NEWS FEATURE: Debate rages over how to manage personal mobile devices used for work

Many businesses still don't have a policy on how the devices can access applications

Increasingly, businesses accept the idea that employees should be able to use their personal mobile devices, such as smartphones and tablets, for work. But debate is raging as to whether these employee-owned devices should be managed and secured exactly as corporate-owned devices might be.

A survey of 988 information technology managers published this week by vendor Courion shows 69 per cent of the organisations they work for let employees use personally owned mobile devices to connect to the corporate network, though a quarter of the total say they either don't have a policy on how these personal mobile devices can access applications or are unaware there is one.


"The notion of employee-liable devices is not something that can be ignored," says Andrew Borg, analyst at Aberdeen Group, adding, "Without a doubt, employee-owned devices must be compliant with policy." That might include, at a minimum, the ability to wipe and lock an employee's personally owned device.

In regulated industries, stronger controls might be expected, such as on-device encryption and a mobile VPN. To address the notion of mixing personal and corporate data, there are commercially available products, including those from Good Technology, that can create separation of personal and corporate use at the operating system level for smartphones and tablets. Other possibilities include VMware's virtual-mobile desktop, Borg points out.

Aberdeen Group's own recent research published in March about employee-owned mobile devices being used for work showed that in a survey of 500 enterprises, 72% "permit use of employee-owned mobile devices for business purposes." That's up substantially from the 40% that allowed it just two years ago. In the March 2011 survey, 45% said "yes" to any type of device from the employee end, and 27% said the devices had to be compliant with policy.

When it comes to letting employees buy whatever mobile device they want to use at work, "there are wise ways to do this and unwise ways," Borg says. Some companies allow it simply because they believe they are pushing the costs of the device onto the employees without the IT department managing and securing them. But this view is "short-sighted," says Borg. The strategic view is to push to achieve compliance of personal mobile devices with corporate security and management policies.

Some organizations might agree.

"Our policy is we want our users to use personal devices for work if they want," says Endre Wells, chief technology officer at Philadelphia-based Resources for Human Development, a nonprofit organization with about 4,800 employees in 14 states that provides social and welfare services. But the organization only allows personal devices such as iPhones and Androids for work if the employee agrees to use certain mobile-device management software, in this case, MaaS360 from Fiberlink, deployed there since May.

The MaaS360 agent software, controlled through Fiberlink's cloud-based service, gives the IT division at Resources for Human Development a way to ensure password policy is adhered to, and also provides a way to wipe the devices if lost or stolen. "We've used this twice already," says Wells.

The same Fiberlink software is required on the corporate BlackBerries that the organization still issues to those not using their own personal devices. In the past, the organization paid for about 300 BlackBerries but that number is dropping since employees often elect to use their own personal mobile device.

But not all analysts view the issues raised by employee-owned mobile devices quite the same way.

Gartner analyst Ken Dulaney, speaking at the recent Gartner IT Security Summit, acknowledged mobile-device technology these days does defy some traditional notions of best practices as employees, smitten with the latest iPhones, Androids and other devices they never put down, want to use them as their primary work tool. "This is the fashion business, not the PC business. Don't be a dictator or people will overthrow you. IT has lost control of this area -- it's a coping area," Dulaney said.

A new generation of "digital natives" is entering the workforce, and for them, the old-fashioned desk phone is simply "an expensive router to the cellphone," said Dulaney. When it comes to the mobile smartphones and tablets they may prefer to use, he suggested that if employees own them, these devices could in some instances be treated differently than if they are corporate-issue.

Employee-owned devices wouldn't be able to do as much on the network as corporate-owned devices, perhaps only email. There also should be a "policy document" to hold "individuals liable," said Dulaney. "They must report loss of the device and grant IT the right to wipe the content for any reason." He said that means the employee needs to back up "their personal stuff."

In addition, "they're still required to have a PC or notebook," for the reason that it's needed to read things like spreadsheets that don't convert well into mobile devices today.

If the employee elects to use a corporate-issued mobile device, however, the IT department would take full responsibility in buying it and fixing it, Dulaney said. Third, the reality of corporate life is that C-level executives and influential sales people tend to get what they want, no matter what. So the IT department may need to formalize a "VIP"-type service to allow restricted network access to certain groups in a consistent way that would meet with an auditor's approval.

But in the final analysis, organizations that need more high-level security will need to turn to mobility management software from vendors that include BoxTone, MobileIron and AirWatch, he added.

Yet another analyst, Craig Mathias of Farpoint Group based in Ashland, Mass., recommends a simpler approach. "You don't want tons of different policies. That's a recipe for disaster."

"Don't be foolish here," Mathias advises. If employees are allowed to bring in their personal mobile devices and use them on the corporate network, there should be mobile-device management software on those devices, and the IT department should insist that it is the one with control over them.

"I run across companies all the time that don't have policies," Mathias points out. They think they don't need to put management and security agent software on the employee's device since the company doesn't even own it, but that's missing the big picture, he says. "It's the information that's of strategic value. You own the information on it."

Note: this is vendor sponsored research.
