Forrester Research says three out of every four employees want to use their personal mobile devices at the workplace. While this may not be such a bad idea (it may, in fact, help cut costs), many companies are beginning to see the hidden security costs. Here we discuss how companies can reconcile the demands of employees with the needs of enterprise security.
Define the limits of 'open' content
NARESH NAGARAJAN,
Senior VP, Enterprise Transformation Services, HCL Technologies
Bring Your Own Device (BYOD) has different connotations in terms of how the overall industry understands it as a practice, and how those closer to the subject and its actual implementation understand it. It doesn't mean just bringing your own device to work; it is more about organisation workflows, security solutions and policies.
There are four towers for managing mobility: The first pertains to the device and policy. Some standardisation is required in that regard. Next, draw out a two-fold security policy, addressing corporate and regulatory security concerns. The device itself should be secured to ensure there are no risks to any data. Define the limits of the content that can be rendered 'open' and make provisions for check-in and check-out services. There must be some level of compliance each time the user moves in and out of the corporate networks.
Companies are often wary of the regulatory challenges required for a BYOD policy. There are complexities with regard to the kind of information that can be displayed. For example, a medical professional may have access to patient history and data that cannot be shared or shown to anyone else. Also, as devices move across geographies, laws governing data sharing will change. The BYOD policy must factor in this possibility.
Aim for a granular access policy
Geo-Lead, Borderless Networks (Sales), Cisco India & SAARC
In terms of adoption, clients leaning heavily on technology in their business have obviously been the first ones to shift gears. But as far as applicability goes, BYOD is really for everyone. We notice, however, that mid-sized clients are more receptive to the practice. They have been quicker in noticing the business value in allowing employees to bring their own devices in the workplace.
With increased mobility and productivity requirements, mobile devices are becoming more powerful. Take businesses that require multiple approvals. A decision maker can speed up the process even while she is on the move so that transactions may be closed as soon as possible.
However, CIOs may not be very keen on putting the idea into practice. Since BYOD translates to supporting many more devices, this means an additional burden on their networks. So if IT budgets are not rising, CIOs will not be in a position to set up the infrastructure.
But then there is no getting away from it. Each employee today has at least two to three personal devices. These devices may be moving in and out of your networks, nonetheless. You need to, therefore, put in place network infrastructure intelligence that helps you detect which devices are strictly for personal usage and which can overlap in their usage.
The multi-screen environment poses a problem to the IT teams who cannot keep track of each device individually. The username-password regime, for example, can be flawed in this situation, as the same account can be accessed from multiple devices. Organisations must work towards a more granular access policy. Employees can access all the reports and data via their iPads while within the corporate network. But as soon as they step out of it, their access is restricted. Or restrict the number of devices that one can use for the same login details. Companies need to have additional controls in place for the type of devices and their location.
Protect data with desktop virtualisation
Director, IT, Citrix India
The benefit of BYOD is employee satisfaction and the smiles you'll see on people's faces at the prospect of using just one device for personal as well as professional use. From an IT standpoint, the number of breaks, and thereby fixes needed, has come down considerably. Employees feel more responsible for any hardware failure and take requisite care.
We first introduced BYOD as a practice in our company about four years ago. A pilot study was first conducted to test the waters. Questions about how the IT team can best support those members of the staff who opted for BYOD were addressed. We tried to maintain some parity in terms of our policies related to corporate devices and BYOD. For instance, we get employees to sign a declaration for corporate devices saying they won't install any illegal software therein.
We don't have any specification with regard to the operating system. Desktop virtualisation can be used with most operating systems. This also ensures that any corporate data stays within the virtualised environment. In case employees are moving between devices, the virtualised desktop can be locked down on request to avoid any download to the local desktop. Would-be practitioners of BYOD should bear in mind that employees move between devices regularly. We offer a stipend of $2,100 (taxable) to employees opting for BYOD, which is valid for three years. We encourage them to get products with a warranty that covers this period. We also keep standby devices for employees who may not have one for an extended period.
Secure the devices from malware
Managing Director, McAfee India & SAARC
The conversation around BYOD started about four years ago within organisations and has come a long way since then. Companies are less apprehensive today about opening the enterprise up to unknown devices. BYOD is more a human resource issue than an information technology issue.
The entire discussion on BYOD from an organisation standpoint centres on one question: what do I 'allow' and what do I not? It is a common misconception that allowing users to access their company emails on their own devices means opening up the company's networks. BYOD goes beyond that, making numerous enterprise resource planning solutions available on personal devices.
This is a good point to begin for companies looking at introducing a BYOD option: define the boundaries. What are the functions that you want to offer to your employee on her personal device, and what are the ones that you would want to restrict to organisational devices only? This is important as, based on the boundaries you set, you can proceed to secure the devices. Since with BYOD, enterprise applications and personal applications run on the same devices, one needs to secure 'containers' (meaning devices).
Get out of the mode of standardisation of devices. Of course, some standard requirements will have to be fulfilled, with devices conforming to a specific level of functionality. Organisations must be prepared to manage varying devices. A list of acceptable devices, possibly not too restricted and at the same time not too vast, could help.