Strategies for securing the enterprise in a BYOD world – guest blog by Chris Swan

Submitted by Editor on 12 December, 2012 - 21:13.

With so many execs with tablet devices on their Christmas list this year, CTOs will be under increased pressure in the New Year to formulate a strategy that allows employees to use their new toys at work.

In this post, Chris Swan explains the different approaches for companies as they embrace enterprise mobility and balance the groundswell behind bring-your-own-device (BYOD) with company security. This piece follows up on a presentation by Swan at Making it Mobile last month. Until recently Swan was the CTO for client experience at Swiss banking giant UBS, prior to that he was CTO for security. He is currently looking for new opportunities. This post is also available on Swan’s personal blog.

I’ve spent a good part of the last year working on mobile strategy, so I get asked a lot about Bring Your Own Device (BYOD)[1]. This post encapsulates my responses.

It’s not about cost (of the device)

Last week, a friend sent me a link to this article 2013 Prediction: BYOD on the Decline?. My reply was this:

News at 11, an unheard of research firm gets some press for taking a contrarian position. They ruined it for themselves by trying to align BYO with cost savings. Same schoolboy error as cloud pundits who think that trend is about cost savings.

Cloud isn’t about cost. It’s about agility.

BYOD also isn’t about cost. It’s about giving people what they want (which approximately equals agility).

In fact, cloud and BYOD are just two different aspects of a more general trend: the commoditization of IT; cloud deals with the data center aspects, and BYOD with the end user devices that connect to services in the data center[2].

The enterprise is no longer in the driving seat

When I was growing up, the military had the best computers, which is a big part of why I joined the Navy. Computers got cheaper, and became an essential tool for business. For a time the enterprise had the best computers, which is why I left the Navy and found work fixing enterprise IT problems. Now consumers have the best computers in their pockets – so it’s time for another career change.

There are a number of companies out there trying to sell their device/platform based on it’s ‘enterprise security’ features. This is a route to market isn’t working - just take a look at the sales of the RIM Playbook – because the Enterprise doesn’t choose devices any more.

  • Consumers choose devices
  • Employees take their consumer devices to work
  • Devices that come to work need applications to make them more useful

Even when the Enterprise is buying devices – where the trade-off between liability and control is worth it – they usually buy the same devices that employees would choose for themselves.

MAM is where the action is, MDM is a niche

For a consumer device to be useful in a work setting it needs access to corporate data, and in most cases there is a need/desire to place controls around how that corporate data is used. There are essentially two approaches to doing this:

  1. Mobile application management (MAM) - where corporate data is secured in the context of a single application or a group of connected applications (that may share policy, authentication tokens and key management). With this approach the corporate data (and apps that manage it) can live alongside personal apps and data.
  2. Mobile device management (MDM) – where corporate data is secured by taking control (via some policy) over the entire device. This is how enterprises have been dealing with end-user environments for a long time, but that was usually a corporate-owned device (where this approach may still be appropriate) rather than BYO. Most users are bringing their own device to work to escape from the clutches of enterprise IT (and what the lawyers make them do), so MDM is a bad bargain for the employee. It’s also a minefield for the enterprise – what happens if employee data (e.g. precious photos) are wiped off a device? Could personal data (maybe something as simple as a list of apps installed) be accessed by company admins and used inappropriately?

There is a 3rd way called virtual-machine-based segregation, but that approach is mostly limited to Android devices at the moment, and anything that ignores the iOS elephant in the room isn’t inclusive (and thus can’t be that strategic).

MAM isn’t without its issues, as it is essentially a castle in the air – an island of trust in a sea of untrustworthiness. This will eventually be sorted out by hardware trust anchors; but for the time being there must be some reliance on ecosystem purity (i.e. the ability of device/OS vendors such as Apple to control the spread of malware) and detection of tampering (i.e. jailbreaking) with device integrity.[3]
• See the slide on user profiles, below, for more information.


Application Frameworks

The containment of corporate data is one issue, but regardless of whether that’s done at the app level with MAM or the device level with MDM, enterprises need to figure out how to get that data into an application. There are essentially three approaches:

  1. Thin client – rather than make a new app for mobile, just project out an existing application and access it via the tablet/smartphone or whatever. This can be pretty awful from a user-experience point of view as the approach depends on good network connectivity, and often does a bad job at presenting apps designed for keyboard and mouse to a device that offers touch and gestures. On the other hand, it is a quick and relatively easy way of preserving an existing investment in line of business applications. The connectivity issues can be dealt with by using protocols that are better optimized for mobile networks (such as Framehawk), and it’s also possible to use UI middleware to re-factor desktops apps for the BYO user experience.
  2. Mobile Web – take an existing Web site and provide a mobile version of it, reusing as much of the existing content management and UI componentry as possible. This is usually a great approach for cross-platform support, but doesn’t give the shiniest native experience (and performance can be poor).
  3. Native app – build something specific for a given target platform for the best user experience and performance. This can be perceived as an expensive approach, though getting mobile apps (which are after all just the UI piece of what’s usually a much larger app ecosystem) developed can be small change compared to other enterprise projects.

