Feature Article

November 26, 2013

BYOD: The Six Essentials for Success

BYOD (Bring Your Own Device) is a much talked about trend. The allure of incredibly powerful, easy-to-use handheld devices, global connectivity, and an app for everything has given rise to a stunning consumer-driven transformation of the IT landscape. According to IDC, 56 percent of the business smartphones shipped in 2013 will be employee-owned. By 2016, up to 85 percent of enterprise employees worldwide will be using smartphones or tablets, and as high as 95 percent at many large corporations.

But as thousands of unmanaged devices connect to networks, IT departments are struggling to catch up. In the “old world” of laptop PCs, it was already challenging for IT to safeguard networks, keep track of corporate data and protect it from loss or theft, even with near total control of procurement, provisioning and security for PCs. With the BYOD phenomenon, employees are making their own purchasing and provisioning decisions without concern for security or support. Without protection, these devices are less secure than PCs, and their small form factor makes them particularly susceptible to loss or theft.

Implementing a successful BYOD strategy is much more than a technology challenge. Business policy, legal policy, management and governance take center stage. BYOD solutions will vary widely by organization and industry, but the six essential issues that all enterprises must address are as follows:

Essential 1: Understand Your Regulatory and Business Environment. Successful execution of a BYOD strategy requires the organization to develop a comprehensive framework of policies to cover the business, legal, technical and governance issues that arise when integrating employee-owned devices into the enterprise. To begin, the organization must take stock of its current environment and use the findings to develop a roadmap for future requirements. Key questions to ask include:

  • What is the company's goal for implementing a BYOD policy?
  • What are the regulatory and compliance requirements for the industry/organization? For global organizations, understanding country-specific laws is critical.
  • What distinct segments of mobile users does the company have?
  • What information and applications need to be accessed by each of those segments?
  • What levels of security will need to be applied to this information?
  • What are the data usage requirements of each user segment?
  • What travel requirements and other environmental factors need to be considered?

Once an understanding of the current environment and future requirements is in place, the organization can then draft its BYOD policy framework.

Essential 2: Build a Business Policy Framework. Armed with an understanding of user and security requirements, a policy framework can be drafted to address the following business policy questions:

Sourcing: This policy will determine whether employees purchase devices anywhere or just from preferred vendors, and will vary based on user segment and location.

Supporting Devices: This is one of the most important but often overlooked aspects of a BYOD policy. It’s unrealistic to expect your IT team to support every device that could be purchased by employees. IT will need to determine which devices it is willing to support.

Geo-Fencing: It may be that security or data use needs require policies to govern device use within predefined geographical areas. Everything might be allowable in your native region, but in other areas restrictions might apply that govern data usage levels, data access levels, or both.

Bandwidth Throttling: For corporate-sponsored data plans, bandwidth usage issues are a hot topic. Organizations must determine how to allocate employee demand for bandwidth across a broad swath of locations, roles and usage volumes.

Business Support vs. Personal Support: Organizations must determine the extent to which they are willing to provide technical support for an employee-owned device that accesses personal data and applications as well as business data and applications.

Device Loss: Device loss or theft is a fact of life. As such, the organization should have a thorough plan in place for how to protect (or remotely wipe) data on a device if it goes astray.

Reimbursement: How will employees be reimbursed for devices and/or data plans? A broad range of options exists, from total coverage of devices and unlimited data, to reimbursing employees for data expenses up to a certain preset level.

Essential 3: Build a Legal Policy Framework. The introduction of employee-owned devices into the enterprise environment, and the resulting presence of enterprise data on personal devices, will give rise to legal issues. Policies that sidestep risk must be outlined in advance to avoid costly mistakes.

Responsibilities: Does an employee using a device with corporate apps and data have a certain responsibility to protect the device? What if reasonable or required precautions are not taken to protect the device? What if they are, yet information is still compromised?

Rights: The legal rights of employees and organizations differ from country to country and have to be customized to meet applicable regulatory and privacy requirements.

Liability: Is the company liable if some action on its part results in exposure or loss of private data? Is the employee liable if corporate information is lost? What if the employee is following the required security policy, like password-protecting the device? Does that remove liability?

Privacy: What measures will a company take to protect the privacy of the employee?

Essential 4: Build a Security and Technical Policy Framework. Technical issues abound for BYOD implementations. Regardless of the organization's specific needs, it should consider the following security requirements as part of any comprehensive BYOD strategy.

Device Acquisition: Technical considerations often influence device acquisition policies. Hardware or OS requirements may favor the purchase of particular devices or the selection of a particular vendor, or may require a particular vendor to supply devices that have already been provisioned to the organization's specifications.

Security: One of the most challenging technical issues in BYOD is balancing security and risk. A successful IT strategy for BYOD security might involve applying different security policies and technologies to different user segments. Note that applying multiple policies and technologies can be complicated and must be carefully coordinated by IT.

Device Partitions: A growing number of devices are designed to support multiple user personas. Secure containers can also be used to isolate the data and applications associated with each persona, simplifying the assignment and ongoing maintenance of user access controls.

Application Management and Development Standards: Management policies must be established to ensure the proper level of control for each app based on its sensitivity and use. This container / composite app model can greatly simplify app provisioning and maintenance. To ensure that the full range of enterprise apps is consistent with the model, standards for app development must be established up front.

Data Access: Data access policies will also need to be established. This is true for both company-owned and employee-owned devices, but employee ownership introduces an added layer of complexity and need for governance. The enterprise will need to determine a number of factors, such as whether it will offer Wi-Fi to supplement broadband access, and if so, what levels it is willing to support.

Essential 5: Build a Plan for Successful Policy Implementation. Employee ownership of devices introduces a unique set of challenges and requirements when it comes to policy implementation:

Self-provisioning: The most obvious challenge with employee-owned devices is that the company doesn't typically have access to the device. So, mechanisms must be set up to enable employee-owned phones, tablets and other devices to be provisioned by the users themselves.

User Profiles: A solution must be in place to link individual employees with their user profiles, probably based on an AD/LDAP access control system and set of policies around individual membership in groups and group access to various data and apps.

Auto-Certification: With employees connecting to the network and provisioning their own devices, the enterprise must establish the technology and process for automatically certifying that the device has a container and is consistently connecting through the container.

Employee Self Service: Since it’s typically either impractical or impossible for organizations to take possession of employee-owned devices, it is essential that employees are able to provision and service devices through a “single self-service window.” Device and data plan management, usage tracking, and access to corporate applications that are authorized for individual personas all should be included.

Teleworking: An organization’s virtual desktop and unified communication strategy should extend to mobile devices.

Essential 6: Provide for Ongoing Governance to Maintain and Evolve Your BYOD Policy. The company’s BYOD policy must evolve as new factors and considerations emerge. To do so, a governance model is necessary, one that measures and monitors key factors such as cost, security breaches, lost phones or jailbreaks. The success of the BYOD strategy is dependent on the efficacy of the measures that are implemented through a governance model.

Looking Ahead

Harnessing the power of employee-owned devices can deliver tremendous advantages to the organizations that do it successfully. Keys to success include establishing a solid foundational understanding of the current environment; developing a clear set of business, legal, and technical policies; executing a well-defined implementation plan; and providing for ongoing governance and evolution of policies. The BYOD opportunity is here. The right planning can help you seize it.

Edited by Rory J. Thompson
