The technologies for securing access to business information and systems from personal devices are becoming very capable, and they are developing very rapidly. These should be taking away the fear of ‘Bring Your Own Device’, which is still surprisingly common among ICT teams, and allow us to embrace a change which gives us the opportunity to provide a much more user-focused experience without compromising the safety of our organisations’ information. Actually, I think this will improve security too.
Firstly, I have no intention of allowing an unsecured device to connect into our secure networks. The focus for BYOD has to be on delivering information securely beyond the network, not opening the doors to all manner of unmanaged threats — that would be daft!
But I also genuinely don’t believe that managing a personal device as you would a corporate device is a viable BYOD proposition. Nor do I believe that it’s necessary given the technology capabilities available and the right policy and practices (I recently blogged some thoughts about how the traditional business and ICT relationship for security needs to be rebalanced here: https://bytherye.com/2013/08/28/does-ict-need-a-manifesto/). Indeed, I think that BYOD could actually increase the safety of information as it will reduce the likelihood of users doing really silly things such as losing sensitive paper documents and emailing inappropriate information to personal addresses. Evidence from the Information Commissioner shows that these are by far and away the most common reasons for information incidents (http://www.ico.org.uk/enforcement/trends).
Councils have had close to 50% of their budgets cut and we have to work much more closely with communities and a wider range of partners to help bridge the gap. We need to meet the BYOD challenge or ICT will be creating expensive barriers to achieving those business goals (for example, community groups are unlikely to be willing or able to pay a large ‘IT tariff’ just to have a council device so that they can work with us, and you can’t manage a device with two different Mobile Device Management services — which is important where partners need to use their own managed corporate devices to work with us).
The main mobile platforms have been making major leaps forward in addressing concerns about security, and tools we already have available can help us to make this work.
Mobile Device Management providers such as AirWatch (http://www.air-watch.com/solutions/bring-your-own-device-byod) can provide the ability to implement sufficient controls and, where needed, lock business information safely away in a secure container.
We even have very powerful tools available within our existing email services, which again allow us to make sure that appropriate protection is in place if we allow access to our corporate email from a personal device. These include requiring a passcode lock, wiping the device after a certain number of failed password attempts, remote wipe for devices which are lost or stolen, limiting the amount of email which gets sent to the device (for example, seven days’ worth is quite sufficient for users to get a big productivity gain while also significantly limiting the amount of data which is sent to the device), encrypting the device and managing how attachments are handled. For detail of some of these capabilities check out these links:
Microsoft Exchange ActiveSync: http://technet.microsoft.com/en-us/library/bb123484(v=exchg.141).aspx
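As an added illustration (not part of the original post), the controls listed above map onto an Exchange ActiveSync mailbox policy roughly as follows in the Exchange 2010 Management Shell, the version the link above documents. The policy name, the mailbox address, the failed-attempt count and the attachment size are assumptions chosen for the example.

```powershell
# Added example: Exchange 2010 Management Shell.
$policyName = 'BYOD-Baseline'       # assumed policy name
$mailbox    = 'user@example.org'    # hypothetical mailbox

$settings = @{
    Name                            = $policyName
    # Require a passcode lock on the device.
    DevicePasswordEnabled           = $true
    # Device wipes itself after this many wrong passcodes (8 is an assumed value).
    MaxDevicePasswordFailedAttempts = 8
    # Require encryption on the device.
    RequireDeviceEncryption         = $true
    # Sync only the last seven days of mail to the device.
    MaxEmailAgeFilter               = 'OneWeek'
    # Attachment handling: allow downloads, but cap the size (5MB is an assumed value).
    AttachmentsEnabled              = $true
    MaxAttachmentSize               = 5MB
    # Block devices that cannot enforce the settings above; without this,
    # a device that ignores the policy is still allowed to sync.
    AllowNonProvisionableDevices    = $false
}
New-ActiveSyncMailboxPolicy @settings

# Assign the policy to a user who will connect from a personal device.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Check what was actually stored in the policy.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, MaxDevicePasswordFailedAttempts,
                RequireDeviceEncryption, MaxEmailAgeFilter, AttachmentsEnabled,
                MaxAttachmentSize, AllowNonProvisionableDevices

# Lost or stolen device: list the user's partnerships, then issue a remote wipe
# against the one that was lost. The wipe applies at the device's next sync.
Get-ActiveSyncDevice -Mailbox $mailbox |
    Format-Table Identity, DeviceType, DeviceModel, FirstSyncTime
# Clear-ActiveSyncDevice -Identity '<Identity value from the table above>'
```

Whether each setting is honoured depends on the device's ActiveSync client, which is why `AllowNonProvisionableDevices` is set to `$false` here.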
Balanced with the right policies, robust user training and alternative secure solutions for more sensitive information (a much smaller but very important part of the information we look after) I’m convinced that this approach can provide a viable way forward.
But we also need to remember that providing access to email and calendars is really only the first step in delivering a genuine shift and enabling our users to work productively from any device. Recent updates to iOS and Samsung’s Knox give much more sophisticated mobile management capabilities, accelerating a move away from Mobile Device Management towards secure Mobile Application Management. These links provide a bit more detail about these changes:
While these are very recent additions to our toolkit, the potential they offer is substantial. And let’s not fall into the trap of thinking that this is all about ‘bring your own’ and playing with shiny toys. It’s about ICT moving beyond the old ‘all in one’ model where we have to control everything, it’s about removing technology barriers to our organisations’ innovation and it’s where we have to get to if we’re going to still be relevant in only a short period of time.