Issue: North America 2013
Topic: The right time for BYOD
Author: Dr Eshwar Pittampalli
Organisation: Open Mobile Alliance
Dr Eshwar Pittampalli is the Marketing Director of the Open Mobile Alliance. Prior to the Alliance, Dr Pittampalli spent more than twenty-five years with AT&T Bell Labs, Lucent Technologies and Alcatel-Lucent. Most recently, he served as a partner in the Alcatel-Lucent Corporate Marketing organization promoting the Internet of Things (M2M) market growth program. He also led the Alcatel-Lucent corporate market intelligence team as Senior Director, forecasting global telecom market trends, sizing and supporting the CFO throughout the world. In 2003, Dr Pittampalli was named a Bell Labs Fellow, Bell Labs’ highest honour, for his outstanding technical contributions and leadership in advancing wireless communications technology and standards.
Dr Eshwar Pittampalli is a registered professional engineer with a Master of Science and a Ph.D. in electrical engineering from the University of Oklahoma in Norman, Oklahoma. He is also a Registered Patent Law practitioner with a Mini-MBA from the Wharton School of Business.
While there are clear benefits to BYOD, safeguarding corporate data accessed by a wide variety of employee devices is a major concern. A cloud-based platform with a virtual desktop infrastructure (VDI) separates users from the corporate data; only rigorously authenticated users can access corporate data. Since data remains in the cloud and never on the device, and one cannot transfer data to other devices, there is no risk when users upgrade their devices or when a device is lost or stolen.
As we look around, we see a changing workplace – enterprises are embracing new technologies, exploring new avenues to increase productivity and incorporating a wide range of their employees’ mobile devices into the corporate IT domain. There were days when the corporate CIO office never endorsed any device unless and until it had gone through an exhaustive testing and evaluation process to make sure it was safe and secure from the point of view of corporate data integrity.
There was never more than one mobile phone approved by any IT department and rarely more than two laptop computers for employees to use. Once employees became accustomed to using a mobile device, a laptop and particular operating system, they ended up buying similar hardware and software for home use because of their familiarity with these technologies at the workplace. In other words, the employees would bring the technologies from the office into the home.
But lately, the trend is reversing. People are bringing technology from home to the office. Although this transition is in its initial stages, in a few years there will be a one-to-one correspondence between the devices used at home and the devices used in the workplace. This phenomenon is now being termed bring your own device (BYOD).
Dealing with the influence of smart devices is now among a corporate CIO’s priorities. Consumers, more than enterprises, are driving this mobile innovation. About 65 per cent of the U.S. population – over 200 million people – will have a smartphone and/or tablet by 2015, according to the research firm, In-Stat. Gartner’s research predicts that 1.1 billion smartphones will be shipped worldwide in the year 2015; the market is now ready for BYOD!
In the past, BYOD was an exception and corporate IT did not pay much attention to it. It was felt that BYOD distracted workers and would decrease employee productivity. Recent research has, on the contrary, demonstrated that enterprise productivity will improve [1]. The study, conducted by IDG Research Services, found that 85 per cent of companies support BYOD today, and more than 70 per cent of IT executives surveyed believe companies without a BYOD strategy will be at a competitive disadvantage. So IT departments are now proactively encouraging employees to bring devices of their own choice to work. Predictably, some companies might even pay for the devices employees choose to use at work.
The BYOD phenomenon brings IT departments a series of challenges. While there are clear benefits to BYOD, security risks are high; the major concern of IT is the security of sensitive corporate data.
When employees can freely choose their end devices, the variety of devices could easily exceed an IT department’s ability to manage, support and secure.
Challenges and solutions
Safeguarding corporate data accessed by a wide variety of employee devices will become the main focus for corporate IT departments. In addition to the applications that IT departments may want to install on the devices so employees can work and access corporate data, the devices themselves may have to be managed and configured as well.
There are a variety of approaches to addressing the challenge of accessing corporate data using diverse devices and operating systems. IT departments cannot rigorously test and qualify each and every device.
One option is to separate the user’s identity from the device’s identity. This means authenticating the users instead of the devices they use. This approach sometimes involves a cloud-based intermediate platform that separates the user from the corporate data and rigorously authenticates the devices or users prior to permitting access to corporate data. This can involve creating a virtual desktop infrastructure (VDI) in the cloud that provides a shield between the end device and the corporate data.
This shield keeps rogue end devices from accessing corporate data and makes it easier for the IT department to manage a multitude of devices. Other solutions include partitioning the device’s storage so that an operating system in one partition can be allocated for personal use and another in a separate partition secured for enterprise use only [2].
A cloud-based shield facilitates the employees’ BYOD practices, and helps the IT department safeguard corporate data, while managing multiple end devices that use a variety of operating systems. In fact, the cloud makes accessing the corporate data device-agnostic, thus the management of end devices becomes more practical. Additionally, IT has to divide corporate applications into silos with separate layers of authentication depending on the nature of the data these applications are accessing before the data is exposed to the user.
One of the other challenges for IT is to ensure that the sensitive data is not transferred from one device to another device when the employee goes through a device upgrade. Since it is the user who is authenticated before the device accesses the data, the abandoned device will never get close to the corporate data without its lawful user.
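The silo and user-authentication model described above, sketched as an added example (not from the article or from any OMA specification). The silo names, factor names and application names are constructed assumptions; access depends on the factors the user has completed, never on the device identifier.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed silos: factors a user must complete before data in that silo is exposed.
SILOS = {
    "general": frozenset({"password"}),
    "internal": frozenset({"password", "otp"}),
    "regulated": frozenset({"password", "otp", "hardware_token"}),
}
# Constructed mapping of corporate applications to silos.
APP_SILO = {"intranet": "general", "crm": "internal", "payroll": "regulated"}


@dataclass(frozen=True)
class Session:
    user: Optional[str]              # None: nobody has authenticated from this device
    factors: frozenset = frozenset()
    device_id: str = "unknown"       # kept for audit only, never used to grant access


def authorize(session, app):
    """Return (allowed, reason) for a session asking the cloud platform for an app."""
    silo = APP_SILO.get(app)
    if silo is None:
        return False, "unknown application"   # default deny
    # Factors count only when they belong to an authenticated user.
    verified = session.factors if session.user else frozenset()
    missing = SILOS[silo] - verified
    if missing:
        return False, "missing factors: " + ", ".join(sorted(missing))
    return True, "silo " + silo


def reachable_apps(session):
    """List the applications this session may open, in sorted order."""
    return sorted(app for app in APP_SILO if authorize(session, app)[0])


# Constructed sessions: the same user on two devices, and her old phone after an upgrade.
alice_phone = Session("alice", frozenset({"password", "otp"}), "phone-A")
alice_tablet = Session("alice", frozenset({"password", "otp"}), "tablet-B")
abandoned_phone = Session(None, frozenset(), "phone-A")

if __name__ == "__main__":
    for s in (alice_phone, alice_tablet, abandoned_phone):
        print(s.device_id, s.user, reachable_apps(s))
```
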
In order to get these solutions up and running, the corporate IT department will have to configure the device (policies, settings, applications, etc.). To do that, the corporate IT department will need a mobile device management (MDM) tool. MDM is a software tool that monitors, secures, and manages mobile devices owned by both enterprises and consumers. MDM uses over-the-air (OTA) procedures for configurations, firmware upgrades and application revisions.
Are enterprises ready?
Given the wave of BYOD, enterprises do not have much choice other than to embrace the phenomenon and make the transition from corporate controlled end device management to employee controlled end device provisioning. The longer a corporation waits to implement the BYOD policy, the more likely it will lose employee enthusiasm and productivity. Once implemented, BYOD facilitates a seamless handoff from one device to another making the employee satisfaction index jump higher, creating a friendly environment to participate and produce more.
It must be clear to employees which devices are excluded from the program. All employees need training and must take personal responsibility for backing up their personal data such as music, photos and videos on a regular basis. Before employees can participate in BYOD programs, they should also know that corporate IT has the authority to wipe out or erase the entire content of the device if it is stolen or lost. Employees should complete a mandatory training program before taking part in a BYOD program. This training program should cover the employee’s responsibilities and the stringent security requirements that IT has put in place to support the BYOD policy.
What can a CSP do?
A Communication Service Provider (CSP) provides a vehicle for accessing and implementing the BYOD policy. One of the access channels provided by the CSP is the physical layer from the end device to the cloud platform and the other is from the cloud platform to the corporate infrastructure. There is no specific measure that a CSP needs to implement to support these access channels. However, it is good preparation for a CSP to devise a special wholesale data access package that would attract an enterprise to select a specific CSP over another.
The CSP may offer an MDM tool as Software as a Service (SaaS) or through the cloud. In this way, the CSP’s device management system can reliably and securely manage and configure the employee-owned devices. Moreover, if the applications installed on the devices were developed in a way that can be managed by the CSP’s MDM (using management objects), then the corporate IT departments will be able to rely on a comprehensive and standards-based framework, such as OMA Device Management [3], for device and application management.
Now is the time for companies to embrace BYOD policies. Once BYOD is fully implemented, the infrastructure becomes end-device agnostic and transparent to any operating system. The system authenticates the user, not the end device, to access sensitive corporate data. The fact that the US Department of Treasury Alcohol and Tobacco Tax and Trade Bureau (TTB) rolled out a virtual desktop that allowed a BYOD program with almost no policy or legal implications indicates that it is time for BYOD to take centre stage. For enterprises, the benefit of requiring fewer IT personnel and potentially faster response times for meeting user needs will result in happy and satisfied employees.
After BYOD deployment, we can expect bring your own information (BYOI), and bring your own applications (BYOA) policy definitions. While the BYO movement in general has risks, it cannot be stopped, so IT departments must manage it correctly.