Webinar Recording

How to Prepare for BYOD (Bring Your Own Device)


Kuppinger Cole Webinar recording

Good afternoon, ladies and gentlemen, this is Tim Cole. Welcome to our webinar on how to be well prepared for BYOD, which in industry parlance is the abbreviation for bring your own device, but smart-ass people have actually translated it into bring your own disaster, which brings us very quickly to the meat of the entire discussion. We want to explore in this webcast whether BYOD is, in fact, a nightmare in the making or a productivity tool. How can we make it secure? How can we make it more productive? If I could have the next slide, please? Yes, I will be the moderator. I am one of the two of the three co-founders of KuppingerCole and the Cole in the name. I am currently head of the North America organization. We recently opened an office in North America. I will be joined by my alter ego, Martin Kuppinger, the other half of the name.
He is our lead analyst, and I'm very happy to greet Craig Burton, who recently joined us as distinguished analyst. Craig is joining us from Salt Lake City, Martin from Stuttgart, and I'm in Munich. I would just like to do some housekeeping first. The webcast will be recorded and will be put online on our webcast tomorrow as a podcast. So if you miss something, want to check, please feel free to do so. We also invite questions. I will add a formal Q&A session at the end of this session. But if you have any questions you want to ask first, there is a chat function on your GoToMeeting set screen, and feel free to introduce your subjects and your questions at any time. Possibly a couple of words first. Mobile workers have been an IT concern for decades.
They've been using PDAs, pagers, notebooks for years. There's an entire cottage industry that's sprung up to figure out how to support them. But the smartphone revolution of the last couple of years has really changed how mobile workers operate. I was recently talking with a vendor from the States who said this very goodly: the laptop is the new desktop, and the smartphone and the iPad is the new laptop. So yes, the scenario is changing. The landscape is changing, and much to the chagrin of many IT departments, because they would, of course, like to be able to force a particular set of mobile solutions on the workforce, but employees are not buying that. They are bringing their own. And that was one of the big subjects at our recently concluded European Identity Conference, where we talked about this in great detail. There is a survey by the Aberdeen Group stating that 75% of enterprises now have bring your own device policies in place. How successful or unsuccessful, that will be something we would like to discuss today.
Agreeably, this can have huge benefits for productivity, as more employees decide to stay connected away from the workplace. It also lowers support costs, as employees log on with relatively simple devices they already know how to use, rather than the more complicated laptops that require patching and everything. However, it also opens new scenarios of threat dangers that we did not have before in a tightly controlled IT security environment. And so I think we have ample subject matter to talk about. If I could have the next slide, please. There are a couple of basic questions to ask, such as who pays for the device, who owns the device, who can manage the device, et cetera, et cetera. And we will go into these in detail, but I would like to start out, Martin, with asking you the question: is BYOD in fact a disaster, or is it something that we should be enthusiastic about?
I don't think that we should be enthusiastic about it. The question is, has it to be a disaster, or how can we avoid the disaster? So I'm not enthusiastic about bring your own device, given that I'm more the guy who likes a very controlled environment. However, I'm also a pragmatic guy, which means if you think about things like bring your own device, I don't think that there's any value in fighting against something where you're fighting a war you definitely have lost. So I think it's about accepting that bring your own device is increasingly a fact. You have to deal with it. And then your trouble is to avoid the disaster by doing bring your own device. Right? I think that's really the point which is important. If you don't have it, okay, fine. If you have it, then it's about how to best deal with it and how to ensure that your corporate information isn't at a higher risk than it has been before, and is only at the risk you can accept. I think that's what it is about.
Craig, maybe you can add your experience. I mean, you talk with the IT people all the time. Are they potentially worried? And are they sort of wishing the old days were back, when they had complete control and they could tell the employees what to use?
