Bring Your Own Device Movement

From New Media Business Blog


Bring Your Own Device (BYOD) is a general principle that allows employees to bring their personal devices, such as laptops, phones or tablets, into the workplace. They are able to access company resources, applications and Ethernet through their devices alongside their own personal data and applications [1] [2]. One main reason behind the emergence of BYOD is the evolution of technology, in which mobile platforms are now nearly as powerful as personal computers. The consumerization of IT is another factor that supports BYOD. Nowadays, individuals have better hardware and software on the go, at home, or at work. Thus, the gap between technologies and people has lessened, driving people to enhance their work environment [3]. This enables employees to bring their own smartphone or tablet to work. Moreover, many companies are implementing BYOD strategies by offering every conceivable software via the internet and allowing employees to have their own ‘personal’ cloud.

Another common principle is Inverse BYOD [4]. Many companies issue devices such as company phones or tablets for business use.


BYOD in Practice

In order to understand some of the benefits, threats, security implications and privacy issues of BYOD, the current technologies used in industry should be understood. Though most technologies that enable BYOD today run seamlessly in the background for the user, an appreciation of how the technology works helps to pinpoint security flaws and can also shed light on how some BYOD technologies can be leveraged for business advantage.

Emails

The most prevalent form of BYOD in the workplace is the issuance of corporate email. BlackBerry has been a common method of email delivery. BlackBerry’s encryption-based security infrastructure became the reason for its popularity amongst corporations, and it is even approved for use by some government bodies [5].

Stivers, BYOD Email.
Image [6] - A hallmark of BlackBerry’s devices is the convenience of the BlackBerry Enterprise Server (BES), compatible with email servers such as Exchange, coupled with RIM’s Network Operating Center.
Stivers, Microsoft Exchange.
Image [7] - The Apple products shown here contain a Configuration Profile and Private Key to authenticate themselves across several firewalls over the air to access corporate email using Exchange ActiveSync.

RIM’s Network Operating Center (NOC) for push email improves corporate email security because it does not require devices to access company firewall ports directly [8]. This is not to say that outages occur often in NOCs, but the NOC can be a possible single point of failure. In October 2011, a worldwide service blackout caused by RIM’s core switch failures in Waterloo disrupted email delivery service [9].

Another popular device provider for corporate email is Apple. Their secure solution is a Private Key issued by a certificate server that is authenticated with a directory service, such as Active Directory. To configure policies, which may include requirements for passcodes or disabling screenshot features, a Configuration Profile is installed on an employee’s Apple product.

The control of a personal device is often done through a Mobile Device Management application, discussed in the next section.

Mobile Device Management (MDM)

MDMs are tools used to manage and configure mobile devices in an enterprise. Common features of MDMs include, but are not limited to, over-the-air servicing (where devices are not required to be physically connected to the enterprise in order to be controlled), remote locking and wiping, policy provisioning, and asset tracking and maintenance.

One MDM vendor is Airwatch, which supports deployments of devices for a variety of industry sectors. Airwatch claims to centralize management of mobile platforms for company BYOD programs [10]. For example, Airwatch offers profiles to configure device settings to restrict app usage, set device lock/wipe policies and limit other device features. Other common MDMs include Apple’s iPhone Configuration Utility or RIM’s BlackBerry Enterprise Server [11] [12].

Therefore, the most pertinent issue for companies using MDMs is whether BYOD policies should infringe on the freedom of an employee to fully use the features of their personal device in order to maintain control over enterprise information. For instance, a company may disable a smartphone’s ability to capture screenshots to mitigate the risk of confidential information being saved locally on the device. However, the employee may use this feature for personal use. A company that restricts this feature can be said to have “locked down” the device and to have defeated the original purpose of BYOD, which is to prevent employees having to be restricted from features normally found on corporate issued devices.

Applications

Stivers, Applications.
Image [13]- A simple representation of application virtualization.

A popular means of delivering corporate applications to employee devices is through virtualization. Vendors such as Citrix and VMware offer a wide range of solutions for companies wishing to implement a BYOD program. As shown in the figure, a common infrastructure, usually located in the company data center, will have different physical servers (aka farms) to handle certain tasks. Some may load-balance network bandwidth for mobile devices while others may only handle application processes. The end-user will see on their device a virtualized representation of their desktop or application, but none of the data is processed on the user’s local machine. Instead, all the data handling is done back at the hub.

Another method of delivering applications that are developed in-house by companies is through a self-service app hub. This is similar to an “app store” made only accessible to approved employees. Companies create and store the application in their hosted server and distribute a URL to devices for deployment [14].

One of the key advantages of virtualization is that applications/desktops can be delivered to any hardware, even hardware that does not have extensive capabilities. As a result, this scalability is a cost saving for companies implementing BYOD because end-users do not necessarily require hardware upgrades. Therefore, virtualization, made popular by the BYOD movement, can be described as a driver radically changing the traditional personal computing landscape for these reasons:

  • Older hardware can have the same computing processing power as their up-to-date counterparts because application delivery is completed on back-end servers;
  • Mobile devices such as tablets and phones allow users access to corporate applications just as well as conventional personal computers.

Security

There is an array of security authentication methods to access company resources through mobile devices. One common security mechanism is 2-Step Authentication, also known as Two-Factor Authentication. This can take the form of any two of these characteristics [15]:

  • Something a user knows (usually a password, answers to secret questions or PIN);
  • Something a user has (typically a token, a card or mobile device);
  • Something a user is (biometrics such as retina, fingerprints or voice recognition).

In addition to a username and password, many firms issue either a soft or hard token for authentication. Traditional hardware tokens run a clock or counter that feeds an algorithm to generate a seemingly random set of numbers that users must use to authenticate. Mobile devices such as BlackBerry and iPhones can also serve as tokens through an app, and this is known as a soft token. However, using the same device both as the token and to access company resources is not necessarily considered by some as true 2-Step Authentication.

Risk-based technologies also exist for user access. A risk score is assigned based on how, where and what device a user authenticates from. If the risk score deviates greatly from normal authentication sessions, then the user is denied access. This technology is usually coupled with a token, a GPS-enabled device or a card that the user possesses. A prime example is credit cards, where a transaction, unless made known to the credit card issuer, may be denied if it is made from somewhere not near the billing address.

Single Sign On (SSO) links together multiple systems and merges them under one login credential to gain access to all of these systems. Likewise, a single sign-out by a user will terminate all sessions. The advantage of SSO would largely be a convenience factor for the user, where fewer passwords need to be remembered since, ideally, a single more secure password is used. A major criticism would then be that multiple systems become vulnerable if the credential is compromised, since “the master key to all doors” has been given away.
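A minimal sketch of such a risk score, added here as an illustration and not taken from the original article or any product: each attempt is compared with the user's past sessions on how (method), what device and where, and the weighted deviation decides between allowing, asking for the token, or denying. The weights, thresholds, class names and sample history are all assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Assumed tuning values for this sketch.
W_HOW, W_DEVICE, W_WHERE = 0.2, 0.4, 0.4   # weights, summing to 1.0
FAR_KM = 500.0       # distance at which "where" counts as fully unusual
STEP_UP_AT = 0.4     # at or above this score: also require the token
DENY_AT = 0.7        # at or above this score: refuse the session


@dataclass(frozen=True)
class Login:
    method: str      # how:  e.g. "password+token" or "password"
    device_id: str   # what device
    lat: float       # where
    lon: float


def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(h, 1.0)))


class RiskProfile:
    """Baseline of a user's normal sessions, built from past logins."""

    def __init__(self, history):
        if not history:
            raise ValueError("a baseline needs at least one past login")
        self.history = list(history)
        self.methods = Counter(l.method for l in self.history)
        self.devices = Counter(l.device_id for l in self.history)

    def _rarity(self, counts: Counter, value: str) -> float:
        # 0.0 = seen in every past session, 1.0 = never seen before.
        return 1.0 - counts[value] / len(self.history)

    def score(self, attempt: Login) -> float:
        nearest = min(km_between(attempt, past) for past in self.history)
        where = min(nearest / FAR_KM, 1.0)
        how = self._rarity(self.methods, attempt.method)
        what = self._rarity(self.devices, attempt.device_id)
        return round(W_HOW * how + W_DEVICE * what + W_WHERE * where, 3)

    def decide(self, attempt: Login) -> str:
        s = self.score(attempt)
        if s >= DENY_AT:
            return "deny"
        return "step-up" if s >= STEP_UP_AT else "allow"


# Constructed sample history: ten normal sessions from one city.
HOME = (49.28, -123.12)
HISTORY = ([Login("password+token", "phone-A", *HOME)] * 8
           + [Login("password+token", "laptop-B", *HOME)] * 2)
PROFILE = RiskProfile(HISTORY)

if __name__ == "__main__":
    attempts = {
        "usual phone, usual city": Login("password+token", "phone-A", *HOME),
        "unknown device, usual city": Login("password+token", "tablet-X", *HOME),
        "usual phone, far away": Login("password+token", "phone-A", -33.87, 151.21),
        "unknown device, far away, no token": Login("password", "tablet-X", -33.87, 151.21),
    }
    for label, attempt in attempts.items():
        print(f"{label}: score={PROFILE.score(attempt)} -> {PROFILE.decide(attempt)}")
```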

Technological BYOD Implications

One issue is the shifting of responsibility for technical support, given the vast variety of devices brought in to work by employees. A driving force behind the BYOD movement is the employee’s willingness to bear the costs of supporting their own device. However, with company resources such as email, data or applications enabled on those devices, a problem arises when employees, especially less technologically inclined users, have difficulty distinguishing between what is corporately supported and what is not. For instance, an employee seeks help from the company helpdesk as to why he/she is unable to log in remotely to the company virtualized desktop. The helpdesk discovers that a plugin, for example Java, requires an update in order for remote access to function. The company is not entirely responsible for keeping its employees’ devices up to date, but indirectly it is indeed responsible for enabling its employees’ on-the-go access. As a result, the extent to which a company is responsible for the personal devices of its employees is undefined.

Ideally, a secure and usable system using BYOD is essentially a balance of trade-offs. First is the matter of convenience. Users should be able to access company resources hassle-free and not be overwhelmed by the security mechanisms that are in place. As shown through SSO, the user only needs to authenticate once to access all systems without having to enter passwords multiple times. However, this can be insecure, as intruders need only to know a single credential to gain access to all systems, and inversely can lock out the legitimate users from all access. Second is the matter of privacy and keeping the device personal. Companies may use MDMs to control the functionalities of their employees’ devices, but employees should have the right to utilize all the features of their devices.

Industry Use

Citrix - TD Bank, Virtual Desktop

Finance: Financial giant JP Morgan recently adopted a ‘bring your own device’ policy at their Sydney headquarters. Employee devices are now registered with BYOD security software from Good Technology [1] and they have access to corporate systems through Citrix ‘Virtual Desktop Infrastructure’ [2], which allows employees to have remote access to company systems and documents. If a device is lost or stolen, all data is wiped through Good Technology [3].

Marketing: Many small start-up firms encourage a BYOD policy since they are smaller companies ranging from 10-20 employees. Being able to freely use a device that employees are comfortable with allows for better employee productivity. Especially in marketing social media companies, work and news change very quickly. BYOD is the standard for business mobility. Staying on top of the latest trends and news is important for marketing companies or E-businesses [4].

Some great industry examples are:

At Cisco, they cope with all tablets and smartphones by having a ‘virtual desktop’ to smooth out compatibility issues. It allows their employees, regardless of their device, to access office desktop applications. So if a device is lost, there is still integrity because the applications are still running back at the data centre. The IT department traditionally pre-determines a standardized workplace device, whether personal computers or smartphones. By implementing BYOD, IT must approach the problem differently. They may approve certain devices that are allowed access to company resources to ensure better security. Cisco provides a high-level solution architecture that must provide for wired, wireless, corporate LAN or mobile access to the network across all platforms and devices. As devices move from a corporate Wi-Fi network to a public network, the BYOD solution must provide secure access seamlessly for the user. Cisco provides many BYOD solutions including Cisco Jabber, Cisco Prime, and Cisco ScanSafe Cloud Web Security.

TD Bank implemented Citrix’s Virtual Desktop software. It resulted in workplace balance, retention and productivity. Workers are more willing to conduct collaborative work since they are not stuck at their workstations to produce work and results. Employees are able to communicate on the go at any given time. They have access to company documents and applications remotely.

BYOD Impacts

Companies implement BYOD strategy to enhance productivity and employee morale. However, some issues such as securing confidential data, increasing data plan cost, and separating personal vs. working hours could be challenging for these companies.

Advantages

When employers decide to have BYOD as part of their company culture, the business can save money on infrastructure costs associated with constant hardware updates hosted at the office and rentals for server space [7]. The business may experience an increase in employee productivity through the mobility and newer technology of their employees’ devices.

An employee who works under a BYOD policy is given more control over device use and mobile access to corporate information. This may increase employee morale and productivity. BYOD also enables employees to Bring Your Own App (BYOA) [8].

Issues [9]

Leaked confidential data

Businesses that allow a BYOD culture will face security challenges leading to increased risk of leaked confidential data. The confidential data can be obtained through hacking when employees’ devices lack proper mobile security. It can also be obtained when employees’ devices are stolen or lost.

Costs

The business can incur phone and data costs for their employees’ devices. The return on investment for these costs can be low depending on how much employees use phone and data service for personal reasons. Obtaining licences for software programs for each device is an enormous cost the business has to incur to avoid piracy lawsuits.

Challenges to the IT Department

BYOD poses a list of challenges for any IT department. There will be difficulties in troubleshooting technical problems when there are a variety of devices in the workplace. This becomes more difficult when the IT staff are unfamiliar with the devices. Maintaining compliance will require more work from individuals in the IT Department to maintain the BYOD policy.

Employees

Tech savvy vs non tech savvy

Regardless of the organizational culture, there are usually non-tech-savvy employees who will have to face a knowledge deficit and additional expenses for devices to catch up with the company’s device choice.

Less Control and Privacy

Employees can face less control of their devices when the company decides to add security measures. In order to ensure confidential information is safe, employers can use mobile device management software to monitor employees’ activities on their personal devices. This can violate the employee’s privacy when managers monitor personal information or activities. In addition, an employee’s privacy can be breached if their device is hacked or stolen, because of the confidential data on the device.

Workaholism

The employee’s personality can determine the impact of BYOD. Employees scoring high on neuroticism have a tendency to experience more anxiety. These employees will use BYOD as a means to relieve their work anxiety. Eventually employees will form workaholic habits because BYOD enables accessibility of work files anywhere and anytime. In addition, the work environment can also determine the impact of BYOD on employees. Work environments that are highly stressful can influence employees to behave the same as a neurotic employee. Workaholics are frequently ineffective employees because of the stress level these employees face.

Implementation

MobileIron, a mobile IT solution for security and management, identified eight major components for successful BYOD strategies. These are the following [10]:

Device Choice

A company will first have to know employees’ preferences and the existing devices in order to create a baseline for security and supportability features of the bring-your-own-device program. Next is to see how the program supports the existing operating systems and hardware of the company. A reassessment of the program is needed to account for variance in the service that the program provides in the different branches of the company. Once there is an acceptable standard, a certification plan then has to be created to evaluate the validity of future devices in the program. Users will then need to be notified of which devices are allowed in the company. To ensure the IT team stays up to date with the device choices used in the company, they’ll also need to be provided enough bandwidth.

User Experience and Privacy

A BYOD privacy policy will need IT to identify the activities and data that can be monitored as well as the appropriate action they have to take when certain circumstances occur. The policy will then have to be critically assessed for its security and restriction components to ensure the policy’s sustainability. IT will have to ensure core services (i.e. email, critical apps, WLAN access) are given to the employee as well as preserving the user’s experience. Lastly, employees will have to be clearly notified of all compliance issues.

Trust Model

The company has to identify and assess risks on personal devices so that they can come up with remediation options (i.e. notification, access control, quarantine, selective wipe). A tiered policy has to be set up for existing users and devices. Critical assessments have to be made of the suitability of the security policy being instituted.

App Design and Governance

In order to control app use, companies are advised to design their own mobile apps to match the trust level of personal devices. The app catalog available to employees will be based on device ownership. An app acceptable-use policy will have to be created and regularly updated. Violation of the policy will have to follow a remediation option (i.e. notification, access control, quarantine, or selective wipe).

Liability

A baseline protection for enterprise data on BYOD devices has to be developed after assessing the liability for usage, costs, and data loss. Below are examples of each:

  • Usage: Personal web, app usage, usage onsite vs. offsite, and usage inside work hours vs. outside work hours.
  • Costs: Partial stipend vs. full payment of service costs, monitoring, enforcement and audit costs of BYOD compliance policy.
  • Data loss: Risk and resulting liability of accessing and managing personal data (i.e. full instead of selective wipe by mistake).

Economics

Companies should shift the cost of device hardware to the user and move to a stipend model for service charges. Once the stipend model is implemented, companies should promote responsible usage among employees to control excess service charges. Employees must also be assessed for the productivity impact of using their desired platform. Costs associated with tax implications, compliance and audit should be reduced if legal assessment shows lower liability with personal devices.

Sustainability

To ensure suitability of the BYOD program, the company has to secure all corporate data, minimize the cost of implementation and enforcement, preserve the native user experience, and stay up to date with user preferences and personal devices.

Internal Marketing

To influence employees to buy into BYOD, the company has to communicate the benefits of BYOD to the employee and that it’s an HR initiative as much as an IT initiative. Defining and reinforcing IT’s role as well as branding will help employees know where to get help.

Future Implications

According to Jupiter Research [11], the number of employees who use their own device at work is expected to double in the next several years. This significant issue will require companies to focus more on security concerns due to connectivity issues and device loss.

Virtualization

Citrix - Xendesktop

To prevent corporate data loss, companies have developed many solutions. The most common ones are [1]:

  • Virtualization: Corporate data, and even the applications, are stored in the cloud. Employees cannot store corporate data on their personal devices. Everything is conducted/accessed through a virtualized platform. Applications such as Xendesktop provide this service for corporate use.
  • Walled Garden: Employees can monitor or process corporate data through a secured application installed on their personal devices. For example, a person has a CIBC app installed on the smartphone, and he/she can access the bank information anytime and anywhere as long as this person knows his/her banking username and password.
  • Limited Separation: Both personal and corporate data can be stored on employees' personal devices, and employees are allowed to process corporate data offline. Companies do not implement this strategy nowadays unless the data are not related to the corporate core business.

Virtualization is an increasing trend selected by many companies for its convenience and high security. Even if an employee loses his/her personal device, corporate data will still be stored securely in the database, and if the outsider does not know how to access the database, the files stored are still safe. Moreover, the limited separation approach does not solve the security issue when the device is lost, and the walled garden approach becomes vulnerable when an outsider knows an employee's password and, for some reason, has access to the employee's personal device.

Chief Mobile Officer (CMO)

Some companies have created a new "C" suite position called Chief Mobile Officer (CMO) [2] to manage connectivity issues and mobile device management solutions. Some of the responsibilities include:

  • Ensure global connectivity;
  • Monitor mobile security;
  • Stay connected with the internal corporate departments and external clients.

While this position is relatively new to many industries, it is reasonable for companies to consider mobile strategies seriously where more employees are indeed using their own devices in an environment in which BYOD practices are not mature.

Challenges

BYOD is still a very young topic in the business world, and to include BYOD in a corporation's value chain, companies continuously create, fail, and attempt to implement a proper and secure BYOD strategy without a clear sense of an industry practices benchmark. Some companies have tried to ban or limit the use of personal devices, but with the advance of technology, where most mobile devices nowadays can detect and connect to wireless Internet, such practices seem unrealistic. These companies still have to consider risks due to increased connectivity and personal data breach.

For companies already implementing a BYOD strategy, some of the cost structures, as mentioned in the previous sections, are unclear and could potentially become a burden. More serious problems such as internal hacking, employees' own mistakes, and device loss negatively impact companies' image and productivity. The recent FBI/CIA email investigation case [3] is a great example of how employees could mistakenly use the wrong communication channel.

Companies should always plan first before diving into BYOD, to evaluate the company's current performance and consider whether it would actually benefit them. In fact, if the risks of implementing a BYOD strategy are indeed costly and exceed the benefits received, companies need to reconsider whether such a strategy is worth the effort and time spent. Lastly, companies should also look into different mobile device management solutions and remember to always monitor their mobile security.



References

  1. Approaches To Protect Corporate Data
  2. BYOD Trend Highlights Need for Chief Mobility Officers
  3. FBI probe of CIA chief David Petraeus's emails led to affair discovery