protect data if devices are lost or stolen, or if an employee leaves the company.
At the same time, IT must also respect the personal data and applications stored on employee devices. Without the proper balance, the company will be at risk, or employees will feel they are restricted and won’t use the devices to access corporate applications as often as the company would like. BYOD platform requirements also go well beyond the basic capabilities of wireless networks, which were first built primarily for corporate IT, guests visiting the company, or for the few people who needed to move around an office building. The increasing number of BYOD users now connecting to the wireless network is creating a big strain on it. Wireless networks thus need to be redesigned to handle the performance concerns as BYOD users increase.
Support for All Four Major Device Platforms
When building a BYOD platform, IT will most likely have to support all four of the major mobile platforms. This includes iOS (Apple) and Android devices, which have gained tremendous ground in the corporate space due to explosive consumer-driven adoption. And although BlackBerry has lost market share in recent years, it remains the leading enterprise-mobility platform. Windows Phone devices will also most likely have a strong presence in the mobile-device market. Blackberry devices, which are designed for corporate use, streamline the technical process for ensuring security, compliance and application performance.
Unfortunately for IT from the BYOD security perspective, most people now opt for Apple and Android devices, so companies will need to prepare for these consumer-grade devices, which don’t offer as much security.
For example, iOS and Android devices do not come with the same level of security as Blackberry corporate devices and traditional computing devices such as laptops and desktops. Both iOS and Android offer encryption and password protection, but these features are easy for users to turn off. Instead of the business having complete control, users can thus make any downloads they want with various levels of configuration. Apple and Google (the developer of Android) will eventually offer devices with higher levels of security, but the market is already flooded with devices that do not stand up to most corporate security and compliance standards. While Google has released OS versions for smartphones and tablets that support full-disk encryption, the majority of devices deployed in the field have not yet adopted these new OS versions. It will be at least a year before this encryption enforcement is prevalent. Android devices present the biggest challenge for IT because Google created these devices with an open operating system. Thus, multiple variations exist across the many device manufacturers, their varying models, and the OS upgrades that occur on a regular schedule. These technical challenges can be overcome, but only if firms deploy an effective mobile device management platform accompanied by a clearly defined usage policy.
Five-Step Process for Deploying a BYOD Platform
Before deploying a BYOD platform, companies should first assess their current environment followed by establishing objectives—both from a corporate perspective as well as an employee perspective. This should be followed by the establishment of policies to support the desired environment and then the deployment of the necessary technologies and processes to support that environment.
Following is an outline of a five-step approach that many companies have adopted to successfully deploy BYOD platforms:
1. Determine Corporate Objectives:
This includes deciding which privileges and capabilities to offer to users and the expectations from users in return. Some companies may want to limit the types of devices to be accommodated or the applications that personal devices can access. Others may open the entire system to all devices in order to increase employee productivity to the fullest extent possible. Companies should also consider if they want to offer BYOD capabilities to vendors, business partners, and customers.
2. Create Overall Strategy:
This step includes the technologies to deploy and how to secure buy-in from all key stakeholders including senior management, IT and most importantly, the employees. Create a clear vision of the benefits the company expects to derive and the necessity to maintain security, compliance and application performance standards.
3. Assess Current Risk, Capabilities and Architectures:
This step should be conducted across all pertinent systems including wireless access, remote access and e-mail. This includes measuring the extent to which employee personal devices are already accessing corporate data and applications via these systems as well as the measures currently in place to ensure security, compliance and application performance.
4. Create a Policy with Standards and Procedures:
For this step, it helps to refer to best practices already developed by organizations such as SANS (See Appendix A). The policy needs to clearly communicate to employees which devices they can utilize and which privileges they are receiving. The policy also needs to clearly state the consequences of violating the usage guidelines and what will happen to personal applications and data if a device is lost or stolen, or if an employee leaves the company.
5. Identify Gaps in Security and Compliance:
Prioritize which technology and process gaps in these areas to close first. Then apply the necessary changes, such as the deployment of a mobile-device management platform, to close those gaps. One of the gaps to consider is the necessary technical support resources to help users with device issues.
As is the case with most technology deployments, the process outlined above is one that companies will need to repeat every 6-12 months to verify if the security, compliance, application performance and technical support gaps have remained closed as well as to discover if any new gaps have occurred. Businesses will also find it necessary to react to the new mobile device technologies that will undoubtedly continue to emerge as Apple, Android, Blackberry and Microsoft release new operating systems and as mobile-device manufacturers produce new models.
Taking the First Step: An Initial BYOD Readiness Assessment
For more information on preparing your company for BYOD, contact Presidio at (800) 452-6926 or visit our website at www.presidio.com.
1. Aberdeen Group Survey, February 2011.
2. Gartner’s Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away, November 23, 2011.
3. SANS Mobility/BYOD Security Survey, March 2012.