Commentary: The equilibrium between employees and the enterprise IT department has fundamentally shifted. Enterprise computing may once have been a command-and-control environment, in which IT dictated the image, configuration, and delivery model of technology for employees, but no more. Employee-owned smartphones and tablets in the workplace have fundamentally changed the balance of power. IT departments have to rewrite the rulebook as consumer technology permeates the workplace, one swipe at a time.
The Bring Your Own Device (BYOD) phenomenon, in which employees do company work on personal devices, is well underway at leading global enterprises. It’s now common to hear phrases such as “employee-liable” and “corporate-liable” in connection with BYOD. These terms are misleading, as they apply only to the mobile device itself. In fact, IT and employees are jointly liable for corporate data protection. It’s a hard pill for end users to swallow, but there is no chance of mitigating risk without their cooperation. That is why a solid partnership between IT and the employees they support is essential, and that partnership must be struck before personal devices enter the scene—call it the “zero-day preventative measure.”
BYOD will change your life; here’s how
The New Deal for IT and the employee: The new contract between employees and IT needs to sound something like this: “The employee can do anything they want with their personal data and applications on their iPhone, iPad, Android or BlackBerry devices, but IT reserves the right to stop access to proprietary applications or information if the device is out of compliance. That can mean wiping the device or placing it in detention until it is in compliance. Please sign this End User License Agreement.” When users understand that wide-ranging privileges come with a few responsibilities that can be managed with a high degree of autonomy, they are more likely to be cooperative.
IT becomes the Department of Motor Vehicles (no, really)
The Department of Motor Vehicles (DMV) issues licenses and checks paperwork, but the police enforce the use (or abuse) of those privileges, for example by ticketing speeding drivers.
In the past, IT has had to serve both roles: the enabler and the heavy hand of the law. In the new model, IT only needs to facilitate compliance (like the DMV) and relies on automation to enforce compliance (like the police).
IT simply can’t do it all anymore—the price for untethering information from corporate-controlled devices is that IT must respond to non-compliance in minutes, not hours. With BYOD, IT must become a rapid-reaction force at the device, application, data, and network levels, armed with a rational combination of policy and technology, to instantly respond to a new device entering the corporate realm. Does the device meet security standards? If so, what applications are allowed? If not, does it need to be quarantined or issued a security policy? If it does, ideally that will be done wirelessly and automatically, with minimal effort from the employee and from IT. Think of it as the DMV without the lines.
Detection & prevention
IT’s One-Two Punch: There are two basic sets of mechanisms available to the BYOD rapid-reaction force: detection and prevention.
Detection refers to IT’s monitoring of potentially troublesome activities or applications that are not actively malevolent—such as Angry Birds or Dropbox, or a data plan about to cross an expense threshold due to video traffic. In this case, IT’s job is to let line-of-business accountants know that their cost allowance is close to the limit, leaving the decision about how to manage that situation in the business units’ hands.
Prevention refers to automated, proactive responses to dangerous conditions. Imagine a board-book app on a jailbroken phone poised to receive next quarter’s sales projections. In this case, detection will not suffice; immediate action is necessary.
Vigilance will only take you so far!
It seems like every week new updates for iOS or Android are being made available. With each new update, an exponentially larger set of questions about vulnerabilities is added to the pile. The equation becomes even more complex given the heterogeneity of device types and manufacturers. Once BYOD enters your business, change is the only constant one can expect. The enlightened IT leader understands that no policy will completely protect the organization, and no policy lasts forever. While IT leaders are vigilant, the management of mobile devices is a secondary or even tertiary responsibility; updates will fall through the cracks. Dynamic policy shifts rule the day. Vigilance about the risks of new applications, new data, and new devices is a job requirement for IT in the BYOD era. A cloud-based mobile device management service will help IT leaders deal with the onslaught of patches, upgrades, and possibly malicious apps, ensuring compliance and increased end-user uptime. The speed of the cloud will allow the IT department to focus on policy updates rather than maintenance windows.
Three rings to rule them all
As BYOD becomes a central part of the enterprise, the IT leader will need to become the Lord of the Three Rings for device protection and data security:
- Ring 1: Mobile device management best practices. At minimum, the organization needs mobile device management best practices, including password enforcement, the ability to lock and wipe rogue devices, and over-the-air configuration of productivity services (email, Wi-Fi, VPN, business apps, and important documents). This is as basic to enterprise mobility as air and water are to human survival.
- Ring 2: Policy enforcement. The next level is a carefully written (yet dynamic) policy that relies on specific security capabilities. Take the staggering number of devices and multiply it by the myriad ways each employee requires specific and specialized access. This requires more than dynamism; only a superhero would be able to keep track of so many moving parts without the ability to set granular policies and continuously monitor devices.
- Ring 3: Advanced capabilities. At the high end of the capability scale are comprehensive certificate management and event-based security. This way the devices themselves can automatically enforce policies based, for example, on time and geography. Geo-sensing can shut off certain capabilities, such as the phone’s camera or email, if a user takes a phone into an unsecured Wi-Fi zone, a particular country, or a room with sensitive prototypes.
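The detection/prevention split from "IT's One-Two Punch" and the Ring 1 minimums above can be expressed as a small compliance evaluator. The following is an added illustration, not Fiberlink's code; the device attributes, minimum OS versions, app lists and the 90% data-plan threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed device posture record, as an MDM agent might report it (assumption).
@dataclass
class Device:
    owner: str
    platform: str            # "ios" or "android"
    os_version: tuple        # e.g. (6, 1)
    passcode_set: bool
    jailbroken: bool
    installed_apps: list = field(default_factory=list)
    data_used_mb: int = 0
    data_plan_mb: int = 0

MIN_OS = {"ios": (6, 0), "android": (4, 0)}   # Ring 1 floor (assumed values)
WATCHLIST_APPS = {"Dropbox", "Angry Birds"}  # detection only: notify, don't block
SENSITIVE_APPS = {"BoardBook"}               # carries proprietary data (hypothetical name)
PLAN_ALERT_RATIO = 0.9                       # detection: warn the business unit

def evaluate(dev):
    """Return (action, findings): action is 'allow', 'quarantine' or 'wipe_corporate';
    each finding is tagged 'prevent' (automated response) or 'detect' (notify only)."""
    findings = []
    apps = set(dev.installed_apps)
    # Prevention: dangerous conditions that need an immediate, automatic response.
    if dev.jailbroken:
        findings.append(("prevent", "jailbroken device"))
        if SENSITIVE_APPS & apps:
            findings.append(("prevent", "sensitive app on jailbroken device"))
    if not dev.passcode_set:
        findings.append(("prevent", "no passcode"))
    if dev.os_version < MIN_OS.get(dev.platform, (0,)):
        findings.append(("prevent", "OS below minimum"))
    # Detection: noisy but not malevolent; surface it and leave the decision to the business.
    for app in sorted(WATCHLIST_APPS & apps):
        findings.append(("detect", f"watchlist app {app}"))
    if dev.data_plan_mb and dev.data_used_mb >= PLAN_ALERT_RATIO * dev.data_plan_mb:
        findings.append(("detect", "data plan near expense threshold"))
    prevent = {msg for tag, msg in findings if tag == "prevent"}
    if "sensitive app on jailbroken device" in prevent:
        action = "wipe_corporate"    # proprietary data exposed: remove corporate data
    elif prevent:
        action = "quarantine"        # "detention" until back in compliance
    else:
        action = "allow"
    return action, findings
```

Detection findings never change the action by themselves, which is the point of the split: they produce a notification, while only prevention findings trigger quarantine or a wipe.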
In the face of change, IT must be like a dove, taking a Zen-like stance of peaceful observation, but must also be prepared to swoop in like a bird of prey, ready to snatch rogue devices from the network if necessary. Ultimately, in the age of mobile consumerization, cooperation is key. As long as employees understand the agreement and can use their own tools, with help from IT to keep corporate data secure, peaceful coexistence can prevail.
Chris Clark is president and COO at Fiberlink – a mobile device management company that manages more than one million endpoints globally.