Thoughts on BYOD
Dec 12, 2013
One of the current flavours of the month for IT (or at least for IT journalists and pundits) is Bring Your Own Device (BYOD). This concept involves employees using and provisioning their own computing devices (e.g. smartphones & tablets) for the workplace. Colleagues of mine have suggested that as BYOD becomes more popular, employers would no longer have to supply their workers with computing hardware; instead, the employees would provide their own devices. In another recent blog post on the CSfD website, Stephen referred to BYOD as ‘Bring Your Own Destruction’, referring to the security and network management problems IT departments are going to face as BYOD becomes more mainstream.
Will BYOD revolutionise the way hardware is purchased, supplied and managed? Will employees choose which devices (phones, tablets, laptops etc.) they want to use for work; and then also use the same equipment for their personal use? Or will employers limit and control the use of personal devices on the company network, and continue to dictate what equipment can be used by employees?
Whilst at the recent IPExpo, I attended seminars concerning the use and security of BYOD and I was surprised to learn how much people are already using their own devices for work purposes. Whilst I fully expected a large number of people to be using their own mobile phone, there are nearly as many using their own tablet computers. One quoted survey result even had 70% of those canvassed using their own laptops (at least occasionally) for work.
The main problems companies face (and this is not just their IT departments) when choosing to allow/adopt BYOD, are security and cost. With no control over which devices are used or how data is communicated to personal devices, there is a risk that confidential data could be leaked (or syphoned by malware). So the use of BYOD requires some form of control or security.
One method of controlling BYOD security is MDM (Mobile Device Management), which uses a ‘must have’ security application that has to be installed on a device before it can connect to the company network. This acts as a security suite and enforcer of best practice on the device and user. Quoted as ‘disliked’ by 77% of users, it’s not a popular option, although it is the main method currently in use and is still the most favoured method.
The second method, while still requiring an application on the mobile device, doesn’t care what else is installed on the device or how the device is used, except when it comes to communicating with the company network. We see this now with VPN applications carrying out a ‘posture assessment’ phase as part of establishing a connection to the company network. These applications from network vendors like Cisco concern themselves with communication encryption and detection of abnormal communication. The software filters the communication, while at the company end of the connection policies restrict what information is allowed to be sent to or displayed on the device. When done correctly, no company data is stored on the device, only displayed. In theory this can allow a severely compromised device to still communicate with the company network in safety (at least for the company). In practice I’m sure that it’s easily possible for another application to capture screenshots of data with little trouble, as applications like Snap Save have proven.
Where BYOD has been taken up quickly, it’s also becoming clear to users that they are supplying their own devices for work use (and therefore indirectly for the benefit of their employers) whilst paying the upfront costs such as purchase price and monthly contracts themselves. Some employees will no doubt accept some of the cost they will have to meet for the flexibility it gives them, but others may well be put off by this idea. Meanwhile, companies will hope to offset the higher management costs by reducing capital expenditure on hardware.
The cost per head of setting up and maintaining the infrastructure to support BYOD means that it becomes cost efficient only with a larger number of users. For smaller companies other alternatives can be found. One such alternative is COPE (Corporately Owned Personally Enabled) devices, i.e. the company buys the devices and effectively uses MDM to manage them, but the user can use the device for personal use as well (as long as the MDM allows). But this is not a new idea in reality, just the extension of the company-supplied mobile phone.
Chris Toms – Technical Developer for CSfD www.csfd.com