Issue: North America 2013
Topic: What’s Next for BYOD?
Title: Senior VP & Chief Technology Officer
John Roese is Senior Vice President and Chief Technology Officer (CTO) at EMC Corporation; he leads EMC’s Corporate Office of Technology which is responsible for EMC’s technology vision and strategy, including for Cloud, Big Data and Trusted IT. Mr Roese has more than 20 years of industry experience, including executive leadership of large scale, complex, global R&D organizations. Previously, Mr Roese served as Huawei Technologies’ Senior Vice President and General Manager of the North American R&D Centres. Before that, he held a series of senior leadership positions including CTO at Nortel Networks, Broadcom Corporation, Enterasys Networks, Inc. and Cabletron Systems.
Mr Roese holds more than 18 pending or granted patents in policy-based networking, location-based services and security. He has served on numerous boards, including ATIS (ICT standards organization), OLPC (One Laptop per Child), Blade Networks, Pingtel (unified communications) and Bering Media (location-based advertising).
John Roese earned a Bachelor of Science degree in Electrical Engineering from the University of New Hampshire.
Bring your own device means more than use your own tablet at work; it is the visible edge of a massive IT paradigm shift. BYOD pushed consumer devices into the heart of enterprise IT and accelerated the shift to the cloud and virtual desktop environments for all user IT interactions. It seemingly reverses the mainframe-to-PC movement by packing both applications and data in the cloud and putting an extremely high-tech can opener – with a screen – in the hands of the user.
What’s Next for BYOD?
by John Roese, SVP and CTO, EMC
Three significant trends driving IT transformation are the broad shift towards a mobile enterprise, the adoption of consumer technologies, and the shift to cloud topologies. These forces are disrupting IT architectures while enabling value creation. Enterprise IT is not accustomed to so much change in so short a timeframe.
One of the first tangible manifestations of these forces at work is Bring Your Own Device. BYOD is roughly described as ‘a diverse set of mobile devices (iPhones, Androids, iPads, Macs) no longer rigidly prescribed by IT’.
BYOD did not evolve organically; it was inflicted on IT. This is playing out not only in North America, but around the globe. Employees began using devices that outpaced the end device innovation of the classic enterprise. IT organizations had to adapt.
At its core, BYOD extends the enterprise experience. The availability of IT services to employees increases dramatically when personal use of mobile devices is allowed.
This converged experience is fantastic for making services available, but incredibly complex in terms of security, control and other assurances. Creating a model that is both flexible and secure requires much more than simply granting access to consumer devices.
Early BYOD deployments are far enough along to relate insights that may not be obvious:
The IT environment must transform
Adopting BYOD has a significant impact on the entire IT architecture, causing shifts in data storage and protection, application development and deployment, resiliency assurance, enterprise boundaries, and other areas unrelated to the device. IT architectures transform in three fundamental ways:
1. Shift to virtualized, information-centric data centres
Data sink locations will become highly diverse as devices, and the places they live (home, airport, office), expand exponentially. The location of the information and the way it is managed need to become significantly simpler. Shifting to a centralized, virtualized data centre model causes the core IT system to become simpler to operate, maintain and adapt.
Data centre virtualization and information centricity offset the complexity of diverse devices. These new data centre models highlight the transformation of IT from app-centric to information-centric.
2. Placement of applications and information
The non-BYOD environment views the end node as a terminal where applications run autonomously, and information is stored in a protected manner. In BYOD, none of these assumptions are true. Early adopters treat the end node as a very lightweight entity.
Virtual Desktop Interfaces (VDI) and Enterprise Mobile Applications, instead, shift the role of the end node to an interface into the data centre. In situations where data and processing are deployed on BYOD devices (e.g. offline use), architectures assume that information could be lost at any time, requiring new models of backup and archiving.
New approaches are emerging to manage information on these mobile devices, such as enterprise SYNC and SHARE (think Dropbox for the enterprise).
3. Security architecture
Traditional technologies such as VPN/firewall make little sense in BYOD environments. While technically possible, the user community would revolt if enterprise security experiences were significantly more complex than emergent consumer experiences. Launching VPN clients on mobile devices before doing ‘enterprise stuff’ would be a ‘non-starter’; no consumer experiences resemble that approach.
Early adopters realize that consumer mobile applications are often as secure as the enterprise experience. However, in the consumer / BYOD environment, security is embedded into the application and simplicity is the priority. Modern mobile application frameworks include robust, transparent security models with the most intrusive experience being limited to the PIN used to unlock the device.
