Today, whether you like it or not, whether you allow it or not, every organization has employees accessing office information via BYODs (“Bring Your Own Device”). Allowing access obviously opens up security flood gates that many IT may not be aware of at all. Let me discuss a bit about what is happening in the world today and briefly touch upon visibility of BYODs, talk about the new trend what is called BYOA and COPE, and then talk a little about the security for these BYOds.
A survey conducted by B2B International in July 2012 reveals that 33% percent of companies allow their staff unrestricted access to corporate resources from their smartphones or tablets. 38% of companies apply some kind of restriction on smartphone use: these include bans on access to certain network resources. A further 19% have a complete ban on the use of mobile devices for work activities. But only 11% of companies currently use some kind of BYOD management tools to ensure compliance with corporate security policies. 34% of those surveyed think that the use of personal devices presents a threat for business, and another 55% frequently think about how to reduce the risk. This increased focus on mobile devices from IT specialists is probably explained by the fact that 23% said they had faced the loss of business data due to the loss or theft of mobile devices.
Despite all the risks involved, only 9% of companies are planning to introduce a strict ban of their usage (and another 91% will be looking at solutions on how to manage these BYODs and the risks and the security issues better). . Interestingly, 36% of the IT specialists surveyed are sure that, irrespective of any new measures, the number of user devices in the workplace will only increase.
If this is all about BYOD, there is a new thing coming up called BYOA or what is called “bring your own applications”. BYOA cuts costs, reduces training requirements since users already are familiar with their apps and it will be relatively easy to integrate the apps into the organization's IT infrastructure. Agrees Edwin Schouten, IBM's Cloud Services Leader for Global Technology Service and sees lots of positives. Whether the IT likes or not there will be a plethora of applications running on corporate network driven by the employees or the consumers rather than IT – something IT needs to adopt, accept and move on and work more on how to secure my network inspite of BYOD and how to integrate user apps into the IT infrastructure securely rather than trying to put restrictions on the usage or option of the software or the apps. Basically consumerization of IT will be an unstoppable of change. This (BYOA) will be very familiar to the original impetus of BYOD. Infact the BYOA trend also is getting traction in Europe. The Telegraph takes a look at the issue. To quote telegraph on this, “Bring or choose, the trend is for employees to use such tools for storage note-taking and free apps such as Skype for voice communications. The numbers are already impressive. Yammer has more than five million corporate users, Google apps has 40 million active users and Dropbox has more than 50 million users”
While we are still digesting the BYOD and BYOA, another new concept is coming up which is called COPE or what is “Corporate Owned Personally Enabled”. In this scenario, the device itself is owned by the organization, but apps come from the employee. COPE , ReadWrite Enterprise has a story essentially works like this: the organization buys the device and still owns it, but the employee is allowed, within reason, to install the applications they want on the device, be it smartphone or traditional computer.
Basically general consensus in the CIO world is that IT should stop controlling BYOD or BYOA or COPE but start working on how to take advantage of this to reduce costs and bring in new tools to make sure the organization is secure and the consumer apps are well integrated. Many IT organizations probably can say that employees are not allowed or not deploying their personal devices (BYOD) on company’s network but according to the survey, 84% of smartphone users are also using their devices at work. While BYOD could mean increased productivity for your employees, it also is a potential threat to your overall network be it performance or security or the delivery of the applications running on it. According to ESG, 88% of enterprise organizations today allow for BYOD and personal use of devices while at work. Also mobile workforce enablement was ranked as a top ten IT priority by respondents to the ESG 2012 IT spending intentions research survey. Furthermore, additional ESG research shows that 88% of enterprise organizations with BYOD initiatives surveyed allow for mixed personal/work use on employee owned devices.
So what are the effects of allowing BYOD without checking? Yes there is a huge gain in productivity, drastic cut is costs, employee friendly etc. but leaves open a huge security hole, huge risks, excessive bandwidth load and in all impacting performance and security of business critical applications. If you are not ready for this additional network bandwidth consumption, these devices will actually start impacting negatively on productivity and revenue. Imagine all of your employees watching Netflix, or YouTube or downloading video or books or music or watching anything live at business hours. Due to this, performance of the corporate network can drastically come down impacting the performance of the corporate applications and employee productivity. For example, just one employee watching an HD Video (streams at 1.5MB/sec) could consume an entire T1 link.
Equally problematic, these BYOD devices have the ability to transfer items out of the enterprise. Not that it cannot be done via other computing devices but just the way apps are integrated into BYODs and the ease of use has made life much easier and sharing that much simpler. New applications such as Dropbox or iCloud enable employees to share files and content outside of the enterprise. This represents a potentially serious security threat depending on who is sharing information and what information is shared. Organizations need to get a handle on what is going on in their BYOD environment be it related to risks, network and application performance, potential data breaches, or lost employee productivity.
Some of the things NOT recommended are first to blindly upgrade or double your bandwidth and second, to buy any security tools without knowing where the hole is. When applications run slowly, the network typically gets blamed. Without any visibility into the network, and hence not knowing what actions are performed and by who etc., organizations tend to increase the bandwidth and hence run into higher operating costs. Worse, it does not take much time to clog the new bandwidth!! Without visibility and a baseline network performance, BYOD initiatives could prove to be detrimental to the network and the business.
Same goes with BYOD security too. Without visibility that is without the info such as what is happening, who are accessing what, how many devices and what types and who have access to what and what devices are connected via corporate network and what security holes they are creating, don’t deploy the tools else you will be band-aiding the wrong places. You need to know many things such as where are your sensitive files are, who are accessing them, who are accessing cloud services, who are using services such as Dropbox and what files are loaded and shared, is someone or some device accessing sensitive information etc. Visibility gives you the power of quickly identifying all these and the problem sources, data security holes and can make informed intelligent decisions on how to protect and what tools to buy. Once you are monitoring the environment, administrators will know exactly what is happening, organization can intelligently implement policies to ensure right people have access to right sites and files and effectively enforce and monitor the access.
The summary J
To handle various computing devices (BYOD) and numerous apps (BYOA), organizations first need to have visibility into the network and on these devices and the apps that are running on them. This granular information will enable organizations to understand which users, which apps, what access are being used or abused across the corporate network and corporate resources. Based on this visibility, organizations can implement policies regarding the right usage of recreational and business use of these devices and also get in the right security tools to ensure corporate critical info is protected. Failing to gain this visibility could lead organizations to unnecessarily overprovision network capacity to support employee recreational use or put tools which might not really fix the underlying security issue. As they say “knowing is everything”.
There are many companies that offer BYOD visualization and security tools (both intrusive agent and also non-intrusive agentless) and by deploying such tools, organizations can say yes to BYOD & BYOA and still retain control, ensure higher employee productivity, lower cost and make sure no productivity distraction happens nor any security holes left.
“Happy BYODing” J
Manjunath M Gowda
“Got BYOD? Get control of it”