Though we’ve started to see a small bit of retrenchment from the most extreme examples, it’s clear the BYOD (Bring Your Own Device) phenomenon in the workplace is here to stay. Younger and older workers alike have become accustomed to using their own devices to do their work, particularly when it comes to smartphones and tablets, and IT departments continue to refine policies and procedures to adjust to this new reality.
But one of the remaining debates within BYOD is determining what, exactly, IT needs to manage. Traditionally, IT focused on the management of the physical device, especially with PCs, doing everything from tracking the actual location and status of corporate-owned PCs, to ensuring all the latest OS, anti-malware and application patches were installed. BYOD adds several new twists to that equation, however, with a significantly wider range of device types and platforms to support, as well as potential differences in ownership. Toss in the increased mobility of many BYOD devices, and the growing usage of all devices for personal applications and you have the recipe for a very messy situation.
Not surprisingly, many IT departments, and vendors serving those communities, initially fell back on the types of solutions they were comfortable with: tight management of the device and everything on it. Large numbers of companies built MDM (mobile device management) solutions to essentially bring the kind of strict management policies commonly associated with PCs to the world of smartphones and tablets.
But several problems popped up fairly quickly. First, people change their smartphones and tablets more often than they do their PCs, making it virtually impossible on any given day for a corporate IT department to really know what types of devices were walking in and out of their doors (let alone what kind of information was getting copied onto those devices). Second, the need for more granular control became readily apparent. The notion of remotely wiping devices of all data on them—particularly those that may have been purchased by the employee—surprisingly (cough, cough) did not sit well with most people. In addition, many employees discovered they could use other types of mobile applications to open, edit and/or use their work-related data, making the range of applications in use tremendously more varied than it had ever been. This situation also created the need for yet another type of management tool: MAM (mobile application management). Topping things off is the fact employees have now become much savvier about how to work around any limitations IT might impose.
The end result is the somewhat chaotic mess we find ourselves in today. In fact, things have gotten so out of control in some environments, there are increasing reports of companies starting to reign in at least some of the BYOD freedoms they previously doled out to their employees. After numerous refinements to existing tools and a multitude of new products and concepts—including the appealing idea of separate work and personal “containers”, each of which can be separately accessed and managed—things do seem to be moving in a better direction.
I would argue however, that the real problem stems from looking at this challenge from the wrong direction—at several different levels. Instead of looking from inside IT out to these devices, the real answer is looking inward from the individual employees and whatever set of devices they happen to be using at a given time, to the corporate data and applications rightfully controlled by IT. The keys to the kingdom, so to speak, are access to the data and applications employees need to get their work done. By essentially assigning different “keys” to different levels of data and access, and then doling out those “keys” to the appropriate people, IT can focus specifically on the assets they really need to manage, while still giving the freedom to employees to use whatever devices they want in order to get their work done.[pullquote]The keys to the kingdom, so to speak, are access to the data and applications that employees need to get their work done.”[/pullquote]
Both vendors and IT have quickly learned that adding friction to a process employees feel they need to be productive is an open invitation for those employees to work around them. So, rather than creating unnecessary and unproductive tension between employees and IT, both solutions vendors and IT departments need to create solutions that keep things clear to everyone — it’s not about the devices, it’s about the data.
Bob, if an employee brings in a computer of their own and that person is given a “key” to proprietary company data, is that person allowed to copy the data to their own computer? You can see why I’m asking…they could walk out the door with it. If they’re not allowed to copy it, I assume the data would be like “in the cloud” and the person would do their work that way.
It varies tremendously by company. Most companies do allow active employees to have access to their data across a wide range of devices–either company bought or self-bought–so the answer would be yes. The concept of syncing it back to the cloud is a logical one and companies like DropBox, Box and others (as well as Apple, Google and Microsoft) are all actively pursuing that, but actually enforcing that is still a pretty murky area.
But are employees allowed to walk out the front door with sensitive company data? If not, how does the company prevent it?
In many cases, yes, they are. Some companies leave things wide open, some encrypt files, some only permit access from fixed devices (e.g., desktops or thin clients) from within their organization, etc. But you’re hitting on one of the key questions that plague organizations who are trying to deal with BYOD issues.
What about organizations which have to prove the integrity of their data management, and protection of personal privacy of their client base? One of the big issues with a personal device may be loss or theft, and exposure of personal information to inappropriate viewers. Does this mean you end up doing everything through a web app, so the data is ephemerally present on the device? Seems that reduces the supposed value of the BYOD.
Bob, Spot on. Way to many corporate IT departments are still thinking of the world as it existed in the 1990’s and 2000’s where you had to lock down users desktops because Windows is such a security nightmare that the only way you could keep your business working with minimal downtime on any system was to control it with an iron fist and treat your users like children. Things are different now and at least with iOS you do not need the same levels of control expressly if it is a device that the employee purchased with their own money. It really now is all about the data and not so much about the hardware and software. Control the data and the rest will sort it self out.
I tell companies they should focus on hiring quality employees and empowering them, as well as giving them pointers to best practices and tools that protect against malicious entities.
A determined employee can always steal data. Nothing can stop someone from taking a snapshot or video of the screen and running OCR on it. There’s always pencil and paper, silly putty, outright physical theft.
Trust your employees; treat them well; keep them as long as you can; verify as appropriate, with polygraphs and rewards for whistle blowers.
As intelligence agencies have noted, the threat of a regular polygraph for an employee who is happy about his position and intelligent is almost as good as having armed guards, but much cheaper. The biggest problem is employees who aren’t smart enough to understand how information might be compromised, and those who are apathetic about your company’s security concerns.
How can it be that you live under the threat of a regular polygraph test and be happy at the same time? I can only fathom it if it involves states secrets.
It takes all kinds, I suppose.
I get poly’d every 6 months because of particular work we do. They always include questions like “Have you been less than vigilant in protecting XXX data?” In a way, it’s a relief because my conscience is clean walking out of the exam and I know it, and everybody knows it.
Now, if I were doing bad things with the data I have access to, I would have left the country and pulled a Snowden by now…(nervous laughter)
Good post! We will be linking to this particularly great post on our site. Keep up the great writing
very satisfying in terms of information thank you very much.
This was beautiful Admin. Thank you for your reflections.