End user behaviour is different in BYOD
In traditional enterprise IT, the end user behaviour is very one-dimensional.
In BYOD, the end device has multiple personalities. For example, an engineer in BYOD has at least three personalities: non-business, corporate employee, and IP generator.
A wide range of IT models, combined with the changes discussed above, makes the BYOD engineer possible. Virtualization can provide multiple-personality experiences on BYOD systems. If an engineer wishes to use a Mac instead of a traditional Windows PC, the system can be configured as follows:
1. The MacOS system contains normal consumer protection (standard anti-virus and firewall).
2. The MacOS system will have a local virtual machine (VM) running the corporate IT image. A full set of IT security, auditing, backup and monitoring tools would be present. The image can be backed up with snapshots and easily restored if the device is lost. Since VM access control is tied to corporate AAA services, the data would be encrypted.
3. R&D tools and data must be accessible by the user. Early adopters deploy a second but remote VM accessible on the device using VDI into a data centre where the OS, applications and data of the R&D tasks live.
In all of the above personalities, choices can be made about backup and archiving if the end device is lost or fails. Policy choices and tools can dictate how much information can flow between different personalities on the device (e.g. disabling screen capture tools).
BYOD may not be ‘bring your own’
If the device is not company property and an employee leaves, he or she is taking a physical asset with them. In many cases you cannot be sure whether or not the employee is bringing information, access or other risks outside of your view.
Many early adopters have modified BYOD to become PYOD (pick your own device). The difference is found in who owns the device. PYOD policy allows for selection of a broad number of devices and doesn’t try to over-engineer their operation. This makes it possible to better manage the device and to retain it when an employee exits.
Early insights into PYOD have uncovered one major challenge. IT has to resist the urge to overly manage and configure the devices, which would lose the flexibility and value of BYOD. A lightly managed, open-minded approach to new platforms is necessary. The goal of PYOD is to mitigate a number of real risks that are present when the company does not own the asset.
An important key is to define a risk profile that delineates when asset ownership is really necessary to meet compliance obligations or address a critical security risk. Only implement a PYOD model above that threshold.
What’s next for BYOD?
IT professionals know that there are two kinds of technology trends: short-lived fads and industry-changers. Enterprise adoption of consumer-originated technology is not a fad. The shift to a diverse and mobile set of end points with multiple personalities and complex ownership models is transformational. This shift has just begun and there are a number of paths forward.
First, the enterprise end user will continue to increase mobility and expect their enterprise services to adapt. IT organizations will need to develop a new set of competencies, including:
1) Internal mobile applications development – You will need HMI (human machine interface) and UX (user experience) skill sets for developing iOS or Android applications.
2) A stronger understanding of cellular/mobile broadband – Understanding how cellular networks operate and their strengths and weaknesses as a part of your extended infrastructure is important. Mobile operators are currently active in opening up APIs (applications programming interfaces) and interfaces for enterprises. You will need cellular experts that understand the value-added services provided by mobile operators (such as achieving predictable SLAs – service level agreements).
3) Security processes that address a new class of situations brought forth by increased mobility and diversity – remote tracking, recovery, wiping and reconfiguration of devices.
Over time, the value of connecting intelligent devices to a network will expand the supported device count dramatically. This ‘Internet of Things’ will be the next phase of BYOD challenges. Examples of this are:
1) Cars will become connected – meeting appointments will be sent directly to in-car navigation systems and automatically adjust travel. Your company scheduling system might pull data automatically and estimate time of arrival to dynamically adjust meeting start times.
2) Sensors will track biofeedback, monitoring the health of employees and gathering data to better customize health care options and create incentives. The sensors are unlikely to come from traditional enterprise suppliers. There is already a thriving innovation ecosystem for such sensors (e.g. Nike).
Finally, without care and effort, BYOD can become ‘Bring Your Own Danger.’ Mobile devices are far more likely to be lost, stolen or sold than traditional IT assets. Attackers get more face time with mobile devices than laptops, so a new attack vector emerges. Employees in search of a ‘frictionless’ mobile experience notoriously disable security controls that affect usability. These controls must be carefully evaluated in controlled areas via early BYOD trials to ensure they improve security postures while not causing real-world users to disable them. Data loss prevention and chain of custody software will become more prevalent. Organizations must also plan for the inevitable security events that originate because of BYOD.
The enterprise is becoming dependent on mobility beyond its network and cannot thrive without including innovation from the consumer ecosystem. It is critical for enterprise adopters to recognize that BYOD is not an isolated scenario, but must be tightly integrated with information-centric cloud architectures that enable asset protection and fluid consumer interfaces.