The bring-your-own-device (BYOD) movement has proven to be both a godsend for workers and a nightmare for CIOs, especially when it comes to securing the data they carry.
Allowing workers to have greater choice in the tools that they use has undoubtedly raised employee satisfaction levels and — in theory at least — their productivity. But for CIOs it has meant ceding control over their organisation’s standard working environment, and ushered in a range of new concerns regarding how to secure those devices and the systems that they access. Reports of numerous incidences of notebooks and smartphones being left in taxis and airport lounges have only served to highlight the potential dangers of employees carrying critical information outside of the boundaries of their work environment.
A report released in March of this year by Web security company Websense found that in the previous 12 months more than half of the Australian organisations surveyed had experienced data loss resulting from employees’ use of insecure mobile devices, while 48 per cent reported an increase in viruses or malware infections because of mobile devices. The Global Study on Mobility Risks report also found that 61 per cent of 300 Australian respondents believed that the use of mobile devices in the workplace was important to achieving business objectives, but 85 per cent believed that these tools put their organisations at risk. Only 36 per cent had the necessary security controls to address the risk, and only 45 per cent had enforceable policies.
“Two years ago you couldn’t easily get people around a table to talk about these things, whereas now you are turning people away,” says Alison Higgins-Miller, vice-president for APAC at Websense. “If you are a CIO of an organisation, regardless of size, you are extremely concerned about your ability not only to protect those devices that you might be able to have some control over, but about all those ones that you have absolutely no control over.”
Despite these concerns, the march towards greater mobility seems inevitable, and it is being driven very much by users. In 2011, Optus surveyed IT and HR managers across 320 organisations. The results revealed that the take-up of tablets outside of executive management ranks was accelerating much more quickly than thought, particularly with field based workers, with organisations expecting adoption to leap from 4 per cent to 35 per cent over the next three to five years. Optus’ general manager for product marketing in mobility and convergence, Philip Parker, says the other key trend identified was BYOD.
“In a lot of organisations we are seeing staff pushing organisations to allow them to bring in their own devices,” Parker says. “The number of organisations that are going to allow their staff to bring in their own tablets is going to increase from 23 per cent to 55 per cent.”
Parker says there has been a corresponding increase in interest in mobile device management (MDM) tools, to ensure that sensitive information is managed and secured appropriately. Often this starts with implementation of a virtual private network, followed by the securing of the device itself through deployment of MDM.
“We don’t suggest one solution fits all, but with this proliferation of BYO devices it is increasingly more important that, if we are going to allow these devices to access the corporate network, they look at a mobile device management solution.”
But a divergence is opening up in the approach that CIOs can take. The first choice is to pursue the ‘app’ model popularised by smartphones, where large amounts of data are stored on the device itself. This leads to reduced reliance on connection to the organisation’s resources, and while more convenient in some circumstances, dictates a security model based on securing the device itself.
The alternative, however, is to follow the ‘Cloud’ model, where the intelligence resides within the network, and the remote device is primarily a smart browser that is heavily reliant on constant connectivity. This predicates a security model based on authentication and securing access through the device to corporate resources.
The proliferation of devices in the field has led to a similar explosion in the number of companies lining up to help secure them, including Good Technology, AirWatch and MobileIron. For the Bank of Queensland (BOQ), its implementation of BYOD was designed to provide better support for mobile staff by enabling them to use a wider range of devices. The bank selected a security solution from US company Good Technology to secure its access to corporate services such as email.
According to BOQ’s group executive for IT and operations, Chris Nilon, the new implementation replaced a regime that was too restrictive with regards to both security and the types of devices supported.
“We needed a solution that didn’t restrict or secure the device — it needed to provide users the freedom to use the devices as they were intended,” Nilon says. “Our focus was to secure our data and control what matters to our business the most — our information. We also needed to support a reasonable range of market leading devices, so it needed to have support for both Android and iOS.
“Ultimately, the device cannot be 100 per cent secure. It is the data that is critical after all.”
Nilon says the majority of users can now support themselves, which has effectively removed the need for his IT department to provide a comprehensive support model for them.
“Generally speaking, most users today are comfortable with mobile devices, and they require minimal support for the mail application itself, which is a bonus,” he says. “Handing staff the control and responsibility over the device’s use has been overwhelmingly appreciated.”