It’s also possible to hybridize approaches 2 and 3, though this will involve trade-offs on performance and flexibility that need to be carefully considered. Hybrid should not be a default choice just because it looks like it covers all the bases (just look at Facebook backing out of their hybrid approach).
• See the slides on Frameworks and containers and Framework characteristics for more information.

Conclusion

BYOD may presently look like a trend, but it isn’t some temporary fad. It’s an artefact of consumer technology transforming the role of IT in the enterprise. That transformation places demands on IT that broadly fall into two areas: containment (of sensitive data) and frameworks (to develop apps that use/present that data). MAM is the most appropriate approach to containment for BYOD, and frameworks should be evaluated against specific selection criteria to determine the right approach on a case by case basis.

Notes

[1] It’s remarkable how quickly the conversation moved on from Bring Your Own Computer (BYOC) to Bring Your Own Device (BYOD) – normally meaning a tablet, but usually expanded to include smartphones that support similar environments to tablets.

[2] At some stage in the (not that distant) future, the cloud will invert, and be materially present at the edge, on the devices that we presently consider to be mere access points.

[3] For the time being things are much easier in the iOS ecosystem, due to the monopolistic nature of the App Store. But expect things to get far more problematic when all of those shiny new Android tablets that people get for Christmas show up at work in the New Year.


• Be the first to know when mobiThinking adds new stats, guides, competitions etc… follow mobiThinking on Twitter: @mobithinking or via the RSS feed.


Don’t miss:
• The insiders' guides to world’s greatest mobile markets • New in-depth country guides to: • NigeriaKenya
• There are one billion smartphones in use in the world – that’s all folks
• Mobile Web overtakes PC Web in China
• Must-watch video on how mobile is transforming Africa
• Guide to mobile agencies • Latest agency profile: • The Hyperfactory
• Guide to mobile industry awards • Check out the video case studies: • EmmasWSA Mobile
• Guide to mobile ad networks 2012 • with 5 new ad networks •
• Mobile events 2012 • best conferences, great discounts and free tickets •
• 19 video interviews with leading mobile experts
• The big compendium of global mobile stats

© mobiThinking. Feel free to reference, quote or paraphrase parts of mobiThinking articles, clearly stating and linking to mobiThinking as the source, but reprinting or republishing the whole or substantial parts of the piece without permission will not be tolerated. Please see mobiThinking’s legal statement.

Rating for this article:
0
Submitted by Clara Butler (not verified) on 20 December, 2012 - 11:16.

Mobile devices are used to move data out if the enterprise and then must protect the data. People were using dropbox because they wanted their data to work on at home. Before that they used USB keys or email. The task has to be dedicated on enabling the user while securing data in transit and while at rest.

Submitted by Gary Griffiths (not verified) on 19 December, 2012 - 11:17.

Chris, this is a great piece, well done.

I couldn't agree more that securing business applications and data is where it's at.

I'd like to offer a maybe slightly different perspective on MDM. I don't believe MDM = Mobile Device Security, and it certainly does not equal Mobile Data Security. The only thing MDM can do from a security perspective is leverage any device level controls the respective device manufacturer has made available. In that sense, I think it helps leverage device controls more efficiently, but it definitely does not add any security that the device does not already have.

I believe there are three elements to securing business data when it comes to BYOD.

1. Securing data at rest and in transit (Encryption/VPN etc)
2. Preventing data leaking to non business apps/cloud services (containerisation/MAM/virtualisation are some approaches)
3. Enforcing robust authentication for those industries that need multi factor authentication - at the application level

MDM has no role to play here. I agree for the reasons you state and a whole lot of other risks MDM introduces to the enterprise, and other significant impacts to users in has (eg I have heard story after story about Exec's children wanting to play a game whilst they are out, entering the device password wrong 5 times and the whole device being wiped).

I look forward to hearing more about what you have to say.

Good luck with your next career move.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

To combat spam, please enter the code in the image.
Syndicate content