- Hiren Mehta and Srinivasan Viswanathan
For those who are unaware, Bring Your Own Device (BYOD) is a strategy that allows employees to use their personal devices to access enterprise data and applications. The majority of BYOD programs are tailored towards smartphones and tablets brought to work by employees, and less towards PCs. According to Forrester Research, 53% of employees use their own devices for work purposes, and this trend is set to increase with the proliferation of cheap Android smartphones and tablets in the market. While email used to be the main professional activity on mobile devices, with the advent of robust productivity suites that offer Word, PowerPoint and Excel document editing, smartphones are now increasingly being used for on-the-go productivity.
The biggest difference in the BYOD situation of today versus that of a few years ago, according to Mrinmoy Purkayastha (AVP – Marketing, Calsoft Labs), is the astounding variety of devices and platforms being used in the workplace today. “Back then, BlackBerries were the first device to be used widely in the workplace, so enterprises were able to set up servers with access controls for BlackBerries. With iPad and Android device usage growing rapidly among consumers, there is now a challenge of managing a wide variety of devices, with a unique set of configurations needed for each one,” Purkayastha says.
Another challenge BYOD implementation faces now, which was not as significant a few years back, is the issue of device ownership. How much freedom will an employee have with a phone once it becomes enterprise-ready? As Surendra Singh (Regional Director, Websense) told us, “The challenge arises in the form of ownership issues. Different classes of employees would have a different level of need to use their own devices for official purposes while being away from office”. He added, “If you are planning to do whitelisting on an employee-owned device, while that may increase security, it will stifle the employee's freedom to install applications of his choice”. With the exponential growth of mobile apps, controlling an employee's device becomes a much tougher issue.
Technology is moving so fast in today's world that it becomes outdated within a few months. With the affordable prices of smartphones and tablets in the market, mobile devices have a relatively short life cycle, as consumers keep upgrading to newer and more powerful versions. On the other hand, enterprise devices have an extremely long shelf life, and businesses tend to be averse to changing their infrastructure often because of the investment and time required to do so. In an ever-evolving environment, businesses are being forced to embrace the dynamic technologies brought to work by their employees. BYOD could be an effective cost-cutting mechanism for enterprises, as it facilitates the productivity of employees at the cost of the employees themselves, as customers bear the expense of the hardware being used. Hence, enterprises only become responsible for the IT management of the device, to ensure the security of enterprise data. In our next segment, we will look at some principles a company needs to follow to implement BYOD.
Today's Threats Can't Be Avoided by Technology Alone!
Surendra Singh, Regional Director - India & SAARC, Websense, shares with us his opinion on what BYOD means for both the employee and the employer from a security standpoint.
How has BYOD as a concept evolved over the years?
Earlier, BYOD was just an idea. It was not the case that it was seeing widespread deployment as we are witnessing today. However, as time progressed and the scale of operations for many businesses became 24x7, there was an increasing need felt for combining work and personal activities without using different devices. This gave rise to the phenomenon of BYOD.
What new developments in technology are supporting BYOD?
Security solutions which are being released in the market today address many of the concerns that organizations have while considering to allow BYOD. Personally, I feel that white-listing is not always a better alternative to blacklisting, in spite of the number of apps being launched every day. If it's a corporate-owned device, then yes, white-listing would be advisable, but if you are planning to do white-listing on an employee-owned device, while that may increase security, it will stifle the employee's freedom to install applications of his choice.
How can SMEs go about implementing BYOD?
I do not think the size of the organization will make a difference when it comes to implementing BYOD. The same concerns that an enterprise would have would also be applicable to small or midsize businesses. But yes, you do need to clearly differentiate between an employee-owned device and a corporate-owned device. In fact, as far as SMEs implementing BYOD is concerned, I think they will be better off having a cloud-based approach to implementing BYOD.
How can organizations be ready to cope with BYOD?
Organizations should be ready for the increasing usage of e-mail on mobile phones. The ownership of the devices, as well as the data, needs to be mutually agreed upon between the employee and the employer, based on the specific needs. One of the key decision-making factors is the need for employees to actually use the devices while they are away from office.
What about the need to orient employees in order to make them aware of the security risks they face while enjoying BYOD?