Well, there are some that wish that, and there are those who are sort of in the middle and saying, like Martin, that they're pragmatic: I hate the things, but I have to do something, I may as well let 'em in. And then there's the extreme like me. And I say, go Anar that, that letting the employee do this and embracing it and figuring out how to protect your data instead of worrying about the device is the approach to take. And in doing that, you know, this reminds me so much of the days when the LAN and before the internet, where I'd be standing at a conference and I'd listen to these IT guys saying, man, those PCs, we gotta stop 'em there. We can't let any more PCs in. We can't control 'em. And it's just not gonna happen. May as well figure out how to deal with it.
Yeah. And I think that's basically the same thing. In my mind, even while you are probably more enthusiastic than me, what we have to do at the end, it's the same. It's about
Yes.
And I think you've put, you've brought a very important point up. It's about not thinking anymore how to manage and control and protect the device, but how to protect our corporate information.
Right.
And how do you, what is the secret sauce? How can you actually make the data secure and still let the people play with whatever toy they want?
If it were one answer, one simple answer, then it would be probably the real great answer. I wouldn't sit here being only analyst, but would've founded my own company, which then would be the multi-billion-dollar company providing the single tool to do this. Unfortunately, it's not as easy. What I always say is, the first thing is you need to understand which requirements for protection of information you have, depending on the types of the devices or the classes of the device and the classes of information. So there are things that are relatively low risk and other things which have a higher risk. I think that's important, to at least at a coarse-grained level understand this. You do not necessarily need to end up with some multi-man-year project on doing this, but I think you need some understanding.
And then we have a lot of different options to do this, which means we can use some secure web access. We can use desktop virtualization. We can use tools which manage only the relevant portions, like corporate email on the smartphones, and other things. So it's about then deciding on how do we deal with these things. So it's not a single answer. There are several things, but I think the very first thing is to understand what information are we dealing with, or are the users dealing with, and what are the requirements to protect this information? And there might be situations where you say, okay, that type of information has higher requirements. I need a special app, or I need my employees, if they want to use this information, to install a specific piece of software, or they are trust that allowed to do this, or use this specific piece of information using inherently insecure devices, like virtually all smartphones. So I think it's really a little bit more complex answer.
To that. We're saying that you wanna protect the data. At the same time, it's good to have an understanding about the platforms that we're talking about. And we're talking about mobile devices and handheld computers. We're really talking about two platforms. I think one is the iOS from Apple and the other is Android. And one of the things that Apple has done right, for example, with email is, as Martin brought up, that email is encrypted on the iPhone and the iPad. And if someone tries to get into that device, a password set and they do it too many times, you can actually set it so that it automatically deletes everything on that device. Whereas with the Android, Google has been a little slower in providing the protection on the remote device than Apple. So you don't even have the choice to encrypt the data in your email on your Android device until Android 3.0. So, you know, you should be aware that if your employees have an Android device, their email isn't encrypted until they move to Android version three, but they are on the iPhone. And as far as Windows goes, I don't even know. So at least on those two, that's the circumstance.
Yeah. But, but I, I wouldn't limit it to iOS. And I think that pretty,
But I'd say those are, those are the two biggest,
Yeah, I would say the third big one is still classical Windows on the notebooks.
So because these are also devices which you have to look at, or even desktop computers by people working sometimes from home and so on. So I think if you look at it, you should also add this part, this type of devices there, but you're right. If you look at the mobile devices, it's mainly about Android and about iOS, but there might be others over time. You never know in this very quickly moving market. So what you're doing should always be, let's say, ready to support other types of operating systems, other types of devices, because who of us knows which will be the device of choice some three or four years from now? If you go back some three or four years, we probably wouldn't have expected half of the people running around with iPads.
IT people worry about lack of control. Is there some way of controlling what actually goes on, monitoring devices, making sure that they have certain patches and apps installed? Is there anything we can recommend there?
For laptops or mobile devices or both?
Well, a laptop is a mobile device. That's the problem. Of course, when we say mobile device, we are talking laptops, smartphones, pads, anything that people want to bring, anything they use.
