When alien hardware invades: 4 keys to BYOD success

We all love our gadgets, but some of our favorite devices, however innocent they may appear, are poised to overwhelm IT departments worldwide.

Like it or not, the "bring your own device," or BYOD, trend is now a permanent fixture among businesses big and small. Sure, some companies still prohibit employees from integrating personal laptops, tablets, and smartphones into their IT infrastructures, but their numbers are quickly dwindling. BYOD is a matter of "when" not "if," so businesses and IT admins must understand the risks involved and determine the most effective and secure ways to embrace all these alien gadgets.

When Paul Proctor, vice president and security analyst for Gartner, moderated a panel discussion on BYOD at the RSA Security conference in San Francisco this week, he classified four different approaches to BYOD: containerization, embrace, block, and ignore.

"Containerization" allows for BYOD but carves out a separate space for business-related data and communications. Meanwhile, companies that "embrace" BYOD have a no-holds-barred, bring-it-on ethos when it comes to hardware and security management. "Block" characterizes companies that actively ban BYOD, while "ignore" describes organizations that pretend the issue doesn't exist.

Proctor also shared Gartner research that crystallizes just how widespread BYOD has become. According to Gartner's numbers, 47 percent of today's businesses use containerization, 30 percent embrace BYOD, 15 percent block it, and 8 percent ignore it. But what's more interesting are Gartner's projections for how the next three years will shape up: The embrace model will double to 60 percent, containerization will drop to around 38 percent, block will plummet to below 3 percent, and ignore will completely cease being an option.

Richard Stiennon, security analyst for IT-Harvest, puts it more bluntly. "Resistance is futile," he says. "IT departments have always resisted consumer-driven change. Email, Web browsing, and Wi-Fi are all innovations that were initially blocked. Every organization should embrace BYOD. It's the future."

Let's take a look at those Gartner projections again. Less than 3 percent of all businesses will block BYOD outright, and these organizations will probably be in highly regulated, security-conscious segments such as government and banking. Meanwhile, ignoring BYOD will go away forever--a wise response to a trend that poses significant security problems. The upshot is that if you have any stake in the hardware or networking infrastructures in your business, now is a good time to consider BYOD risks and benefits, and to develop a plan for managing BYOD at your company.

The tricky part is that there's no single correct response to BYOD. There's no silver-bullet platform or application that just makes BYOD work. For many businesses, there isn't even a single BYOD approach that they can apply companywide. Different roles and individuals may present different levels of risk, and may require you to apply and manage BYOD differently.

With this in mind, here are four essential matters to consider when you're navigating the ever-swirling BYOD waters.

1. Weigh your options

BYOD is emerging as a valuable and effective tool for attracting and retaining talent. Younger staffers simply expect to use their own smartphones and tablets to get work done. That said, embracing BYOD doesn't have to mean allowing a free-for-all.

Rob Enderle, principal analyst for the Enderle Group, explains: "Extremely unsecure platforms should likely still be avoided until and unless they can be effectively locked down. IT should still ensure that devices are protected through policy, and that corporate information is segregated from personal information, and is protected, and [that] its use is managed by policy."

As for the definition of "unsecure platforms," we can look straight to Android for some of the bigger security risks in the BYOD revolution, but unpatched Java and Flash installations are responsible for security breaches as well.

To some extent, defining or limiting which hardware platforms employees use goes against the basic tenets of BYOD. To wit: Saying that employees can bring their own devices as long as they're Windows Phones isn't all that different from saying that employees must use company-issued Windows Phones. Still, you have to examine the risks involved with different platforms, and understand how much control the organization will (or won't) have to protect company data and communications. Some devices simply won't make the cut.

Next page: Set the rules of BYOD engagement...

2. Spell it out

Whatever your BYOD policy is, you should define it in a written document. Employees should be required to read and accept the terms of the BYOD policy before receiving permission to use a personal device for work purposes.

