Employee demand is compelling organisations to make a decision on ‘bring your own device' – but despite some big-name cheerleaders of the trend, there is a danger that others might rush in before weighing up the pros and cons, writes Jessica Twentyman.
“I'm a big believer in BYOD. For me, it's all about enabling people to choose the way in which they can be most productive,” says Matt Peers, CIO of Deloitte. What a ‘bring your own device' programme should not be about, he says, is cutting costs. “I would never subscribe to that point of view. If you allow yourself to fall into a short-sighted, cost-reduction mentality, it could be quite counterproductive.” In information security terms, he adds, it could be downright dangerous.
On the face of it, that might seem a contrarian position to take, at a time when many business leaders cite cost reduction as a reason to allow employees to bring their smartphones and tablets to work and use them to access corporate systems. It stands to reason, they argue, that as the number of employees who purchase their own mobile devices increases, the expense associated with procuring and managing a corporate ‘fleet' must necessarily fall.
But those with experience of implementing such programmes tell a different story. In the first quarter of 2012, Trend Micro commissioned Forrester Consulting to survey 202 BYOD decision-makers in enterprises in the UK, US, France and Germany. It found that while the cost of procuring and replacing devices is likely to decrease when BYOD is implemented, the expense of application security, back-end infrastructure and regulatory compliance tends to increase.
The key benefits of BYOD, the survey found, include its positive effect on worker productivity and revenues. More than 80 per cent of respondents reported an increase in productivity following the introduction of BYOD, “as employees use their mobile devices to communicate with other workers more frequently, from any location, at any time of the day”. In addition, more than two-thirds (70 per cent) of respondents attributed an increase in revenues to BYOD.
In other words, companies that go for BYOD may have to accept some short-term pain in pursuit of longer-term gain – and information security is one of the first issues they must tackle.
That puts CISOs right in the line of fire, says Greg Day, EMEA security CTO and director of security strategy at Symantec. He explains: “The number-one concern of every CISO I speak to is information loss: is corporate information going to be lost if a device goes astray? Is it going to fall into the wrong hands as a result?
“They're telling me that, in just a few years, they've gone from having to worry about supporting and controlling BlackBerry, and maybe Apple, devices to potentially having to support multiple different flavours of Android and, increasingly, Windows devices as well.
“And they're under pressure to secure data across this range of devices in a way that doesn't upset users by interfering with their experience and doesn't upset the business by adding costs.”
MDM to the rescue
It's a tall order. In recent years, mobile device management (MDM) software has emerged as a primary solution to this problem, albeit one that comes at a price. In May, a Gartner survey of MDM vendors revealed that the average cost of software totalled around £40 per user per year, although its analysts expected this to drop to £25 by 2015.
Despite the costs involved, however, Gartner reckoned that MDM is “the fastest-growing enterprise mobile software ever, in terms of number of suppliers, revenue growth and interest from clients”. Security is a big part of that – Gartner's evaluation only included products that supported the following functions: enforcing passwords; remote wiping of data; remote device locking; creating a centralised audit trail for tracking device logins and device configuration changes; and detecting jailbreaks and rooting. Other required security components included support for anti-virus software, encryption, firewalls and mobile VPN.
Of the 20 MDM vendors evaluated, five were ranked as ‘leaders': MobileIron, AirWatch, Fiberlink, Zenprise and Good Technology.
One major user of MDM software is Good Technology client Deloitte. In September last year, it implemented a mobile device policy to allow all of its 1,500-strong UK workforce to use either a company-owned smartphone – BlackBerry, iPhone, Android or Windows Mobile – or a device of their own choosing, which they must pay for themselves. To date, around two-thirds have opted for the former, with the remainder going down the BYOD route. All tablet computers must be self-provided, meanwhile, and Deloitte employees are increasingly bringing iPads and Android tablets to work (the company expects an influx of Windows tablets after Microsoft Windows 8 is launched later this year).
Either way, MDM software enables Deloitte's IT team to administer all devices, whether owned by the company or by staff, from the same centralised system – with the exception of BlackBerrys, which are managed from BlackBerry Enterprise Server.
Each Deloitte employee has a secure, encrypted ‘container' on their device – they can have it on up to two handhelds – which they can only access when they have downloaded the Good Technology app from the relevant app store. Once they have entered their password, they can access their corporate email and calendar from within the container, as well as a secure browser that will allow them to access various back-end systems that are not accessible from their native browser. This gives them the ability to access, for example, the timesheets that consultants use to log hours spent with clients and which reside on their employee record in SAP.
“The beauty of the container is its simplicity for employees,” says Deloitte's Peers. “But it gives us the control over data that we need at the back end. The definition of passwords and their parameters are entirely configurable by our administrators. We have a password refresh policy and after five incorrect login attempts, the application will delete itself and all its data.”
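The controls described above (administrator-configurable password parameters, a refresh policy, a lock after inactivity, a wipe after five failed attempts, and the centralised audit trail Gartner lists as a baseline MDM function) can be modelled as a small state machine. The following is an added illustration written for this page, not Good Technology's or any other vendor's code; the class names, field names and the injected clock are assumptions chosen to keep the behaviour testable offline.

```python
"""Policy model for a managed corporate 'container' on a personal device.

Added example, not vendor code. It models the controls the article
describes: administrator-set password parameters, forced password
refresh, auto-lock after inactivity, wipe of container data (only)
after N failed unlock attempts, and a central audit trail of logins
and configuration changes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class ContainerPolicy:
    """Administrator-set parameters pushed to every enrolled device (assumed names)."""
    min_password_length: int = 8
    max_failed_attempts: int = 5          # wipe threshold (five in the article)
    inactivity_timeout_s: int = 300       # auto-lock after 5 minutes idle
    password_max_age_s: int = 90 * 86400  # forced refresh every 90 days


class SecureContainer:
    """State of one device's container. `clock` is injected (time.time in a
    real agent) so the idle and password-age checks run deterministically."""

    def __init__(self, policy, clock, audit):
        self.policy = policy
        self.clock = clock
        self.audit = audit                # shared list standing in for the central log
        self._salt = self._hash = None
        self._password_set_at = None
        self.failed_attempts = 0
        self.unlocked = False
        self.wiped = False
        self.last_activity = None

    def _log(self, event, **detail):
        self.audit.append({"t": self.clock(), "event": event, **detail})

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, password):
        """Enforce the policy's password parameters and log the configuration change."""
        if self.wiped:
            raise RuntimeError("container wiped")
        if len(password) < self.policy.min_password_length:
            self._log("password_rejected", reason="too short")
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)
        self._password_set_at = self.clock()
        self.failed_attempts = 0
        self._log("password_changed")
        return True

    def password_expired(self):
        """True when the refresh policy requires a new password."""
        return (self._password_set_at is None or
                self.clock() - self._password_set_at > self.policy.password_max_age_s)

    def unlock(self, password):
        """Verify the password; wipe container data after too many failures."""
        if self.wiped or self._hash is None:
            return False
        if hmac.compare_digest(self._derive(password, self._salt), self._hash):
            self.failed_attempts = 0
            self.unlocked = True
            self.last_activity = self.clock()
            self._log("login_ok")
            return True
        self.failed_attempts += 1
        self._log("login_failed", attempt=self.failed_attempts)
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.wipe("too many failed attempts")
        return False

    def touch(self):
        """Called on user activity; re-locks if the idle timeout has elapsed.
        Returns True if the container is still usable after the check."""
        if not self.unlocked:
            return False
        if self.clock() - self.last_activity > self.policy.inactivity_timeout_s:
            self.unlocked = False
            self._log("auto_locked")
            return False
        self.last_activity = self.clock()
        return True

    def wipe(self, reason):
        """Destroy container data only; personal data on the device is untouched."""
        self._salt = self._hash = None
        self.unlocked = False
        self.wiped = True
        self._log("wiped", reason=reason)


def demo():
    """Walk the policy through a constructed session with a controllable clock."""
    now = [1_000_000.0]
    audit = []
    c = SecureContainer(ContainerPolicy(), lambda: now[0], audit)
    c.set_password("short")               # rejected by the length parameter
    c.set_password("correct horse battery")
    c.unlock("correct horse battery")     # login_ok
    now[0] += 600                         # idle for ten minutes
    c.touch()                             # auto-locked
    for _ in range(5):                    # five wrong passwords -> wipe
        c.unlock("wrong")
    return c, audit
```

The audit list is what a central console would collect from every enrolled device; the wipe deliberately clears only the container's secrets and state, which is the separation between corporate and personal data that the container model is meant to give.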
Good Technology's general manager for EMEA, Andrew Jacques, says the benefits of the company's technology are two-fold – control for the IT department and freedom for users – and cites other clients, including Sainsbury's, specialist bank Investec and the London Organising Committee of the Olympic and Paralympic Games. “If you're a user, you don't want your device being controlled by corporate IT and you certainly don't want corporate IT wiping your personal data. If you're an information security professional, you don't want the liability that comes with tracking users and controlling what they do on their personal mobile phone,” Jacques says. “With our product, the user's experience with their personal data is entirely untouched by corporate IT.”
Square pegs, round holes
This issue of company liability for corporate actions performed on an individual's mobile device is a tricky one to address, says Quentyn Taylor, EMEA director of security, governance and risk at electronics company Canon. “A lot of BYOD policies simply can't cope with the regulatory environment across different jurisdictions. These policies often start falling apart when they try to extend them to other territories,” he explains. “When someone tells me their company has a multinational BYOD policy, my question to them is: ‘How?' And they'll often go on to admit that, in certain countries, it simply wasn't possible to enforce it.”
Containerisation, or ‘sandboxing' as other vendors call it, may be one way to address this in some countries, but not necessarily all.
Meanwhile, Good Technology is working to ensure that it isn't just corporate email, calendar and contact data that can be accessed from within the container. It recently unveiled the Good Dynamics platform, which allows third-party independent software vendors to build their own container-friendly applications. Jacques adds that in-house developers at some larger clients are using the platform to build bespoke apps; one example is Barclays, where software specialists are building time management and expense sheets for staff to use on their own devices.
At some companies, MDM is deployed more conservatively than at others. Take games company Electronic Arts (EA), where CISO Spencer Mott describes the technology as “effective, but a lot of work and pretty expensive”. He adds: “We're predominantly a tech company and we've got a lot of developers and engineers who like to use the latest and greatest cool gadgets and tools. They like to touch and feel the devices that will ultimately be a platform for the products and services we provide.”
At the same time, Mott sees no clear business rationale for allowing all employees to bring their own mobile devices to work. “We've always had the approach that, as an employer, we provide the tools that a person needs to do their job,” he says. “To me, BYOD is a bit like a surgeon bringing their own instruments into the operating theatre. It might sound very efficient, but the flipside is that you need to have an extremely high level of trust. Who knows how those instruments are managed, whether they're hygienic, whether they're right for the job at hand? Who keeps a record of their use?”
Less than 10 per cent of EA employees are able to use their personal devices for work – but Mott insists that they are, on the whole, satisfied with that. “For BYOD, there has to be an agreement where the employee gives up a certain amount of control over their device and many don't want the monitoring and transparency that we require,” he says.
He adds that, while BYOD may sound very enabling, “when you get under the skin of it, it can be quite complex and very expensive”. The company uses MDM to manage those who are allowed to bring their own devices to work, but, Mott says, “It's been an awful lot of work [to implement and manage], even for less than 10 per cent of employees. For a number of my team, that's all they do.”
Mott's position is clear: a small number of personally owned devices, controlled by MDM, should be permitted, but only when a clear business rationale has been established. Other companies, however, continue to dither over the BYOD issue – even though, in many cases, employees are already using their own devices to log in to corporate systems.
It is this ‘under the radar' BYOD that potentially poses the greatest risk to information security, says Glyn Owen, portfolio manager at ICT service provider Damovo UK. And at some companies, IT teams are enabling BYOD on an ad hoc, user-by-user basis, without having any firm policy in place.
“Before an organisation does anything, it needs to consider its policy – even if that policy is to ban personal devices in the workplace. Otherwise, [BYOD is] entirely driven by the employees themselves, rather than sound business strategy,” says Owen. This problem, he suggests, may be a throwback to the days when IT would be expected to support the CEO's new executive gadget when he demanded it, “but that's totally unsustainable on a company-wide basis”.
At MobileIron, meanwhile, VP of strategy Ojas Rege believes that BYOD should be about “philosophy first, and policy second” – and says companies should not be afraid to experiment with the different models of BYOD that are emerging. “There's no single path, there's huge variation. For example, some companies are turning their back on true BYOD in favour of ‘CYOD' – choose your own device. These companies present employees with a list of device options, but the company continues to own these devices.”
What such companies might want to consider, however, is the aggressive refresh cycles associated with the new generation of mobile devices. “User expectations of technology refresh are completely different from corporate expectations,” says Rege. “IT people are used to refreshing laptops every three to five years, for example, but when a new iPad comes out, employees will want to use that, even if they've already got last year's. If a company is in a BYOD programme, they're giving the user the choice to move to a newer device whenever they want.”
There is much to consider, but the bottom line, according to Gartner analyst Michael Disabato, is that companies are being compelled by the rapid consumerisation of IT to make a swift decision on BYOD. “Not all enterprises are accepting of the necessity for such access,” he concedes, but those that are, and there are many, “need to develop solid BYOD policies based on their business requirements and risk profile”.
They also need, he says, to keep a close eye on changes in MDM, “in order to protect corporate information on a wide variety of consumer-class endpoints”.
Case Study: Leeds City Council
BYOD presents a tricky challenge for those organisations charged with handling sensitive citizen data. At Leeds City Council, however, ICT resources manager Marcus Hunter has found a way to satisfy both the Communications-Electronics Security Group (CESG), which governs information security in the public sector, and council employees.
When Hunter began his research into MDM back in 2010, his initial target was securing the council's ageing estate of 800 Windows Mobile devices. Up until that time, management was a largely manual process. The logistics involved were complicated, with IT staff spending time to configure each phone and then deliver it to the user and provide the necessary training. A more efficient approach was badly needed, he says.
But a new problem quickly became clear: the corporate estate couldn't be upgraded to Windows Mobile 7 in line with CESG requirements. That prompted a shift to Samsung Galaxy W Android devices. “At the same time, users were becoming more adept at configuring devices, so we decided that a self-service approach for those that could manage it would save time and costs,” Hunter says.
These considerations led Leeds City Council to MobileIron. While the corporate estate of mobile devices was first to be tackled, the council now offers BYOD to employees as well. “MobileIron allows us to split the estate between council- and employee-owned devices. We can tag them so administrators know what they're dealing with and which policies apply,” Hunter says.
With the corporate estate, the council offers two options: full service and training from IT, or self-service, which most staff pick because the cost to their department is far lower.
With the BYOD estate, IT will support devices across the Apple, Symbian, Windows Mobile 6 and Android 2.2 (and upwards) platforms. It doesn't support BlackBerry or Windows Mobile 7, but will consider Windows 8, Hunter says. When employees download the MobileIron app they are able to access their email, calendar and contacts. Leeds' IT team can enforce its policies through MobileIron, and devices (and their data) are protected with a PIN code and locked after inactivity or incorrect access attempts.
The cost of BYOD – £66 per user, per year – is covered by the employee's department and represents a £400 first-year saving on equipping them with a council-owned device, Hunter says.
However, there are some council employees who still opt for the council to supply them with a phone, while access to some applications – such as the council's housing repair system – can only be offered on council-owned devices.
“We continue to see growth in corporation-owned devices, but for employees who just need email and calendar on a mobile, BYOD is increasingly the way to go,” says Hunter.