Securing the BYOD transformation
By 2017 half of all employees will be required to bring their own device to work. Yet around a third of enterprises have yet to implement a BYOD security policy. David Goldschlag, SVP of Strategy for Pulse Secure, looks at the security challenges and best practices needed for successful BYOD deployment.
Three decades ago, the IT and communication departments within enterprises held responsibility for all technology services: everything from telephony connected via ISDN leased lines, through desktop PCs, to the small but growing estate of laptops. The complexity of technology within that era made centralised responsibility and control absolutely critical. With the internet revolution and the consumerisation of IT came powerful new portable devices and capabilities delivered by software as a service (SaaS) that help to empower the employee. The result is an increasing realisation that IT, when placed more closely into the hands of users on devices they are familiar with, can lead to a more productive working environment.
Today, BYOD has become mainstream with 60 percent of companies already using it with an additional 14 percent in the process of planning their BYOD initiative. The concept has moved beyond just a tactical cost-cutting tool, with around 60 percent of companies viewing BYOD as a strategic way to mobilise more workers and improve productivity. Across many facets, organisations are benefiting from giving knowledge workers access to mobile applications such as email, browser, collaboration tools, document management and remote desktop access. However, there are still a number of challenges facing wider BYOD adoption.
Fragmentation and complexity
Across countless surveys, the number one perceived inhibitor to widespread BYOD adoption is security, followed closely by compliance issues. Security is not an ungrounded fear, as the use of enterprise apps on employee-owned mobile devices may lead to new data leakage and connectivity issues. Some relatively immature mobile security solutions that rely on native security enforcement tend to displace current network security solutions with unproven security gateways. This fear is further compounded by the fragmentation of the mobile operating system market. In stark contrast to the current desktop PC landscape, of which Microsoft Windows has over 90 percent market share, the mobile space comprises roughly 50 percent Google Android, 40 percent Apple and 10 percent others, including Microsoft, Blackberry and smaller niche players. However, the release cycle of new versions is measured in months instead of the average three-year refresh cycle of Windows.
This pace of change and fragmented market make it very difficult for IT to establish a consistent standard for security and support without being prescriptive about what devices an employee can bring to work. This control imposed on an employee is a barrier to acceptance of BYOD policies, with Gartner estimating that by 2016, 20 percent of enterprise BYOD programs will fail due to enterprise deployment of mobile device management measures that are too restrictive. Security also covers the inevitable loss of devices. Although all the major device manufacturers now include optional encryption across smartphone and tablet devices, there is still uncertainty over managing BYOD.
Uneven adoption of policy
Another area of concern is the lack of BYOD policy. Surveys run in 2014 by Millward Brown and Intelligent Defence found that between 30 percent and 40 percent of enterprises don’t have a formal BYOD security policy. This unexpectedly high number stems from two key areas. The first is that a significant number of organisations don’t officially support BYOD but turn a blind eye to the practice. However, as it is not officially allowed, IT departments may refuse to support users’ own devices, leading to a head-in-the-sand security situation. The other reason for the lack of a dedicated BYOD policy is the perceived complexity. As the BYOD concept is still relatively new and evolving quickly, some organisations have not adapted to the changes and simply categorise BYOD within existing security policies designed for desktops, laptops and traditional line of business applications residing behind the firewall.
Yet for all the challenges posed by BYOD, it is still flourishing with estimates from Gartner suggesting that half of all employees will be using their own devices by 2017. For organisations still struggling with BYOD there are some best practice guidelines.
Head out of the sand
The first is recognition that BYOD is probably already happening even if it’s not officially endorsed. In many organisations, this will start at the top with senior executives demanding access from tablets and laptops. For IT departments facing the challenge without support, this concern needs to be raised with a focus on security issues to encourage senior executives to accept that at the very least the enterprise needs to secure devices against potential data loss and compliance breaches.
Next, organisations need to build a sensible BYOD usage, management and security policy that is enforceable and meets the demands of end-users. A BYOD policy comprises several aspects. The first is compliance with any key industry requirements such as regulatory issues within healthcare, financial services and public sector. The policy also needs to meet the underlying application and business processes that employees need access to. Lastly, any policy needs to be backed up by enforcement and management tools. In some cases, these tools, which sit under the broad category of enterprise mobility management (EMM) solutions, will actually help in defining what can be enforced within a policy and help create processes for dealing with issues such as when devices are lost, stolen or misused.
EMM is increasingly a core component of every BYOD solution. Yet, like much of IT, not all EMM solutions are equal. Again in broad terms, best practice would suggest having an EMM that supports the widest range of devices and places the least restriction possible on the user. For example, some EMM solutions use container security that fully separates enterprise and employee data, apps, communications and networking, giving IT complete governance over corporate information on an end user’s BYOD workspace while not infringing on their personal privacy.
Another consideration is flexibility. With the BYOD concept less than a decade old, it is critical that anybody heading down this path consider technologies that are relatively open and able to support the widest ecosystem of applications. Organisations should also make sure that end-users are given access to the right applications; an example of this is including access to any built-in, public app store and custom-built apps, including leading ERP, CRM and collaboration apps from key vendors like Microsoft, SAP, Oracle and IBM.
The last area is education. Both users and technical teams need help in understanding the BYOD transformation. Having a sensible and enforceable BYOD policy backed up by strong EMM tools is only half the battle. Considering over half of security breaches are the result of human error, a successful BYOD transition requires enterprises to often evangelise the benefits and promote use to deliver the increases in productivity.