Well, I was referring more, I guess, to the handheld, the iOS and Android versus Windows or Mac, you know, one. So maybe that's how we would refer to them, as something with a PC operating system versus a handheld operating system.
Well, it's bring your own device. If I wanna bring a BlackBerry or something else or even, oh, God forbid, a Nokia, nobody's gonna be able to stop me.
You got it.
The question was, is there any way, do you think that development will proceed in a direction that will reestablish at least a certain degree of control over what goes on with a mobile device? And what would the approach be that we would have to use there? Would it be monitoring of application and device security, making sure that the right patches are installed? You can do that remotely. Should that be something that IT people are concerned about?
I think there are different types of doing these things. So when I look at the classical, the bigger mobile devices, so the notebooks and everything above notebooks, so it could be an own device which is not mobile, could also be a desktop computer in that case, I think that when it comes to managing these things, desktop virtualization technology is probably the choice of many organizations, because you then provide the corporate desktop as a virtual machine to the employees. And then you have a relatively high amount of control about this thing. And then it mainly depends on the security, if someone is able to sort of attack these virtualized environments, these virtualized desktops. If you look at the entire smartphone and, let's say, related technologies like the tablets based on Android or on iOS or other things, then I see different things.
So there are vendors out there which provide management tools and management technology for heterogeneous environments. They're supporting virtually all of the M and even some of the not that relevant operating systems for mobile devices, like a company, MobileIron, which has such technologies, which then can, for example, actively manage only the corporate email, but doesn't touch I things, which also could show the information about what is managed and what not to the end user. So for privacy reasons, you could also think about just saying, okay, you use simple web access, or you could also start creating own apps. So in some cases, if you have sensitive things, it might be the best way to say, okay, I build an own app, which also might lead to a limitation of the appropriate device then, because say, okay, I offered the app only for, let's say iOS mantra between the flexibility of your employees for bring your own device. Selections are somewhat limited. So there are different ways to do it. And I think that the question is always, if you say, okay, allow the people to bring devices, shall I start struggling with them about what can I manage or not? Or will I try to use only approaches which I fully have under control? So my virtual desktops, I have them under control to a very high degree.
If I have my own apps, I have a relatively high level of control. When I do web applications, which can be access, then it's a little bit different, because I don't know what are the process settings. So if I use access, like some based access or other things to my email servers, things are again pretty different, because then I have even less control. So I think it's always about, again, what I've said at the beginning, balancing what are my protection needs, and is it worth to have discussions? And in some cases I might say, okay, you might use this access path, but only if you accept that level of management.
It appears to me that whenever we talk about technical protection on the device side, we wind up with sort of a bring your own device, but only if I allowed this device, kinda strategy. You can build apps for Android. But what about iPhone? Apple won't allow you to just simply build apps. So possibly
Actually, Apple will let you build a corporate app and have that only for the company and give you a license to let you do that. So
First they want to see it and approve it and all that. I mean, that's a completely different subject. No, but I was just going to suggest that maybe this if you can't beat them, join them approach that Martin was talking about at the beginning is probably the right idea. Sort of forget the devices. You're gonna have to live with that anyway. Start protecting your data in an intelligent fashion. And at KuppingerCole in the past, our advice has always been to start out by sort of doing a security review, an analysis of your data, and finding out what actually do we have to protect and what possibly do we not have to protect because it's public information anyway. That always sounds like the field to do your homework before you start. Is that appropriate here too, Martin? Possibly. That's been one of your pet subjects in the past. Maybe you'd like to expand on that.
So, information protection. I think that the plan is that we are technology-wise, in most cases, not good enough today in really protecting the information itself. So if you look at the state of enterprise rights management, other things, we don't have the clients on, for example, the smartphones to work with M protected information, not to speak about email. And I seeing some, I think that's a problem occurs. We are not good enough in doing these things today. So we really have to think about what are, let's say, sort of the workarounds, like desktop virtualization and other things we can use.
