As people lobby to take iPhones and laptops into work, should business embrace or ban consumer technology? By Andrew Donoghue.
On a visit to the US shortly after the civil war, Oscar Wilde was asked why he thought the country was so violent. “I can tell you why America is so violent,” Wilde replied, “it is because your wallpaper is so ugly.”
That might sound like a typical Wildean witticism, and it is, but what Wilde was really expressing was the importance that he and others in the aesthetic movement attributed to beauty and good craftsmanship and its impact on how people behave. To be surrounded by ugliness, the Irish writer believed, led to ugly thoughts and ugly actions.
It might sound like a stretch to apply this philosophy to the current popularity of devices such as the iPhone, but there is a link between good design and productivity, according to some experts. “Although it would be difficult to quantify through a cost-benefit analysis, a happier user is generally considered to be more productive,” analyst group Gartner claimed in a 2008 report on employee-owned technology schemes.
At least some of the momentum driving staff to want to use consumer technology in the workplace is that on the whole it not only looks better but, crucially, is a lot more user-friendly than the “good enough” approach taken by many business-technology makers.
The idea that good design leads to greater productivity is a message that companies are beginning to embrace – or forced to accept by their own staff. Other research by Gartner has revealed that by 2010, end users, not the IT department, will decide 50 per cent of enterprise IT procurement decisions.
A recent survey by management consultants Accenture of young office workers in the US – a group it calls “millennials” – revealed that more than one-fifth of them stated that the technology provided by their employer did not meet their expectations, while one-third said they expect not only to use the computer of their choice, but also to access the applications they want.
This kind of picky attitude to technology is not something IT managers have had to face on such a scale before. It's fair to say that aesthetics has never really ranked highly on most corporate IT hardware tenders. Cost, performance and security are usually the main considerations. Of the main hardware makers, only Apple has ever really embraced the concept of design and styling as being essential to IT, but for years that philosophy, combined with higher prices, meant Apple kit was only attractive to a niche group of design and media types.
The launch of the iMac in 1998, and of the iPod in 2001, designed by British designer Jonathan Ive, helped to popularise Apple's aesthetic approach to IT. The launch of the iPhone in June 2007 had an even more disruptive effect on the smartphone market, forcing consumer handset makers such as Nokia, Samsung and LG to follow Apple's lead not just on the touch-screen interface but also the styling of the iPhone.
More fundamentally, however, the rise of the iPhone has also impacted on previously enterprise-focused mobile players such as RIM, maker of the BlackBerry – the de facto leader in mobile email for years. RIM has had to update its line-up of handsets with increasingly sleeker models in order to keep pace with a trend that industry analysts refer to as the “consumerisation of IT” – quite an ugly word for a trend towards better-looking devices.
The movement towards the use of consumer technology in business hasn't only been shaped by the fact that consumer technology is prettier, however. The rise of the internet has played a major role in popularising technology – making it fun – a trend that has accelerated, given the emergence of social networking and online gaming.
Some industry experts would argue that consumer technology competing with business-focused technology isn't a new trend at all – with some of the earliest PCs developed in the 80s occupying a limbo between fledgling business and home use. But it's fair to say that the integration of IT into almost every aspect of our personal lives – from online dating to in-car satellite navigation devices – has fundamentally changed expectations of technology design and user-friendliness.
The implication of this trend for IT departments is profound, not just in terms of procurement but, more importantly, for security. Enterprise networks used to be effectively ring-fenced by the fact that for a long time consumer gadgets were expensive, rare and, crucially, not mobile. Now the average staff member could bring tens of gigabytes of storage into the organisation in the form of their MP3 player, USB stick or mobile phone, storage that could be used to steal corporate data or upload malicious code.
“Offices are full of employees' personal technology, such as iPods, laptops, mobile phones, Bluetooth headsets and USB drives. This is in contrast to ten years ago, when technology tended to travel from the office to the home, and to some extent it still does,” says former National High Tech Crime Unit detective Geoff Donson, now security manager for hosting company, Telecity Group.
Confronted with the reality that, gigabyte for gigabyte, company-owned IT could actually be equalled or even outnumbered by the amount of consumer devices in the average office, traditional ideas of how to secure corporate networks are being forced to react and evolve.
