For the past few years BYOD – Bring Your Own Device – has been a hot topic, often leading to shouting matches between IT and users who want to use their own mobile devices to access corporate assets. Lately, it has broadened into a more generic “BYO” (Bring Your Own) theme: the aforementioned D (device), but also A (apps), I (identity) and P (platform), as well as countless other variants churned out by vendors’ marketing machines.
In fact, little of this is new. Over 30 years ago users were bringing their own device (PCs) and apps (Visicalc, Lotus 1-2-3, etc.) into the office for better control over the corporate data. And IT (called IS, or Information Services in those days) was just as irate then.
IS lost that fight then; IT is losing it now. IT is always going to lose these fights.
Departments that generate revenue (sales, marketing, etc.) are always going to have more clout than those seen as a cost center, such as IT. Clients and customers will always have their issues addressed, no matter what IT says. Some issues, such as compliance (with a risk of fines or jail for senior execs) or security (with its risk of loss to both assets and reputation) can provide a temporary boost for IT’s arguments but, in the end, revenue and customer service will win out.
The rise of smart mobile devices, the coming dominance of cloud computing, the Internet of Everything and Everyone (IOEE) and ubiquitous published APIs for access to all those things require different thinking on the part of IT.
Too often IT thinks in terms of fighting “the last war”: it wants to build “bigger and better” firewalls without realizing that getting around a firewall is child’s play these days.
Instead, IT should concentrate on providing platforms that most people can reach, and on Access Control (AC): the means of Authentication and Authorization that give the right people the right access to corporate data at the right time and place, whether they are employees, contractors, vendors, clients, customers or partners. Dynamic Access Control and Attribute-based Access Control (see Leadership Compass: Dynamic Authorization Management - 70966) and Context- and Risk-based Access Control (see Getting the security you need) are where IT’s effort belongs.
Traditionally, IT liked (and in many cases, still likes) to provide static AC – network login accounts with hard to change attributes, permissions based on Access Control Lists (ACLs) that are also difficult to keep updated and firewalls with hard-and-fast rules for who (and what) can pass through. Spending time with those things is like trying to design better buggy whips for automobiles.
When properly implemented, RiskBAC (Risk-Based Access Control) collects context data from the transaction (Who, What, When, Where, Why, Which, How) and then takes one of three actions:
- Approve authentication;
- Deny authentication;
- Request further authentication factors.
If the authentication is approved, the RiskBAC system assigns – or causes to be assigned – authorizations dynamically, consistent with the risk associated with the authentication and its context. If the authentication is not approved, a different reaction can follow, depending on the perceived threat.
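A minimal decision engine of the kind the paragraphs above describe, as an added example (not code from the article or from KuppingerCole): it collects a few of the context signals, scores them, returns one of the three authentication outcomes, and grades the authorizations by the residual risk. The field names, weights and thresholds are illustrative assumptions, not a standard.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    STEP_UP = "request further factors"

@dataclass
class Context:
    who: str             # subject identity
    what: str            # resource requested
    where: str           # client country code
    hour: int            # local hour of the request, 0-23
    how: str             # device posture: "managed", "byod" or "unknown"
    factors: int = 1     # authentication factors already satisfied

HOME_COUNTRIES = {"DE", "US"}          # assumed "normal" locations
SENSITIVE = {"payroll", "source-code"}  # assumed high-value resources

def risk_score(ctx: Context) -> int:
    """Weighted sum of context signals; weights are illustrative only."""
    score = 0
    score += 30 if ctx.where not in HOME_COUNTRIES else 0
    score += {"managed": 0, "byod": 15, "unknown": 35}.get(ctx.how, 35)
    score += 15 if ctx.hour < 6 or ctx.hour > 22 else 0
    score += 20 if ctx.what in SENSITIVE else 0
    return score

def authenticate(ctx: Context) -> Decision:
    """The three RiskBAC outcomes: approve, deny, or ask for more factors."""
    score = risk_score(ctx)
    if score >= 70:
        return Decision.DENY
    if score >= 30 and ctx.factors < 2:
        return Decision.STEP_UP
    return Decision.APPROVE

def authorize(ctx: Context) -> set[str]:
    """Authorizations graded by residual risk; nothing unless approved."""
    if authenticate(ctx) is not Decision.APPROVE:
        return set()
    perms = {"read"}
    score = risk_score(ctx)
    if score < 30:
        perms.add("write")
    if score == 0 and ctx.how == "managed":
        perms.add("admin")
    return perms
```

Satisfying a second factor turns a step-up into an approval, but the extra risk still caps the permissions that follow.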
For now, we recommend that you define a BYOx strategy that is open but risk-based, allowing graded access based on the level of trust and risk. This is where risk- and context-based, versatile authentication and authorization come into play. We cannot overstress the importance of hybrid solutions that account for all platforms, even those not yet delivered. And, while it is often overlooked, such a strategy should offer your users choices that are better – perhaps more integrated with the enterprise – than those available as BYOA.
This article originally appeared in the KuppingerCole Analysts' View newsletter.