Nilon and his group are now investigating into expanding the solution to better enable secure file and document management. Technology services company CSC is another organisation that has pursued a BYOD strategy. CSC has historically been a user of Research in Motion’s BlackBerry devices, but its chief technology and innovation officer for Asia-Pacific and Japan, Bob Hayward, says that as its own clients started adopting other smartphones and tablets, so too did its workers demand the ability to use a wider variety of devices.
“It is rare to attend a meeting today with a CIO or board member who doesn’t refer to mobile devices as permanently changing the way their business works”
Hayward says workers had taken to carrying two or more devices in order to get around CSC’s locked-down devices. “It was a drain on productivity and people were getting confused by the number of different passwords they had to remember,” Hayward says. “And more worryingly, we were convinced that they were probably using their personal devices for a lot of work anyway. So the horse had already bolted, and we needed to reinforce policy in a corporate-sanctioned way rather than let it go feral.”
Eighteen months ago CSC undertook an extensive analysis of the players in the MDM market, and opted to introduce Good Technology. Hayward says that it is BlackBerry Enterprise Server (BES) that has been the jewel in Research in Motion’s crown, but MDM companies such as Good Technology mean that CSC can replicate that experience for Microsoft Exchange and Lotus Notes users on non-BlackBerry devices. About 5000 of CSC’s workforce are now using Good Technology solutions, and Hayward rates it as being at least as strong as BES in terms of security and policy implementation.
CSC has also deployed virtual desktop infrastructure so that workers can use Mac computers if they prefer. “I think MacBook Air is one of the most popular devices we see at CSC these days,” Hayward says. “Has this led to us being able to recruit more easily? Probably not. But it certainly makes people happier when they are doing their work.”
Hayward says CSC is also keen to explore an offshoot technology called Good Dynamics, which enables developers to integrate Good’s control, administration and security features directly into applications. CSC is also using BoxTone to provide management and device integration into CSC’s enterprise service management tools, including BMC and Tivoli.
Other MDM providers are finding fertile territory in Australia. The Sunshine Coast Regional Council (SCRC) for instance has deployed Optus’ MDM solution based on software from Californian company MobileIron. SCRC commenced deploying MobileIron to 100 users in August last year, and that number has since reached 800.
Optus’ MDM solution gives SCRC policy control on corporate and BYOD smartphones, along with visibility of what devices are attempting to access its Exchange environment and remote block and wipe of stolen devices.
The vice-president and managing director at security technology company Symantec, Craig Scroggie, says it is rare to attend a meeting today with a CIO or board member who doesn’t refer to mobile devices as permanently changing the way their business works.
“Mobility is a critical business tool, and we are talking about running line of business applications,” Scroggie says. “The stats we have from are that 60 per cent of businesses are running line-of-business apps from their handheld.” Scroggie believes the key consideration in security is authentication — ensuring that users really are who they claim to be. He says that in most instances customers are not keeping information on mobile devices, apart from a small amount of email that has been pushed down.
“That is one constant that every customer has today,” Scroggie says. “Identity verification, from outside the company or inside is absolutely critical. But there are more than 800 supported mobile devices today, and what most companies are coming to accept is they just can’t have a standard operating system anymore.”
Hayward expects many other Australian organisations to adopt MDM in coming years as they yield to user demand for more flexible device policies and working environments. “Senior executives never really took to desktops or laptops very well, but as soon as the tablet came out, it seemed to move into every boardroom in our clients globally in a matter of months,” Hayward says. “It has been the killer device for senior executives. And so in terms of visibility for the IT organisation, it is totally top of mind.”
According to Hayward, neither model of device-based or network-based security is winning out today.
“We’re seeing intensive interest in both,” Hayward says. “The really exciting features for enterprises of MDM are around encryption, enforced passwords, containerised apps within the device that prevent cut and paste and clean the device when lost. Those are the things that people are looking for in the MDM space.
“But they are asking what they need to move to server-based solutions, either internally or externally hosted.”
Hayward says the changes are in line with an evolution of the role of corporate IT from being a provider of solutions to become a broker of solutions.
“The modern IT environment should be somewhat akin to the experience you get when you walk into an Apple store, where you have dozens of people in blue shirts coming to help you,” Hayward says.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.