One option could be to erect a metal-detector in the company foyer and ban all non-approved gadgets from the office. “Some companies are simply banning the use of personal technology in the workplace for fear of the main concerns above. This is especially the case in many sensitive government premises,” says Donson.
Aside from the practicalities of policing such a ban, it's not really an option that most IT managers can resort to, given the obvious human resource, not to mention recruitment and marketing challenges that would be thrown up once the news got out that the company was clamping down on employee freedoms.
A less draconian step would be to just ban the use of consumer technology for business use – as opposed to banning devices from being taken into company premises altogether – but even this is a decision that should not be undertaken lightly, according to experts.
“Obviously it's not a good idea to take a ‘blanket ban' approach to the use of personal technologies within the workplace – it's a very Luddite approach to the future. The companies out there who do take this route, including those who have been hit by phishing attacks or data losses, will find they will come under increasing pressure to take a more open approach as the internet generation enters the work arena and demand for the use of Generation Y technology in the workplace soars,” says former counter-terrorist army officer Neil Fisher, now vice president of global security solutions for Unisys.
Michael A Mason, former FBI agent and now chief security officer at Verizon Communications, agrees with the view that a total ban on consumer technology would not only be hard to enforce but could actually have a negative impact in terms of productivity.
“I do not believe it is a good idea to summarily ban the use of personal technology in the workplace,” he says. “A better strategy might be to determine how this technology can be exploited to advance the objectives of the business. These devices are ubiquitous, especially with young people, and banning their use might not be the most effective strategy.”
If companies do opt to acquiesce and accept that consumer technology isn't going away, what are the steps that can be taken to make sure the devices are not only as secure as possible but can actually be harnessed to improve productivity?
According to Donson, companies should take a pragmatic approach, through sensible usage policies combined with proactive network monitoring and getting employee buy-in. “This is far more effective than confiscating mobile phones at the front door. Companies can implement a number of tools or tactics, monitoring software that takes consumer technology into the workplace. By effectively turning consumer devices into terminals that access a virtualised instance of the employee's desktop hosted on a server, along with central network drives for all company data, company applications and data can be accessed through a browser without any real interaction with the consumer device.
This approach is already being used internally by around 400 staff at virtualisation specialist Citrix. The company launched its ‘bring your own computer' (BYOC) to work scheme in September 2007 (see box, p28). It uses the company's XenApp technology to allow employees to access company applications while keeping the actual consumer device at a virtual arm's length from the corporate network.
Providing that this trend towards consumerisation continues – and there is nothing to indicate that it will slow down – what will the average corporate IT department look like in ten years' time – and what will it mean for those charged with managing IT security?
“In the future, I see security becoming more focused on the individual, with increased authentication of devices – we're already seeing some laptops requiring finger or face identification as proof of ownership and I expect enhancements in biometric technologies to fuel this trend over the next few years,” says Fisher.
Other developments could come in the shape of more intelligent networks that take some of the administrative burden off the IT department to manage an increasing range of devices, whoever ultimately owns them.
“The ability to provide instant awareness of the introduction of an unauthorised device to a network would make it easier to accept the use of personal technology devices,” says Mason. “If a desktop computer immediately shut down and notified network security of such an incident, the confidence with which companies could allow the use of such devices would undoubtedly increase.”
An act of cyberterrorism on crtical national infrastructure that resulted in deaths could of course set back smart approaches to IT security and provoke blanket bans on consumer technology, but, that risk aside, the future approach to employee-owned IT is probably a continuation of the series of compromises that have characterised progress so far.
However, as ex-White House CIO Carlos Solari points out, guessing how the IT industry will evolve is a dangerous game: “Predicting the future is a risky business – predicting how security will play out may be riskier still,” he says.
Citrix's ‘bring your own computer' (BYOC) scheme
Virtualisation specialist Citrix began a pilot scheme in September 2007, following numerous requests from employees, who realised the company's software would allow them to use their personal machines relatively securely on the company network. “We had employees asking about bringing their own computers to work, wanting to use the laptop that they were most comfortable with,” says Citrix CIO Paul Martine.
Following a survey of employees to discover the scale of interest in a ‘bring your own computer' (BYOC) scheme, Martine sat down with other departments to work out the ramifications beyond the immediate technical impact. “We got together with HR and legal to make sure that our existing policies inside Citrix satisfied the needs of someone who was going to bring in their own device. We found out that it didn't matter what the physical device was – all policies and procedures remain the same,” says Martine.