Great. What are your feelings?
Yeah, I think, you know, for me, it always goes back to not just where your data is stored, but under what namespace. And when I say namespace, it's the access and control infrastructure around that data. And so when you're evaluating that, as you've already pointed out, you wanna look at trying to consolidate those and make it easy and have as much namespace single sign-on and federation that you can get to, to make sure that nothing slips through the cracks by letting someone who shouldn't have access to a
Does bring your own device mean that IT departments have to fundamentally change the way they go about their business? Is this a real pivotal moment in the history of IT, or is it just another annoying bug that we have to fix?
I think that it's not a fundamental shift. It's sort of, IT departments for a long time have been focusing on device security team. It's right now more focusing on information security. As far as you can focus on information security, besides it's more focusing on, let's say I would call it application security, so I can secure my applications or maybe my desktop environment. So the device itself isn't at the center anymore, but you still have to manage things. You still have to find ways. And so I wouldn't say that it fundamentally changed the way IT departments have to act. I think they have to accept some more, let's say, openness, or whatever you would call it, in their environment, some more heterogeneity, but that's like Craig said before, that's not a new thing. If you go back, when did I buy my first IBM PC?
I think it was right around about 90, 85. Yeah. Okay. There, the same thing happened then. And so it's really not a new thing which happens here. It's just, let's say, the next step in a longum. Yeah. And I think the point is really, the most important learning is, the approach to security wise probably is another one which works in the future, but it doesn't mean that IT doesn't have to care centrally about how can we protect our information. However, I've never been, let's say, a big friend of saying, if I protect the specific IP device, IP address, then I have done my things in security. I think the work always has been more complex, and protecting the device never, ever has been the very best choice to do IT security.
What do you think about the management tools that are already existing that IT professionals can use? I mean, you need to be able to do things like enforcing strong passwords and wiping data from lost devices, obviously, but in the past, you know, the management solutions for mobile devices have usually been provided by the mobile device manufacturers themselves, RIM or Microsoft or whoever. In the recent months we have seen vendors like Symantec and Zenprise and AirWatch all of a sudden entering the market with what they are at least claiming are very strong management tools for device security. What should IT departments do? Just use the stuff that the vendors are giving them, or should we be looking at third-party solutions?
Third party, simply because if you want to manage a heterogeneous environment, you can't do it efficiently with a lot of different single-vendor tools. You will end up with a too complex solution. There are several vendors. You mentioned some, I've mentioned MobileIron before, which are providing solutions. Unfortunately, and that's an interesting discussion I had with one of these vendors just yesterday evening, what I'd like to see is a solution which drives me to manage the things regardless of what type of device they are on. So currently it's a little bit about, I have done one thing in this case, I have one thing which helps me to manage my mobile devices, or to manage my smartphones, say it like this, and one which helps me to manage the rest of my mobile devices, so my laptops, and then other things. I still have at least two large management environments.
That's a little bit of a problem. And so I think what I like to see would be sort of something which says, okay, I have business rules, I have rules for all these things, which I apply to different types of devices, because, let's say, wiping a system after closing the application which accesses the corporate email, that could be done on any type of device. The rule is the same, the execution is different, but I'd like to have one tool. We are a good way away from that. But proprietary solutions for a specific type of device aren't the answer from my perspective.
Yeah. And I see it the same, Martin. You know, traditionally, third parties have always been a better place to go to get solutions without a sub-agenda. You know, their interests are for the customer, not in forcing the customer to buy more product from them as a vendor. And that's why I look for third parties like Symantec or LANDesk, who focus on the security business, would be great participants in providing solutions.
What can the user himself do on his device? Do we have to set up rules here that will sort of limit what I'm allowed to do on my own device, even though it's mine?