There are two types of threats which they need to be aware of: the first one is legacy threats, which can be addressed using training. However, the second one, modern threats (such as phishing), would demand an approach that is not purely based on technology but develops good intuition. For instance, information available today about a particular person through social media can be easily consolidated and misused by spoofers to lure genuine people into disclosing information that they shouldn't otherwise.
What are the key challenges and opportunities with BYOD in your opinion?
As far as the challenges are concerned, I do not think that technology will be much of a challenge. The challenge arises in the form of ownership issues. Different classes of employees would have a different level of need to use their own devices for official purposes while being away from office. Their need to be compensated for this will be another key challenge.
As far as the opportunities are concerned, I think BYOD allows for a 24x7 scale of operations. Today I hardly see any clear distinction between a purely work time slot and a purely personal time slot since these activities are often found to be distributed throughout the weekly schedule of a person with no long-running batches. BYOD also makes it convenient for the user by having to carry just one device for all purposes. For the businesses wanting to adopt BYOD, MDM solutions by themselves are not sufficient but you need security solutions as well.
Bring Your Own Device: 5 Steps For A Successful Strategy
With both enterprise data and privacy at stake, there are some key principles that a business has to implement to achieve an effective and secure BYOD scenario at the workplace.
1. Mutually agreeable device policies
Setting up policies can be one of the most crucial preparations needed to adopt BYOD. As Surendra Singh (Regional Director, Websense) puts it, “The ownership of the devices, as well as the data, needs to be mutually agreed upon between the employee and the employer, based on the specific needs.” When it comes to restricting content in a BYOD strategy, “whitelisting versus blacklisting” of apps is a key area of contention. As Singh pointed out, “If it's a corporate-owned device, then yes, whitelisting would be advisable, but if you are planning to do whitelisting on an employee-owned device, while that may increase security, it will stifle the employee's freedom to install applications of his choice”. In such a tricky situation, the business also needs to be considerate of the employee, who would desire some amount of flexibility in installing their own content. So how can this fine balance of control be achieved? Only through a policy that both employee and employer agree upon mutually.
2. Setting up access controls
With new smartphones coming out on a daily basis, the corporate environment needs to be ready to cater to a “jungle” of devices held by employees. As Mrinmoy Purkayastha (AVP – Marketing, Calsoft Labs) pointed out, “We are now looking at a variety of application servers to service all the different devices brought to the enterprise. Traditionally, the network administrator only had to deal with Windows operating systems. With Apple and Android devices, you need to set up access control policies so that the moment they connect to the network, their device is in a controlled environment. However, the challenge is in dealing with the continuous evolution of these devices”. Purkayastha added that the industry has still not come up with a “single management server”, that can dynamically allocate rules for new devices.
3. Infrastructure to deliver content
With the diversity of devices owned by employees, businesses have to set up servers to deliver content specific for the device. As Purkayastha noted, “When we want to serve content to a device, we need to test application servers for compatibility with devices. There needs to be consideration of what kind of information can be served on a device, depending on its screen size and resolution. The server needs to recognize prioritization of information, so that the user experience is not disturbed. The enterprise needs to ask what infrastructure is needed for a laptop, a smartphone or a tablet so that information is presented well”. He also added that in terms of media streaming, servers must be robust enough to cater to streaming in various protocols. “Android uses its own VP8 protocol for streaming, while Apple uses its Darwin protocol. Hence, if you are trying to give rich multimedia content to the user, catering to various protocols is a big challenge.”
4. Set up layers of anti-malware
Another important strategy is to set up anti-malware on both the network as well as employee-owned devices. Rajesh Maurya (Country Manager, Fortinet Technologies India) said, “If employees download spam on their devices, as the anti-spam is on the phone and not installed on the network, malware can make its way to the network”. He added, “The network should not allow infected data to come in. If a device gets infected, the virus should not breach the private network”. To ensure this, Maurya said that anti-malware software should be a dual-layer strategy, installed on both the employee end as well as the network end. Maurya also added that a third layer of security can be applied, saying “service providers also operate solutions known as clean bandwidth, which filters data before transmitting it to the end user, which they offer as a value-added service”.
