The appeal of having the latest mobile device is irresistible for many business managers, so the rise of bring-your-own-device also looks unavoidable. As Peter Galdies, director of DQM Group, discovers, that does not have to mean an inevitable loss of information security.
Within ten years, most businesses will no longer supply staff with computers or mobile phones. Instead, they will provide a small monthly payment to allow staff to choose and maintain the equipment of their own choice.
Network infrastructures will focus on providing a strong wireless backbone with Internet-based connectivity so that staff can connect via their own wireless devices from anywhere. Staff will be using single devices, owned by themselves, to store and access everything they need to manage their day-to-day lives, both business and personal.
This is a prediction and vision that is already being fuelled, discussed and debated heavily within IT infrastructure circles. It even has a term: “Bring Your Own Device” or “BYOD”.
So what’s driving this change and why is it inevitable? According to various pieces of research, mobile employees of today typically carry three to four mobile devices capable of network or Internet access – these include smartphones, tablets and laptops.
To make matters worse, people are also buying their own personal devices (often better specified and more current than those supplied by work) and are often carrying these into the workplace with them. iPads and similar are fast becoming “must-have” personal accessories and devices like these have pretty much all of the functionality that mobile employees of today need to carry out their work duties.
That fact is not lost on employees, who are increasingly frustrated by the distinction between personal and work devices. So the reality for many businesses is that BYOD is happening by stealth – regardless of existing policy or other constraints – and business is already adapting to cope. According to a recent iPass survey, a staggering 73 per cent of enterprises have non-IT-managed devices accessing corporate resources.
Getting information governance ahead of the curve
Some organisations are seeing this trend and asking the question, if individuals are buying and providing their own devices, why don’t we stop? One response has been for some companies to radically re-organise their approach, allowing the employee to provide their own device and paying a small, regular additional payment (typically £30 to £40) to help cover the additional costs to the employee. Of course, this lowers the IT and telecoms expenditure of the organisation considerably, producing a financial incentive and benefit for some businesses.
How real these cost benefits actually are is still an open debate. Industry analysts Gartner estimate that the rising bandwidth and technical requirements for modern devices, in part stimulated by BYOD, will lead to 80 per cent of today’s wireless networks being obsolete by 2015. However, it looks like this considerable investment for businesses is unavoidable due to the explosive growth of wireless devices and that BYOD is only formalising the need, not creating it.
From a data governance perspective this looks like a retrograde step, increasing, rather than decreasing, the risk of data compliance failure. Indeed, according to the same iPass Enterprise Survey, 46 per cent of IT respondents admitted to experiencing a security problem related to an employee with an unprovisioned device.
However, there are strategies that can make the introduction of a BYOD scheme more viable from a governance perspective. Jonathan Wagstaffe, managing director of networking specialists Project Vision, points out: “Data managers will need to encourage and support users proactively to think about device security. Educate them about password strategy and mobile device risks. Simply publishing a corporate information security policy won’t do any more. You need continuing education of your users to change their behaviours and so be part of the solution.”
Controlled network access
Allowing any device to access the corporate network in an uncontrolled way would be a disaster for data compliance. So how do you filter access for unsupported devices and only allow approved devices to have access to data resources?
There are already many technical solutions on the market that offer this sort of functionality, ranging from simple blocking of unknown devices to finely-grained, device-by-device access policies. The fundamental point is that devices should be properly registered or “on-boarded” into the network, allowing network managers to configure access and limitations for each one. This on-boarding needs solid systems and robust business processes, combined with clear guidance to staff about the steps they need to take to get their devices registered.
Network gateways and other access points need to be properly configured and maintained, with the business ensuring that they keep pace with the evolving demands that BYOD will bring. Hybrid approaches, in which staff buy their own device but choose it from an approved list, should also be considered. Be aware, however, that such lists will quickly become outmoded.
Access rules should be role-based, with different privileges and technical policies for different levels of data access as appropriate.
Device security, control and safety
The organisation should expect a minimum standard of security from devices. Devices should only be allowed to connect when they provide sufficient levels of anti-virus and malware protection. Consideration should be given to the business providing and installing such software on staff members’ devices (although this raises other issues about privacy).
Mobile devices are highly prone to loss, so controls that enable the remote wiping of corporate data should be considered and any such data should be held in encrypted partitions. Interactions with corporate data should be logged and controlled, with a clear understanding among data security and governance staff of what data is being made available and where.
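The two sections above describe the same control from two sides: a device must be on-boarded before it is granted anything, access rules are role-based, and the device must meet a posture standard (malware protection, encrypted storage, remote wipe) that rises with the sensitivity of the data. The following is an added example, not code from the article or from any product it mentions, showing how such a decision point fits together; the roles, resource tiers, device attributes and sample devices are all invented for illustration, and every decision is written to an audit log as the text recommends.

```python
"""Toy access-decision point for a BYOD scheme.

Added example, not from the article. Roles, resource tiers, device
attributes and the sample devices are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Tier(IntEnum):
    """Data classification, least to most sensitive (hypothetical)."""
    PUBLIC = 0       # e.g. intranet news pages
    INTERNAL = 1     # e.g. departmental file shares
    RESTRICTED = 2   # e.g. customer records


# Hypothetical role -> most sensitive tier that role may reach.
ROLE_MAX_TIER: Dict[str, Tier] = {
    "contractor": Tier.PUBLIC,
    "staff": Tier.INTERNAL,
    "data_manager": Tier.RESTRICTED,
}

# Hypothetical resource -> its classification.
RESOURCE_TIER: Dict[str, Tier] = {
    "intranet": Tier.PUBLIC,
    "fileshare": Tier.INTERNAL,
    "crm": Tier.RESTRICTED,
}


@dataclass
class Device:
    """What the on-boarding process records about a device (hypothetical fields)."""
    device_id: str
    owner: str
    registered: bool = True          # completed on-boarding
    malware_protection: bool = False
    storage_encrypted: bool = False  # corporate data held in an encrypted partition
    remote_wipe_enrolled: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[str] = []


def posture_requirements(tier: Tier) -> List[str]:
    """Device controls required before data of this tier may be touched.
    The bar rises with sensitivity: all tiers need malware protection,
    internal data also needs encrypted storage, restricted data also
    needs the device enrolled for remote wipe."""
    required = ["malware_protection"]
    if tier >= Tier.INTERNAL:
        required.append("storage_encrypted")
    if tier >= Tier.RESTRICTED:
        required.append("remote_wipe_enrolled")
    return required


def evaluate(registry: Dict[str, Device], device_id: str, user: str,
             role: str, resource: str) -> Decision:
    """Decide whether `user` on `device_id`, acting as `role`, may reach `resource`.
    Order of checks: device on-boarded -> device belongs to the user ->
    resource known -> role permits the tier -> posture meets the tier.
    Every decision, allow or deny, is appended to AUDIT_LOG."""
    device = registry.get(device_id)
    tier = RESOURCE_TIER.get(resource)
    if device is None or not device.registered:
        decision = Decision(False, "device not on-boarded")
    elif device.owner != user:
        decision = Decision(False, "device registered to a different user")
    elif tier is None:
        decision = Decision(False, "unknown resource")
    elif role not in ROLE_MAX_TIER or ROLE_MAX_TIER[role] < tier:
        decision = Decision(False, f"role '{role}' may not access {tier.name} data")
    else:
        missing = [c for c in posture_requirements(tier) if not getattr(device, c)]
        if missing:
            decision = Decision(False, "device posture insufficient: " + ", ".join(missing))
        else:
            decision = Decision(True, "all checks passed")
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_LOG.append(f"user={user} device={device_id} role={role} "
                     f"resource={resource} {verdict} ({decision.reason})")
    return decision


def sample_registry() -> Dict[str, Device]:
    """Constructed sample devices: one fully compliant, one partially, one not on-boarded."""
    devices = [
        Device("tablet-a1", "alice", malware_protection=True,
               storage_encrypted=True, remote_wipe_enrolled=True),
        Device("phone-b2", "bob", malware_protection=True),
        Device("laptop-c3", "carol", registered=False),
    ]
    return {d.device_id: d for d in devices}


if __name__ == "__main__":
    reg = sample_registry()
    evaluate(reg, "tablet-a1", "alice", "data_manager", "crm")   # allowed
    evaluate(reg, "phone-b2", "bob", "staff", "fileshare")       # denied: no encryption
    evaluate(reg, "laptop-c3", "carol", "staff", "intranet")     # denied: not on-boarded
    print("\n".join(AUDIT_LOG))
```

The point of ordering the checks this way is that an unregistered device is refused before its owner, role or posture is even considered, and a compliant device still cannot carry a user past the tier their role allows; the audit line records which check failed, which is what data security staff need to know where corporate data is being reached from.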
It may be the organisation has rules relating to the use of cameras and other recording equipment. As many personal devices now integrate these functions, there should be mechanisms for altering and setting profiles in the workplace.
Leaving and joining processes require careful consideration with fine-grained removal of data from devices a necessity. New techniques for data partitioning and grooming from mobile devices are being developed to help with this.
Getting the balance right
Personal devices holding corporate information and data make for some interesting privacy and policy challenges. It’s normal for employees to have to agree to information security and confidentiality clauses, but most such policies currently would not allow the use of personal devices at all.
Policies and agreements will have to be extended to include the nature and extent to which organisations can inspect and delete data held on devices belonging to the employee. Financial services and other heavily-regulated sectors may require more complex solutions.
In the USA, the impact of e-discovery and litigation holds is also being considered, with the employee potentially having to surrender devices during legal proceedings. Shared use for personal and business makes these processes very complex, with employees having to release unrelated personal details in professional-related legal processes.
It’s not easy, but it could be good
BYOD is never going to be as straightforward as today’s IT service model where approved and known equipment is provided and data carefully managed in a controlled environment. It dictates a more complex IT backbone with greater management demands for network managers and more complex issues for management and individuals to deal with.
But the vision is clear, the cost and motivation benefits to employees and staff look likely to set the agenda, leaving compliance and IT managers with the challenge of providing the solutions. Having clear policies, training to ensure that employees understand their obligations and backing it all up with robust technology can all work to provide a solid infrastructure for BYOD.