As far as what to access,
Can companies not to do something? Or is there any way that we could, you know, get the user involved in this business? Obviously he owns the device, and IT is gonna be hard pressed to actually enforce anything. But I mean, company guidelines have worked in the past. Do we need to set down rules for the use of your own device?
Hard to do. Yeah. You know, once again, what you need to do is just make sure that access to the data is through mechanisms that are familiar, usable, and secure, rather than trying to impinge the user to follow practices that, that they're not gonna do anyway.
Yeah. I think that's really the point. If you decide for allowing bring your own device, then you might be able to say, okay, for that type of application, if you want to use it, you have to accept some very specific and very limited, very focused control, but you will really not be able in that concept to gain full control over the devices. I think that's the fundamental issue. So if you accept to do bring your own device, you can't have those things. There is probably a good saying in American for that, but you can't have both of these things together. That's sort of mutually exclusive: either you do bring your own device and accept that these devices are relatively unmanaged, or they might be managed to some degree, but relatively unmanaged, or you don't do bring your own device. I think that's just the fact. You might like it or not, but it doesn't change anything if you like it or not, if you don't like it.
Okay. Before we hand over to the questions from our audience, I would like to at least raise one additional question. I mean, we're in Germany here after all. And Germans are always very concerned about the safety and legal aspects and privacy aspects of things like this. If I, in fact, were to institute tools that could remotely wipe my data off the phone that I own, so the corporate IT gets to do something on my phone, do you anticipate that we will run into legal problems there? If, you know, the company has a bring your own device policy, will the users have to sign off and agree that the employer gets to, for instance, wipe their device? And what happens in the case of litigation? Could we force our employees to turn over their devices that are privately owned because they contain information that we think could be crucial in front of a court of law?
Yeah, I think it's a little bit the same thing. Like if you look at the network access protection or network access or admission control, however you call it, there are several solutions out there which have been starting, for example, for externals who are accessing the internal network with their own notebooks. In that case, I think it has been basically the same decision. So it's about, can I do, for example, a system health check for these systems? Can I, let's say, fix things on these systems in case that I detect something? First part is usually doing things on systems you don't own. I'm not a lawyer, I'm not a legal person, but usually it's about, if you want to do this, you need the person to accept it. So you need some written thing around this, or at least some clear thing where the person accepts, okay, he's allowed to do the system check on my system. You can't do it without permission. That's the first part of it. The second part of it is, even if you're allowed to check, usually we won't have much abilities to do changes on these systems. So you end up more or less with a decision about yes and no.
Means, if he doesn't allow you to check the system, you can say, okay, I let him in anyway, or you're saying no, no access. And if he says, okay, check is allowed, but there's something wrong, you again can say yes, no. You might be a little bit more granular and say, okay, this, what I've detected, is relevant for that type of information, so I don't let him access that information, but only the other, let's say the less sensitive part of information. But you will end up with that sort of things. And by the way, another interesting question which could be discussed would be around who's responsible for support of the devices, and if something goes wrong, just bring your own device. Another question we haven't,
Can I take it to the corporate IT people and say fix it?
Yeah.
Probably not.
Probably not. Depends on who owns it. I think that's your, you know, some of the first questions you brought up that we didn't go very far into, you know, if the company owns it. Sure. You could, if
It's your own device, probably not. You're gonna have to take it back to the manufacturer. Yeah,
Yeah. But the problem for sure is that's also one of the things you have to consider as an IT department. I think again, pragmatic thing. From the, let's say, not enthusiastic bring your own device perspective, I would say, okay, if you're not able to use our corporate applications and information, that's their problem. Reality is you can't do it that way, because there will be probably some higher-level managers than others, which then say, yeah, it doesn't matter, care for it anyway. So you will have to think about how can you reduce potential problems. So you will have to provide guidelines on how to use specific types of corporate applications with specific types of mobile devices. And so you will end up with having to provide some support in reality, even if you don't like it.
