By now, you know that we are pretty good with network engineering, and cloud computing, and data and internet security, and managed services, and systems integration.
The same experience in the markets that got us good at those things is getting us pretty good at BYOD and MDM, and in helping people figure out how to implement a corporate policy and computing environment that will accommodate their employees’ own devices.
For those of you who are new to this blog, you will simply have to trust us. We know whereof we speak. And here are 4 things we know about BYOD that you need to know as well:
1. It is here to stay. It is not a fad, and it has nothing to do with the iPhone (specifically). We see this clear trend that employees in high-growth markets are very happy and open to using their own devices for work 24 hours a day, and don’t see it as an imposition on their time.
They see it as a way to advance their careers, be more productive and efficient, and are demonstrating a more flexible attitude toward working hours. This bifurcation in behavior will shape not just future patterns of enterprise mobility in high-growth markets compared to mature markets, but will also dictate which markets, structurally, are going to benefit the most from this revolution in how and where we work.
So, get used to it, and do something about it. What to do? Do policies, but don’t expect them to be followed any more than your other policies are. Do security, but expect that it will be breached. And do an architecture that will accommodate any device, used by anyone, at any time, in any location, for any purpose, and a monitoring, alerting and reporting system that will let you know when things go bump in the night.
2. Policies and Education – employees love policies. Sort of like texting while driving, or drinking while driving. Or, dress codes. Really? Your employees will abuse whatever policies you put in place, so at least try and make them reasonable. Like, a bad policy would be to insist that the company owns all of the content on your iPad, or that it has the right to wipe any content it chooses at any time it chooses, without prior notification. A reasonable policy might be that the company owns any company data that is stored on your iPad, and that it has the right to wipe that data at any time.
A bad policy would be that no personal computing devices can be shared with other family members or friends, and that any personal content stored on these devices somehow becomes the property of the company. While it may indeed be true that these devices will be made available in discovery in the event of litigation, a reasonable policy might be that any shared use becomes the employee’s responsibility, and that the company is not liable for the loss or destruction of any personal content stored thereupon.
All policy decisions should be considered carefully and reviewed in light of (already growing) litigation surrounding the BYOD space, but a generally good rule of thumb is to review your current security policies for web applications (CRM, email, portals), VPN, and remote access, and consider applying the same principles to your mobile devices. You should also craft them with input from your employees, who will be using the systems and working under the policies. Their involvement will go a long way toward ensuring compliance. After all, they are their own policies. And, be reasonable; if the policies are too draconian, your employees will ignore them or intentionally violate them, even if they helped craft them.
Then, once you have them, make sure that your employees understand them. This means training and education. Spend the time and invest in a professional trainer. This is too important to entrust to whomever it is you usually entrust these things to. Make sure that no employee is able to enroll his or her personal device onto your network until and unless they have passed through your training process and signed all of the appropriate acknowledgments your legal department deems necessary. Any screw-up here WILL come back to haunt you.
3. Security – most companies have approached security by creating an application that will run on the mobile device that needs to be downloaded and installed. This security application will have a certificate authenticating the device with terms and conditions to connect to the company network and run the corporate programs, and provide access to the corporate systems and data. This security application should also have the ability to locate a mobile device if it’s lost or stolen via the device’s GPS, and lock it locally within 1-5 minutes. It should additionally be able to wipe the device, and have encryption, antivirus and firewall software to protect company data and programs.
Part of your BYOD security initiative should be to determine which devices you are willing to support – not all devices will meet the security requirements of your organization. Also, each device being enrolled into the network should be physically inspected to be sure that it hasn’t been jailbroken or rooted. A personal identification number (PIN) should be mandatory and you should enforce encryption of data at rest – any apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected. A well-designed corporate app-store is a good way to approach the distribution of applications to mobile devices.
One of the main security challenges lies in the dual-use nature of mobile devices – a stolen or lost corporate laptop, on the one hand, will probably already have security measures built in such as whole disk encryption and authentication requirements. But smartphones and tablets, especially personal devices, eschew these added layers of protection in favor of ease of use, simplicity, and quick access.
One of the biggest new dangers of BYOD is the latest crop of Dropbox-style synchronization applications. By poking a hole in the corporate security fabric to synchronize files to a mobile device, the user is potentially creating a new channel through which confidential corporate information could leak. Many companies have decided to shut off access to these synchronization tools until there’s a way to manage them as enterprise applications with centralized control, granular permissioning, and integration with directory authentication services.
Security considerations are serious and are, by themselves, the single biggest challenge you will face when implementing BYOD. Take special care here.
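The enrollment requirements described above (training passed and acknowledgments signed, a supported device that is not jailbroken or rooted, a mandatory PIN, encryption of data at rest, no unmanaged synchronization tools) can be expressed as a fail-closed enrollment gate. This is an added example, not code from the original post; the field names, device models and app names are constructed assumptions.

```python
# Constructed policy values; the post names no specific models or apps.
SUPPORTED_MODELS = {"example-phone-a", "example-tablet-b"}
UNMANAGED_SYNC_APPS = {"example-sync-client"}

# (field, value required for enrollment, finding reported otherwise)
REQUIRED = [
    ("training_passed", True, "training not completed"),
    ("acknowledgments_signed", True, "acknowledgments not signed"),
    ("jailbroken_or_rooted", False, "not verified as free of jailbreak/root"),
    ("pin_set", True, "PIN or passcode not confirmed"),
    ("storage_encrypted", True, "encryption of data at rest not confirmed"),
]

def enrollment_findings(request):
    """Return every reason to refuse enrollment; an empty list means enroll."""
    findings = []
    for name, required, message in REQUIRED:
        # Fail closed: a missing or non-boolean field counts as a failure.
        if request.get(name) is not required:
            findings.append(message)
    model = request.get("model")
    if model not in SUPPORTED_MODELS:
        findings.append(f"unsupported device model: {model}")
    apps = set(request.get("installed_apps", []))
    for app in sorted(apps & UNMANAGED_SYNC_APPS):
        findings.append(f"unmanaged sync app installed: {app}")
    return findings

def decide(requests):
    """Map each owner to ('enroll' or 'refuse', findings) for reporting."""
    report = {}
    for req in requests:
        findings = enrollment_findings(req)
        report[req["owner"]] = ("refuse" if findings else "enroll", findings)
    return report

# Constructed sample requests: one compliant, one failing three checks.
SAMPLE = [
    {"owner": "alice", "model": "example-phone-a", "training_passed": True,
     "acknowledgments_signed": True, "jailbroken_or_rooted": False,
     "pin_set": True, "storage_encrypted": True, "installed_apps": ["mail"]},
    {"owner": "bob", "model": "example-phone-a", "training_passed": True,
     "acknowledgments_signed": True, "jailbroken_or_rooted": True,
     "pin_set": True, "installed_apps": ["example-sync-client"]},
]

if __name__ == "__main__":
    for owner, (decision, findings) in decide(SAMPLE).items():
        print(owner, decision, findings)
```

The gate reports every failed requirement at once rather than stopping at the first, so the refusal record can feed the reporting discussed under network management.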
4. Network Management and Control – while this may appear to be a shameless plug for Netswitch, it is not. It is simply identifying the other main challenge that companies will face when implementing BYOD, and they should address their current ability to manage this new mobile environment with their existing network infrastructure.
Companies should have a plan to create a network environment with software that assumes these personal devices will ultimately be the access points to the company’s data and applications, and that they must all be controlled, monitored, and their corporate use analyzed and reported on. Such an architecture should be able to enroll and engage these devices through a single sign-on mechanism that will enable the network to track their use and alert administrators when anomalies occur.
You should create or purchase a product that will work within your existing Network Access Control (NAC) and Mobile Device Management (MDM) architecture to provide monitoring, logging, alerting and reporting on all mobile activity within corporate networks. If your current network environment does not include NAC or MDM software, make sure you upgrade it. The alerting should notify system administrators when an unusual event occurs that is caused by the behavior of a mobile device, and the reporting should enable IT Managers to optimize their network infrastructure to better serve the rapidly growing requirements of personal mobile devices being incorporated into your corporate IT network.
You should consider mobile device management software that can provide secure client applications like email and web browsers, over-the-air device application distribution, configuration, monitoring, and remote wipe capability. Note that some providers require applications to be rewritten specifically to support their platform, so you may find some of your applications will not run in the solution you choose. An ideal MDM environment will contain a software development kit (SDK) that includes APIs for all popular enterprise software and the ability to create specialized APIs for your own proprietary and/or legacy applications.
Your IT management team should concentrate serious effort in planning for this new computing environment, as it will impact your IT infrastructure in some serious ways that may surprise you.
As technology evolves, so will BYOD policies and practices. And, just when you think you’ve covered all your bases, a new “must have” application will be demanded by your user population, which will test all of your planning assumptions – and you’ll have to find ways to accommodate that application.
But, by carefully defining your overall goals, thoroughly addressing the considerations around security, network management and control, and setting up an architecture with guidelines and policies early, you can lay the foundation, as well as provide an infrastructure, with the flexibility you will need to meet your security requirements, and to keep up with the changing BYOD requirements over time.