CIO Magazine has an article out called “Leading from the front with BYOD”, which shows that thinking is moving past shutting the gate after the horse has bolted and towards leveraging a powerful tool. The article draws on Gartner information from a recent risk and security summit in Sydney. Gartner proposes a three-tiered approach to managing BYOD: securing the device, securing the data, and protecting the network.
Gartner suggests securing the device with a policy. That is, a piece of paper: not an actual security policy or a piece of security software, but a written piece of paper. This is a refreshing approach that trusts the end-user to be careful with the device. Keep it up to date. Don’t jailbreak it. Keep it secure. And so on. This is as opposed to the usual hoary approach that you often see as a contractor or temporary worker, which involves you not only signing the agreement, in blood, but also giving the organisation you work for the ability to nuke your device if they feel so inclined.
Gartner says the data has to be secured. This is simple in terms of today’s technology; however, a lot of people are yet to get there. The easiest way to do this is via some kind of virtual desktop (VDI) that the company owns and maintains behind a decent set of security. The desktop is then delivered with little or no touch on the device. However, this approach is still very limiting to the end-user and eventually will have to change. There are plenty of offerings, from private all the way through to public cloud, that can help here.
The last point Gartner makes is securing the network.
Unfortunately, a lot of organisations in New Zealand are behind the times when it comes to BYOD. If you are lucky, you might get email on your phone, but more likely you will be told that it has to be a company phone, rather than yours. If it is yours, then people want to be able to delete all the data on your device if you lose it, which, of course, no sane person is going to give anyone permission to do when you have your personal photos, email, and other information on your device.
If you are lucky enough to get access to some kind of VDI, you need to go through a long setup process and multiple layers of authentication, all for what generally can be a slow and painful end-user experience.
It’s about time organisations stopped trying to control the device and end-user and started to create an environment where a user can dictate and use their own tools to work their own way. The problem with trying to control the end-user is that they will simply find another way around you. Already people have Hotmail accounts, Dropbox accounts, SkyDrive, iCloud, 365, Google Apps, Google Mail, and the list goes on and on; these are already well in use across organisations today. Even if those services are locked down, people just forward their email on to the outside world. The horse has well and truly bolted. It is like the 1980s approach of putting limits on how much email you can have and how much file space you can consume: a ridiculous and expensive waste of time.
We still have, in the majority of places, this command and control type of behaviour over the user that is denigrating. It says that I don’t trust you to make a smart decision and take responsibility for things, so I will create all these tools and services to ensure that you do. At great cost, I might add. This is one of those great unqualified risks. “It is far too risky for our users to have web mail access!” shouts security. Meanwhile, the user can put a USB stick into the device or forward their email to a Hotmail account.
You have to trust people to make the right decisions and have a framework in place to help them out when they make a mistake.
There are significant cost reductions from allowing someone to bring their own device. For example, if I have my own laptop with the Office Suite, or access to Google Apps, or the Apple Productivity Suite, then my organisation does not need to buy a licence. Nor do they need to buy an OS licence. And so on. Further, I get to use the tools that I am most comfortable with, and so most productive with. The company is paying for less bandwidth, and the user is now paying for their phone, data allowance, and their end device. Not the company.
The old approach simply forces you to keep doing computing the way you always have, without being able to leverage any benefits, in a world that has moved on in leaps and bounds in the past three years. The horse has bolted. It’s time we put some simple, easy guidelines in place to allow full BYOD and leverage the benefits from it.