Of course, this is actually a more overreaching topic, namely the question of what I like to call user-controlled identity management, where there are numerous vendors out there right now experimenting with systems which can sort of escalate the degree of security required to access certain information, based on the nature of the data itself. You might be able to get in with a username and password to very unsensitive data, but if you really want to get at the crown jewels, you have to add a second or third or fourth factor, like smart card or fingerprint or voice recognition or something like that. And then also the concept of having various sort of use cases that you can determine as a user, where you say, well, I want to do my home banking, and if I do it on the road, I only get to, you know, look at the balance, I don't get to do transactions, but if I'm at my office, I get to do all kinds of stuff. And my home office has different settings than my physical office in the company's headquarters. Is that possibly something that we could envision for the future of bring your own device, that we can actually have different scenarios, different security systems in place, depending on location and depending on the nature of the data we want to access?
Sure. Context-based authentication, authorization, context-based security. Yes, for sure.
But is that still very early days?
I think there are some interesting things out there, but it's still some way to go. Yes.
Yeah.
But if you look at some of the tools around risk-based authentication and authorization, there are technologies out there where you could do some things at least. And, but it's that let's say sort of out of the box technology.
Yeah. Okay. Well, we are running out of time here and I have a couple of questions that were posed by members of the audience. Actually, it's just one member of the audience and he is very diligent. Austin was, I hope I'm pronouncing it correctly. Sorry, Austin. He asks: are Nortel Secure Network Access, SNA, Cisco Network Admission Control, NAC, and Microsoft suitable for a bring your own device concept?
I could take this question
Somewhat limited, I would say, because if I look at Microsoft NAP, where I'm most familiar with, Microsoft NAP is focused in fact, as far as I have in mind, maybe they've made some enhancements, but focused mainly on Windows, desktop Windows, classical Windows operating system environments. So notebooks, desktops, Windows, and they leave a lot of other systems still unprotected. And so I think if you enhance such approaches, it could be very helpful to do the system health check across different types of devices. But from, let's say, the out-of-the-box state, I think more or less limited. From what I know, I didn't go into Nortel or Cisco for quite a while. I would have to check this. But the most important thing is they should work for every type of device you have, and you might have in the future.
Craig, do you have anything to add to that? I mean, you're very close to the people at Microsoft.
Yeah. I would agree. Microsoft, you know, stumbles, I think, a lot in the fact that they're so Windows-centric. I think both Symantec and Cisco are further ahead than Microsoft in their ability to control multiple devices and platforms, and actually Symantec more than Cisco. I think, you know, Cisco really tries to clamp down and prevent and isolate the unit before they bring it into the workplace. And that, you know, you get one executive who's isolated and that ends real quickly. That's probably all I have to add.
Austin asks actually a set of questions here that I think provide a very nice finishing touch for this webcast. He asked: but data mobility isn't a new problem with BYOD. Isn't it the unmanaged device that is the issue?
Yes. But we can't manage it. I think that's the answer, right? What we said before.
And he adds, and we need a way to control where these devices go and how to control data on them. I believe we can all agree on that.
Yes. But we are limited in what we can do. So we have mainly to control what happens, who can access our information in which way, and how can we limit it, in which cases do we need to do more. So I think the point is, real control for devices is something which is, what I said, mutually exclusive to the concept of bring your own device.
Okay. I think we can sort of wrap up by agreeing that BYOD does stand for bring your own device and not bring your own disaster. It's not a disaster in the making, but possibly some additional headaches for the IT people. But of course, they're used to that and used to finding ways to solve the problems. Some lines relatedly, let's hope we don't have to wait too long for the stuff, for the whole problem to be solved. I would like to thank my two participants here, my partners in crime, Martin Kuppinger and Craig Burton. And thanks to all of you out there that followed us, and especially thanks to Austin for his very useful questions. As I said, this webcast will be available at my tomorrow on our website, your com as a podcast. Thanks for listening and have a nice evening or morning, depending on what time zone you dial in from. Bye.
Thanks everybody. Thank you.