Smartphone BYOD – So Do It Already

Are your users banging down your door demanding that they be able to bring their own devices to work?  
Has the Chief Executive brought his iPad to you and told you to “put my email on it”?
Tired of being the department of NO?!?

Whether BYOD is a fad or a trend remains to be seen; however, it is creating real challenges for corporate IT today.  The technical response to BYOD has been patchy at best and woeful at worst.  The typical approach is to deploy an MDM and ask users to sign an Acceptable Use Policy (AUP) that has significant implications for users.  Even the legal experts who write the BYOD policy would not be comfortable signing it.
On the one hand users are saying “do it already” but on the other hand there are all the security risks and potential threats associated with BYOD.

Managing Behavior and Securing Data

There are two critical considerations when implementing BYOD. 
  1. Behavior
  2. Data

Behavior

Behavior relates to what behaviors you want your BYOD users to exhibit.  Deploying a mobile device management (MDM) tool will help with behavior but does a relatively poor job of securing data.  MDM will allow you to limit access to applications, networks and device features, but in the BYOD context the MDM value proposition is reduced simply because it isn’t your phone to muck with.  Users want to use their device, not be locked out of Facebook or YouTube or be forced to use their own device a certain way.  Behavior requires more than just a technical response. There is a need to educate users on the importance of the data they have access to.  As one large mining organization realised, their supposedly ‘dumb’ users were particularly ingenious when it came to circumventing mobile security.  In fact, one in three users will bypass corporate mobility security mechanisms.  To address the gap, the company created a training program that explained the effort expended in creating intellectual property and the importance of keeping the ‘secret sauce’ secret.  Users bought into the program and device compromises dropped significantly, highlighting the need for a cultural and technical approach to the issue.
Another aspect of behavior that enterprises need to monitor is the impact employee behavior has on the organisation’s brand.  Poor employee behavior has always been a consideration for businesses, but with mobile devices that can access all kinds of content, it is important that employees are aware of the implications of their behavior in public when using mobile devices.  Again, this is a training/cultural issue as much as a technology one.

Data

The biggest issue with MDM tools is that they don’t address the issue of data particularly well.  Access to email is an example of where things can go wrong quickly.  Drop a certificate onto the device that provides access to ActiveSync and we’re done… right?  Not so much.  Although information on the device is encrypted, there is little MDM can do to prevent copy and paste out of email into other environments like Gmail, Facebook etc.  When a user opens an attachment it is now on the device ‘in the wild’. Attachments can be backed up to iCloud or Dropbox, effectively removing them from company controls.  Sure, MDMs can turn off iCloud and restrict Dropbox, but in the BYOD use case you are then treading a fine line over how much 'control' you can reasonably expect to assert on a personal device.
One answer to this challenge has been deployment of container technologies.  Although containers show promise, they often cost more to purchase, install and maintain, making the entire BYOD promise of cost saving evaporate into thin air.  Containers add additional processing overhead due to encryption, which impacts battery life.  Lastly, the familiar and clean iOS or Android experience is eroded because users have to learn to use the container interface.
As one CIO put it, containers are instant legacy – “A protocol I don’t control, an application I don’t control and (in some cases) a Network Operation Center (NOC) I don’t control”.
A new trend we are seeing emerge is the ‘if it isn’t there I don’t have to secure it’ approach to data on mobile devices.  Essentially the model works on the ‘in memory’ principle, whereby as soon as the email, attachment or document is closed it is gone from the device.  Imagine being able to use your native smartphone's email, contacts and calendar but with the data effectively loaded on demand.  This model obviously requires a constant connection; however, new and innovative products that follow this trend can provide policies and capabilities for offline access, so substitute as needed.
The model focuses on the data rather than behavior – after all, a lot of the behavioral dynamics are data related.  Secure the data in a way that it can’t be ‘on the device’ and many restrictions that drive behavior disappear.

Control vs Flexibility

BYOD introduces another aspect to the historical IT dynamic of control vs flexibility.  BYOD users want maximum flexibility i.e. the ability to use their own device any way they choose.  Enterprises need to maintain control of their data and brand.
 
Depending on where the organisation is on the Control vs Flexibility continuum, certain technologies will be more relevant than others.  Policy requirements will also need to address what is allowable or expected for each type of user, making user segmentation an important analysis exercise.

Summary

To address BYOD, organisations need to address the fundamental issue of data security.  Addressing behavior via an MDM platform leaves too many gaps for data to escape the organisation.  Securing data does not have to greatly impact the user’s experience of their device; however, any technology deployment needs to be tailored to the user’s needs (user segmentation) and organisational objectives.
MSC Mobility has a number of technologies and enterprise strategies for making the most of your mobility investments.  For further information contact us today.

About Justin Roche

Justin is a senior consultant with MSC Mobility and has extensive experience working with enterprises to define their Mobility Strategy across security, compliance, application and expense management.
MSC Mobility is a specialist mobility services organisation working with Australian corporations to reduce the risks and costs associated with deploying and managing mobile fleets. MSC provides mobile enterprise application platform services to enable the mobile workforce.

 


Copyright © 2013, MSC Mobility Solutions.  All rights reserved