Bring Your Own Device (or “BYOD” for short) is another IT hype word making the rounds nowadays, but it isn’t really all that new. Many employees have been bringing their smartphones or iPads to work for quite some time now, with the company’s explicit or implicit consent – at least as long as access with such devices hasn’t been fully blocked. IT departments worry increasingly about how to control the proliferation of privately owned mobile devices, but they’re missing the real point.
Of course, many people have been using private devices professionally for years, ever since laptops started to replace corporate desktops. And yes, IT departments have been complaining ever since about the danger of losing control. Some tried to block all access, but in many cases the users have “won”. In fact, though, IT departments have proven quite adroit at reestablishing a tight grip on the IT environment in their enterprises, despite all the fuss about device anarchy.
But the new gaggle of gadgets from glitzy iPhones to sleek tablet PCs has created a new situation. As a rule, enterprises neither sanction such devices nor, often, even know they’re being used. But used they are, for everything from business emails to mobile access to corporate applications, unless IT simply blocks off all access from any but approved devices. And even then, top executives may simply order IT to open the system up so they can get in, regardless of consequences.
Increasingly, companies are bowing to the inevitable and officially allowing their people to carry unauthorized equipment around. And as is often the case, the U.S. is leading the parade. Tax laws actually encourage the proliferation of private devices, and enterprises frequently offer their employees incentives to buy and use whatever gadget catches their fancy.
Not that there is any lack of diversity (some say: chaos) in Europe, either. IT departments on this side of the Atlantic, too, are asking themselves how to avoid losing control. Unfortunately, good answers are hard to find.
Monitoring and maintaining a variety of different devices can be quite tricky for technical reasons, whether they are privately owned or provided by the company. However, privately owned devices cause the biggest headaches since there are limits to what device management functions the employer can impose. And of course apps are always a problem for IT security since they can be downloaded at will and are virtually impossible to control.
But there’s a bright side, too. Seeing it requires IT departments to first ask the right kind of questions. Like: forget the devices themselves; instead, why not focus on information security? It’s about the “I” in “IT” – not about the “T”.
The emphasis should be placed on protecting sensitive information and making sure it isn’t leaked. The tools for achieving this are authentication, encryption, and virtualization.
IT departments must face up to the fact that they will never be able to control the devices themselves. What they can do, and do well, is to control who gets to access certain pieces of information within their systems and to govern the situations and types of devices employees are allowed to use for that access. Context is king in today’s Information Security world, and there are more and more solutions available for controlling and monitoring that context during the process of authentication and authorization.
There is simply no way to maintain tight control over end devices, much less to stop BYOD from happening. If the boss wants to buy a fancy toy like an iPhone, pity the poor IT admin who tries to stop him.
Anything spent on trying to secure your employees’ mobile devices is money down the drain. Instead, investment should center on securing the information itself. Strategically, this provides the added benefit of avoiding stand-alone point solutions that usually turn out to be dead-end streets. Keeping information secure, no matter where or how users choose to gain access, is the true answer to the BYOD dilemma.