BYOA should be encouraged, but within limits


Summary: More employees are bringing third-party or homebrewed apps into the corporate space without permission, a practice companies should provision for instead of restricting, as it boosts productivity and innovation, observers suggest.


The bring-your-own-device trend (BYOD) has evolved to a point where employees are now bringing their own mobile applications to be used at work too. But instead of clamping down on this practice over fears that data security may be compromised, companies should harness the benefits brought by these apps, one industry player says.

According to a Fortinet survey in June, 69 percent of respondents indicated that they are interested in bring-your-own-application (BYOA) whereby workers create and use their custom applications at work. When asked whether companies have policies banning the use of these non-approved applications, 30 percent admitted they have or would contravene office policies.

Commenting on this, Marc Bown, managing consultant of SpiderLabs at security company Trustwave Asia-Pacific, said the BYOA trend, like BYOD, represents a loss of control on the part of IT and risk departments.

Organizations would previously manage data security by enforcing security measures on devices that were preconfigured to access the corporate network on certain parameters, but in the BYOA era, the data is likely to be stored on a mobile device and in a cloud-based service somewhere else, Bown noted. There's also the likelihood that the data stored on cloud services may be lost should the service provider fail to sustain its business, he added.

This means corporate data could potentially end up everywhere and be replicated on several mobile devices, leaving IT staff without control over the use of external applications such as Dropbox and Evernote, Guido Crucq, general manager of security solutions at Dimension Data Asia-Pacific, noted.

Crucq said it will be worse if employees bring their own code and applications into the organization as these put client data compliance and confidentiality, as well as general productivity, at risk.

Benefits outweigh risks
However, Karim Mohamad, head of database and technology marketing at SAP Asia-Pacific and Japan, pointed out that enterprises should understand the benefits and risks of BYOA before clamping down on this practice. Mobile apps are an important asset and opportunity that companies should leverage, he stated.

Through these apps, employees can more easily collaborate by sharing presentations, video files, and other media assets, he noted.

Homebrewed apps or even unauthorized apps developed internally are also a "great source" of new ideas and approaches that can add significant value to organizations, Mohamad said. Should these apps take off in a big way, they might generate significant internal demand or even be spun off into new companies like in the case of SuccessFactors, the executive added.

Terry Smagh, vice president of Southeast and North Asia at QlikView, added that companies can provision for the BYOA trend by offering a controlled environment that empowers business users and encourages innovation yet still safeguards their IT environments.

Bown pointed out that many third-party, consumer-grade apps do come with features intended for use in environments which require higher security standards. Evernote, for example, has the ability to encrypt users' notes so that even if the cloud-based service is compromised the information stored on its platform remains safe, he said.

Thus, he urged companies to learn from the unsanctioned apps end-users are bringing into the enterprise as it would help improve their security posture. "Closing the door on BYOA will stifle innovation while learning from it can help make enterprise security stronger," he said.

Topics: Security, Apps, Enterprise Software, Mobility

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

  • horrible idea

    support, security, manageability, legal issues.

    What happens when an employee brings in a pirated app, the employee puts company into it, then company is now sued by the owner of the application when they find out.
    • We had a few

      users syncing their work documents with Skydrive recently. After we noticed it via proxy logs, we shut it down. They actually complained....LOL. HR asked them to wipe the corporate documents off their Skydrive....or lose their job.

      I get that it probably made life easy for them, like having access to their files without having to use VPN etc but if they quit or get fired or Skydrive has an "account" issue where a few million accounts are hacked then what happens to that corporate data???
      • alternatives

        Strong file-open passwords or encryption could reduce or eliminate concerns about others stealing company IP.

        However, the main reason storing company IP on non-company media is the risk that fired employees would still have access to it after they're fired. Of course, this problem also exists for employees allowed to work from home accessing company files via VPN.

        Note, however, that the article isn't so much about using company data on other devices as it is using apps on other devices. It may be possible for HR departments to oblige any employee wanting to use their own apps to sign hold-harmless agreements whereby they'd have to indemnify their employer for any damages arising from using unlicensed software.
  • If employees are skirting IT...

    that means that IT is not providing the service that is required for maximum efficiency. Leaders of a company should use the prevalence of outside software in their review of the IT department. If more work is getting done outside of IT, and it's more profitable, then fire the entire IT department and get new people who understand that the business comes first!
    Tony Burzio
    • not always

      It also could mean that a user is comfortable with their own app, and doesn't want to learn to use a different way. Neither one is really wrong, business needs to come to IT if they have a problem with the current approved apps.

      Oh, and IT's job usually isn't to provide service for "maximum efficiency".
      • so what's IT's job?

        It's to optimize cost-benefit for the IT infrastructure, that is, provide the most IT services and products for the least cost.

        But if employees are providing their own software (assuming they're obliged to hold their employers harmless if they use unlicensed software), that'd seem to be cost-free for their employer, so any increased productivity from such software would clearly be a net benefit to their employer.

        I've been on both sides of this issue. Some employees can go overboard with additional software, but companies which provide people with MBAs or graduate degrees in technical fields with just Microsoft Office and Notepad and expect them to do technical writing are being at best obtuse and obstructionist. I've heard an IT analyst tell an economics PhD that he didn't need a TeX editor because Word had an equation editor.

        In my experience there are proportionally more overly bureaucratic IT departments than there are wild-eyed rogue users.
    • Why hold IT the blame?

      Often the cause is budgetary, and most organizations I've been a part of barely budget enough for Band Aids that keep old equipment running. Often it isn't even the IT department, but the user's department that must pay for such software from their budget. If their request is denied by their supervisor, it is hardly an IT issue.
  • It's not like I'd remove apps on a personal device . . .

    It's not like I'd remove my own apps on a personal device if I were to bring it to work.

    If they don't like my apps - well, they can pay for me to buy a separate business phone.

    I'm personally not really seeing the benefit of this whole BYOD thing.

    "Homebrewed apps or even unauthorized apps developed internally are also a 'great source' of new ideas and approaches that can add significant value to organizations, Mohamad said."

    It doesn't have to be "BYOA" to allow this. You just need to set up an app approval process that's open to your employees.

    "Bown pointed out that many third-party, consumer-grade apps do come with features intended for use in environments which require higher security standards."

    Right, but it's hit and miss. Many apps have security features scattered around a bit, but may not have a holistic approach that covers every aspect of the app.
    • Not only is the app's security hit or miss....

      ...the employees' knowledge of what security features need to be in place and how to use them even if they are is hit or miss too and about 90% miss in my experience.