Having agreed that allowing staff to bring their own technology into the workplace could be done legally and securely, Citrix settled on a programme based around a $2,100 purchase grant, available every three years to staff members who signed up to the scheme. Staff had to be permanent employees and agree to buy a three-year warranty for their laptop. “If there were hardware failures, the employee could go back to the vendor they bought it from – anything else we would take care of at Citrix,” said Martine.
Another condition of the BYOC scheme was that staff had to hand in their existing company devices to ensure there was a pool of spare machines if any consumer-owned laptops failed. “If a BYOC device failed and they had to send it back to the manufacturer, then they could take one of these managed devices – it created a pool of reserve laptops,” he says.
For the initial 250 staff signed up to the scheme, Citrix enabled access to corporate applications via a software client called the Citrix Receiver. “Our core product basically delivers applications from a data centre to a user – we really don't care what the device is. The Receiver is the client component you download onto your laptop which brings in our SSL VPN and the XenApp plug-in which allow you to receive the applications,” explains Martine.
To secure the machines that didn't come equipped with any pre-loaded AV software, Citrix also provided access to McAfee anti-virus software. Protecting the devices was a high priority for the users, according to Martine, as many employees spent considerably more than the $2,100 grant provided. “A lot of people bought very high-end laptops. They could justify spending $3,500 on a Mac because of the extra money provided by the company,” he says.
The scheme has now proved so popular that Citrix is slowly expanding it to international offices, with the eventual aim of extending it to all permanent staff. While it might sound like the BYOC scheme was a piece of forward-thinking altruism, it also makes financial sense. The $2,100 grant was based on the fact that over a three-year period it cost the company about $2,600 to purchase and support a company PC – so across the 450 people already on the scheme, Citrix is making savings of $225,000 every three years. “What saves me time is that my IT team doesn't have to manage those devices – that was really the benefit to the company,” says Martine.
Top tips for securing consumer technology in the workplace
1. Companies must decide what their workplace culture will be; for example, the use of personal technology is fine as long as the work gets done
2. Choosing to ban consumer devices outright may sound like the most direct option – but consider not just the impact on security, but the effect on the image of the company that such a ban creates both internally and externally
3. Choosing to allow employee-owned devices into the organisation must be a conscious decision, accepted and planned for by the company. Embrace the change; avoid the ‘don't ask, don't tell' policy on consumer technology adopted by some employers
4. Assess how allowing staff to use their own consumer devices could actually improve productivity by making flexible working more efficient, for example
5. Make staff responsible for the repair of faulty devices by getting them to sign up to vendor warranty schemes when they purchase their own devices
6. Managers and supervisors must clarify their expectations, and develop clear written policies and guidelines which must then be enforced – an even bigger challenge
7. Work with employees to develop sensible and workable usage policies for consumer devices and make sure there is real input from staff to ensure their support
Making the iPhone business-friendly
When it was first launched in June 2007, the iPhone turned a lot of heads. Unfortunately for Apple, for many in the IT security community the head-turning was a vigorous horizontal shake. “An unproven device from a vendor that has never built an enterprise-class mobile device,” IT analyst Gartner said of it after the official launch.
Gartner's reaction typified the view that any attempt by Apple to position the device as anything but a consumer toy was going to get short shrift from business experts. The analyst put out a whole list of shortcomings with the Apple handset, including: “Lack of support from major mobile device management suites and mobile-security suites” and “feature deficiencies that would increase support costs (for example, no removable battery)”.
But with the release of the iPhone 3G in 2008, and some hard work by Apple on the technical and marketing front to try and position the iPhone as business-friendly, Gartner and other analysts appear to have softened their stance.
In particular, Apple gave developers access to the iPhone software developer kit (SDK), while also updating the iPhone firmware to version 2.0. Apple also licensed Microsoft ActiveSync protocol suite, as well as support for Cisco IPSEC, and the addition of WPA2 security for WiFi connections.
Kraft Foods, Oracle and Notify Technology have deployed the Apple handset; however, the report did point to some security shortcomings around matters such as password caching that could make it difficult to authenticate the device onto a company's VPN.