BYOD is still a nascent concept, and organizations are just beginning to deal with the repercussions that result from IT and employees misunderstanding the rules of engagement. Take the plight of Amanda Stanton, who in 2010 learned the hard way that her company had the power to remotely wipe and reset her iPhone, which she had purchased and managed herself.

Any smart BYOD policy should spell out crucial details such as how much access or control the organization expects to have over an employee-owned device. Will an app, agent, or profile be required for the company to deploy and manage policies on the device? How much power will the company have to lock or wipe data from the device? Under what circumstances will the device be wiped?

All of these questions need to be considered and resolved, and the answers should be shared with employees before BYOD hardware enters the workplace.

3. Who owns the data?

Issues surrounding data ownership become complicated once BYOD enters as a variable. It's easy to make the case that the person who owns a device should have authority over the data it contains. On the other hand, a company can't surrender ownership of proprietary data just because it allows an employee to access or store that data on a personal smartphone or tablet.

Take the case of Larry Sitton, who in 2011 sued his former employer in Georgia after discovering that the CEO of his old company had gone into his office and accessed a personal email account on his personal laptop, which he was using in a BYOD capacity. Sitton argued that his former employer, a printing company with some 120 employees, was crossing the line and that its act was an invasion of privacy. The court, however, ruled that the company had the authority to access the computer because it was being used for BYOD.

To prevent such scenarios from happening, one approach may be to segregate data into separate silos: Keep personal data sequestered in personal directories, and keep company data in company-managed containers. Don't let personal and company data mix, and define a BYOD policy for management accessing company data on employee-owned devices.

This approach might work, but Rod Beckstrom, vice chairman of the Global Agenda Council on the Future of the Internet, World Economic Forum, expressed a more ominous view during the RSA conference's BYOD panel discussion. Beckstrom suggests that under various legal and compliance mandates, an organization may not legally be able to segregate data, or guarantee that personal data will be protected. As a corollary, if a company is ever required to surrender data under legal discovery, the personal data on a BYOD device may be forced into play--formal BYOD agreements between employers and employees notwithstanding.

Another problem is that once company data has landed on a modern BYOD device, it's exceptionally difficult to control where it goes. For example, if an employee has company data on a personal iPhone, and that data is backed up to iCloud, wiping the device is no longer sufficient to protect that data. It's difficult--if not impossible--to know which servers or devices are storing company data. So, if you're in charge of data security, you need to consider all the various places data might end up once it leaves the servers over which you actually exert control. You should also limit the data that employees can access (and therefore store) to information you're willing to set free in the wild.

4. What happens when it breaks?

One last thing to consider is who handles troubleshooting and support for employee-owned devices. For employers, one of the perceived benefits of BYOD is offloading the burden of hardware and software support, and letting employees work directly with device vendors and wireless providers to fix problems.

That sounds good at face value, but if the productivity of your employees is tied to the functionality of their personal smartphones and tablets, and those devices are having issues, that has a direct negative impact on your business. Admittedly, device vendors and wireless providers are often the best choices for troubleshooting and support, and should be a first line of defense. But you still need a Plan B.

You should work with employees to establish expectations for addressing BYOD support issues. How long is it acceptable for a device to be inoperable? Will the company take any role in facilitating or managing the support process? If the device is out of warranty, will the employee be expected to pay for service out of pocket, or will the company subsidize the necessary repairs? What happens if the device is beyond repair, and the employee can't afford to replace it--or simply chooses not to?

One thing is clear when it comes to BYOD: Nothing is ever really clear. BYOD means different things to different people. Allowing an entry-level employee to access company email from a smartphone poses a different level of risk than allowing a company executive to store intellectual property on a personal laptop.

The bottom line, though, is that BYOD is here to stay. The question isn't BYOD or no BYOD. The question that organizations must consider is whether they want to embrace BYOD as a strategic opportunity, or to allow BYOD to happen to them with no well-considered management plan.