5. Understanding compatibility
It is also crucial that a business has a deep understanding of the applications and tools end users will try to access on their devices. As Amrish Goyal (Director, Windows Business Group, Microsoft India) pointed out, “Companies need to understand the kind of tools that users need to access, and whether they will even work on devices employees bring”. He added, “For instance, think of a CRM solution. Whether it is provided by SAP or other CRM vendors, those companies would want you to access the solution in its native environment. The solutions will also be reasonably closed to protect the integrity of data involved. In such a case, it would be a daunting task to create an app for it with the same level of security as the native form”. Hence, one of the first things a company will have to do is to identify if there is good compatibility between their programs and the devices they wish to support in the workplace. If there are going to be security problems catering to mobile devices, either those security issues have to be fixed or workarounds have to be arranged for a successful BYOD strategy to take effect.
Windows To Go – Perfect for Those “On-the-Go”
Many enterprises may not be entirely comfortable with the concept of aligning various devices to suit their environment. Instead, why not give employees a fully managed operating system that they can use on whatever device they choose? Windows To Go is Microsoft's latest pitch to its enterprise customers, tailored to their needs for a secure corporate environment wherever they may be. Windows To Go is an image of Windows 8 Enterprise which runs off a mass storage device, completely representing your own corporate desktop. We spoke with Microsoft's Amrish Goyal, Director, Windows Business Group, Microsoft India, to find out all about this exciting feature.
What can Windows To Go offer to enterprises?
Goyal: Windows To Go was designed with mobility in mind, catered towards enterprise users in the marketplace. We wanted to take mobility to the next level, and enable computing for end users who do not have a PC around with them all the time. Windows To Go gives you the ability to access company information and applications from behind the company's firewall. Using a minimum 32GB USB drive, you can store your primary system's image in the bootable USB. You can transfer your credentials, account, corporate information to the USB, so it boots up exactly like your primary system. At the end user experience, there will be no difference between using it on a host system versus using it on your office primary system.
What's the big difference between Windows To Go and using VPN to log into your corporate network?
Goyal: For VPN to work, you still need to have a specific device with a specific VPN application residing on it provided by your company, which is used to connect to the network. With Windows To Go, you don't need any particular device. It will work independent of the operating system, on any hardware which can boot a USB drive. The point is, we are trying to address the situation where you can be without your own hardware, and still do the needful. For example, this would be very useful for a sales guy, who needs to log in his sales numbers for the day. The scenario for a company now would involve giving him a tablet or PC to do it on the spot. With our solution, companies can spare a higher cost by allowing him to do it from any guest machine.
Can Windows To Go work on smartphones and tablets?
Goyal: There are two basic requirements for it to work. The device must have a USB port and it must be able to boot from the USB drive. Windows To Go was not designed as a solution for people who had second devices. It was designed as a solution for people who don't have a secondary device on them. For example, if a company wants to provide a corporate device for an employee, they have to invest in the device and many additional features for it. With Windows To Go, they can save costs by not having to provide a full blown hardware solution to everyone.
What are the security features in Windows To Go?
Goyal: The security features are going to be the same as the ones available on your primary device at work. If you have some passwords set up, or BitLocker encryption set up, the same policies will be applied on the image of the USB drive. The manageability of Windows To Go is also the same as your primary device, which means that the IT department can lock it or delete the data present, just like they can do with your office workstation. There is also no connection between the local hard disk of the system you are using and the Windows which is booted up. This means that whatever data is used is being used on a temporary basis, and work has to be committed to your office network to maintain its persistent state. However, the disconnect is also good for security as it ensures no viruses or malware can find their way across to your corporate network.
There are reports that say Windows To Go has no recovery mode! Won't this mean data might be lost unexpectedly?
Goyal: If you're working off the drive, the data will persist on the drive as long as the session is not shut down. If you're working off the company's shared folder, you should save it there first. However, the predominant situation we are looking at is to work on documents in the company network, so all the data gets saved back to the network. If the USB drive is unplugged for more than 60 seconds, it returns to its default natural state, and this is a security feature more than anything. It ensures that no leftover data remains on the host computer which could be vulnerable to hacking.
How many Windows To Go USB drives can be allocated in an enterprise?
Goyal: There are licensing requirements around that. For every license for Windows 8 Enterprise that the business has, they can produce one Windows To Go bootable drive. For example, a company with 500 licenses for Windows 8 Enterprise can get up to 500 Windows To Go USB sticks for employees.
From our interactions, Microsoft claims that Windows To Go will be an extremely valuable addition for their enterprise customers. While a bootable USB OS is not groundbreaking news, having a fully functional Windows 8 Enterprise version in your pocket could be invaluable for employees who need secured access to their enterprise networks from any host computer.