The Evolution of IT: BYOD and Consumerization
Jul 25, 2012 5:00 AM PT
The Bring Your Own Device, or BYOD, movement is a reality for most IT departments today. And it's generally accepted that it was spearheaded by the tremendous popularity of Apple consumer devices -- primarily iOS devices such as iPads and iPhones.
Based on the Apple model, users are encouraged to purchase additional devices. And they do, with the expectation that they can use them in all aspects of their life, including professionally.
So it was no surprise when employees -- and in particular, senior executives -- began demanding access to company resources, email and other data on their iOS devices. Because of the seniority of the early adopters, IT departments often felt constrained to provide whatever was requested, and the trend began to snowball as it trickled down to the rest of the workforce.
BYOD - What Next?
As a result, many companies found themselves with a de facto BYOD program -- not really a formal program at all -- leaving networks, documents and other resources at the mercy of unmanaged and often invisible devices.
It's important to note that the devices themselves are not the cause of the problem, nor are the users. BYOD is not a technical problem; it's a business problem, and it must be approached as one.
The good news is -- along with a shift in device ownership and usage -- the technology available to manage BYOD risk has also evolved, providing IT with the ability to limit the risk while empowering the user.
Here is what the typical BYOD environment can present to IT:
- The average user has multiple devices. Along with a smartphone and possibly a tablet device, this usually includes a computer.
- Users have a high expectation of using their device of choice, be it Android, iOS or OS X, including the native UI and apps.
- It is the company, not the user, that is liable when resources and data are compromised.
- With such a rapidly changing device landscape, it is likely that any existing management tool will not remain valid for more than a few short months.
So what is the best approach? First, look beyond the feature lists that BYOD device management solutions advertise. Gartner estimates that there are approximately 100 MDM vendors on the market today. The majority of them did not exist a few years ago, and chances are many will not be around in the near future.
That's not to say startups should automatically be ruled out, but a vendor's history and commitment to endpoint management is an important consideration. If the technology becomes obsolete or the vendor is acquired by a larger corporation, IT may find itself back at square one.
BYOD and Laptops
One of the most common mistakes is to overlook the full breadth of the devices that are user-owned. While Samsung, Apple, Lenovo, Motorola and others may be stealing the spotlight in tech headlines with new and exciting mobile technology, laptops are not going away. And since most BYOD management technologies do not support these devices, IT will be forced to employ an additional solution to manage employee-owned computers.
This is already happening today. Even if an existing BYOD program is built to support iPads and smartphones, employees (senior executives at the top of the list) are expecting similar accessibility for their MacBook Air or Ultrabooks.
However, the existence of multiple devices does not eliminate the company's need for a single standard, particularly a security standard. Securing devices via swivel-chair management across multiple consoles only adds to the complexity these management tools were supposed to reduce.
User-Centric Management for BYOD
So what's the answer? I believe it can be found in a user-centric management approach -- balancing user empowerment with data security by leveraging native and existing technologies.
For example, enrolling mobile devices into management should not require the establishment of an entirely new identity management system for user authentication. Most companies already use Active Directory and should leverage this existing infrastructure.
Substituting AD with a mobile-specific system would be like changing the lock on your back door but not the front. Leveraging AD by integrating it with a management tool allows you to assign admin roles and user policies based on groups, departments, operating units, and other directory information that is already established.
Setting BYOD Boundaries
While the driver, multidevice and operating system landscape is much more complex than a traditional network of Windows computers, the fact is that most modern mobile devices are designed with management in mind. And while it's true that some employees may have older devices that do not support management, it is also true that the company is in no way obligated to support these devices.
A good example of defining limits would be the fragmented Android landscape, which includes -- by one researcher's count -- about 1,400 variations currently in the marketplace.
Beginning with Android 3, hardware-based encryption is supported, while Android 4 introduced additional device restrictions through the MDM API, such as camera controls.
Additionally, several Android hardware vendors, such as Motorola, Samsung, and Lenovo, offer their own extended management APIs, providing IT departments with much greater control. IT should limit Android support to the versions that provide the organization with optimum management and security capabilities.
Apple iOS devices are a known quantity with a well-documented management API. The Apple ecosystem also provides for consistency, with every iOS device manufactured within the past three years capable of supporting the latest release.
Windows Phone 7 management is limited to a subset of Exchange ActiveSync settings. Windows Phone 8 and Windows RT are expected to be similar, while Windows 8 x86 versions (such as on the Surface Pro) should be manageable to the same extent as a regular laptop or desktop computer.
Similarly, the new Apple OS X Mountain Lion release includes an MDM-like API as another management alternative on top of normal client management tools for the desktop.
At the End of the Day, It's All About the Data
Organizations struggling with a de facto BYOD program are beginning to realize that systems once trusted to disseminate documents are no longer acceptable. The biggest culprit is email. While early mobile management vendors tried to "sandbox" email to protect the data, this approach really did nothing to safeguard it -- though it did introduce additional complications.
With or without a sandbox, email remains email: messages and attachments that can be sent and forwarded. Nobody can stop this. Mobile devices may highlight this risk, but any company that allows Outlook Web Access has opened an even larger hole for data to exit.
By forcing workers into a non-native, sandboxed environment, whether for email or for the entire workspace, the principle of user empowerment is violated, putting at risk the entire benefit of increased productivity and user satisfaction that BYOD is supposed to inspire.
The answer is not to reinvent email with a cumbersome and redundant infrastructure and UI. Instead, the focus should be on following best practices for data protection, practices that should have been in place before BYOD. This means managing the data separately -- at least when the data includes highly confidential documents and media files.
In the end, BYOD is just today's term for an ongoing evolution from company-owned technology to portable, user-owned technology. Properly managed, this transition can lower IT burdens while increasing user productivity and responsibility. This is the logical -- and desired -- outcome when you solve a business problem. The business will benefit.