Analysis

The big issue to address in 2012 - facing up to consumerisation

By: Bob Tarzey, Service Director, Quocirca
Published: 27th February 2012
Copyright Quocirca © 2012

At a conference on the consumerisation of IT that Quocirca attended late in 2011, one delegate stated that their organisation “would not be adopting it”. The point had clearly been missed; consumerisation is about what employees choose to do with consumer technology, be it the use of social media or personal computing devices. In the latter case, the choice is not about whether employees bring smartphones and tablets into the workplace, but about the controls to put around them.

The issues involved are wide and varied, from the security of the corporate network and data to the control of how software is used on devices and how mobile operator bills are paid. No one should be in any doubt that, when the average employee is carrying a more attractive way of accessing IT in their pocket, handbag or briefcase than their employer provides on their desktop, addressing the use of employee owned devices is one of the big issues for IT departments in 2012.

That said, 2012 is also likely to be a good year for an agreement to be reached between employers and employees on what is acceptable. The argument was often heard a few years ago that employers would have to cave in to employee demands because restrictive working practices would not be attractive. However, as the age of austerity deepens and a return to recession looms, any reasonable job should be attractive, especially to the aspiring young who are most adept with the devices driving consumerisation and are most likely to be job hunting. 2012 should be a good time for employers to be setting out the ground rules and embedding them in employment contracts.

This article outlines the issues IT departments need to consider with regard to the use of employee owned devices; the technological, security and commercial issues involved and the longer term benefits that may be achieved with the right controls in place. The issues fall into two broad categories; protecting the business, its network and data and then managing the devices and the access to/payment for network resources.

NAC – controlling access to the corporate network
First, get the workplace itself under control, starting with which devices are allowed on to your internal network. Rogue devices are not welcome and any unknown device is a potential rogue. However, it should be made easy for employees to access the business network when in the workplace and they should be encouraged to do so, rather than leaving them to run up mobile bills, which the business might ultimately pay.

Network access control (NAC) tools, which identify devices and their users and certify their fitness for network access, have been around for several years. However, a resurgence of interest has been seen by specialist suppliers like ForeScout and Bradford Networks as well as the networking giants.

NAC is generally enforced via a dedicated appliance or modified router that identifies known devices and questions unknown ones—usually referred to as managed and unmanaged. With managed devices checks are made every time they come back on to the network; is the device’s security up to date? Does the device identity match the usual user identity for the given device? Do the geographic location and time of use make sense?

By definition, unmanaged devices have not been seen before, so NAC technology cannot rely on installed agents and therefore needs to be able to operate agentless. The status of unmanaged devices can be checked and access granted in certain circumstances. For example, is this a known user using a new device and, if so, what policy should be applied? Is it a guest device that should be granted limited network access for a restricted period of time? Is it a rogue that should be blocked?
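The admission logic described in this section can be sketched as a small policy function. This is an added example, not code from Quocirca or any NAC vendor; the inventory, network names, working hours and guest lease length are all hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: every name, address and threshold here is hypothetical.
MANAGED = {"00:11:22:33:44:55": "alice"}   # inventory: MAC -> usual user
EMPLOYEES = {"alice", "bob"}
ALLOWED_COUNTRIES = {"GB"}
WORK_HOURS = range(6, 22)                  # 06:00 to 21:59
GUEST_LEASE = timedelta(hours=8)

@dataclass
class Device:
    mac: str
    user: Optional[str]                    # authenticated user, None if nobody signed in
    security_up_to_date: bool = False
    country: str = "GB"
    seen_at: datetime = datetime(2012, 2, 27, 10, 0)
    sponsor: Optional[str] = None          # employee vouching for a guest

def decide(dev: Device) -> dict:
    """Return an access decision for a device joining the network."""
    if dev.mac in MANAGED:
        # Managed devices are re-checked every time they come back on to the network.
        if dev.user != MANAGED[dev.mac]:
            return {"action": "quarantine", "reason": "user does not match usual user"}
        if not dev.security_up_to_date:
            return {"action": "quarantine", "reason": "security out of date"}
        if dev.country not in ALLOWED_COUNTRIES or dev.seen_at.hour not in WORK_HOURS:
            return {"action": "quarantine", "reason": "unusual location or time"}
        return {"action": "allow", "network": "corporate"}
    # Unmanaged devices carry no agent, so decide from what can be observed.
    if dev.user in EMPLOYEES:
        return {"action": "allow", "network": "byod-restricted",
                "reason": "known user, new device"}
    if dev.user is None and dev.sponsor in EMPLOYEES:
        return {"action": "allow", "network": "guest",
                "expires": dev.seen_at + GUEST_LEASE}
    # Default deny: anything not positively identified is treated as a rogue.
    return {"action": "block", "reason": "unknown device, no user or sponsor"}
```

The final branch is the important one: a device that matches none of the positive cases is blocked rather than given a fallback network.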

Protecting corporate and regulated data
Data on mobile devices is a risk. This may be because the device has been compromised in some way but more likely because it is stolen or user-mislaid. Any business must see protecting its corporate data as a key requirement of managing consumerisation.

One approach is, as is increasingly mandated for laptops, that the devices should be encrypted. This is all well and good, but the cost of licensing encryption software and managing the keys could spiral out of control. Furthermore, there is the problem of software licensing and what degree of control can be taken over a user’s device; it is not really acceptable to encrypt the employee's own data so selective encryption is required, further complicating things. Many are now concluding that the only way to support consumerisation is to treat smartphones and tablets purely as access devices and to restrict the way corporate IT is enabled. There are three basic approaches:

  1. Provide access to applications that allow data to be viewed and updated, but not copied. For example, just because you allow employees to read email remotely does not mean their content should necessarily be copied to a device. There is increasing talk of “corporate app stores”.
  2. Provide a virtual desktop environment for the user. Again, data is not actually stored on the device, it is simply an access tool to a virtual desktop that is available anywhere the user can get online. For example, Citrix provides mobile support via its Receiver product.
  3. Provide the ability to view data in central data stores, for example Microsoft SharePoint or services specifically designed to support mobility like Trend Micro SafeSync and only allow downloading of data with a low security classification.

Keeping malware at bay
Writers of generic malware typically target the most popular software to maximise the chances of finding a way on to as many devices as possible. For this reason, Microsoft Windows and popular programs that run on it, such as Office and IE, have historically been, and still are, the most common targets. However, in 2011 the total number of smartphones on the planet overtook the number of PCs, and the operating systems and applications run on them are different. The Economist’s Beyond the PC report (Oct 2011) shows the amount of malware targeted at mobile devices to be increasing. The Android operating system is particularly vulnerable; it is now the most widely installed mobile operating system and more open than Apple’s iOS.

However, malware is not the only problem. Another incipient threat with mobile devices is the user’s desire to download consumer apps from app stores. Why bother to go to the effort of distributing malware if users can be duped into finding it themselves? The threats around the Google Apps Marketplace are considered to be the greatest, again because of its openness. Apple is restrictive about what gets into its App Store, but some users choose to 'jail-break' from the Apple eco-system and download unqualified apps. However, this is something that can be checked for by NAC systems before allowing network access.

Whatever the source of malware, from the point of view of managing consumerisation, businesses have two choices:

  1. Insist their users have anti-malware installed; indeed this can be a check and pre-condition of NAC. However, it is not really practical for occasional users. The traditional anti-malware vendors are adapting their products for mobile operating systems and some new specialists have emerged.
  2. Assume any mobile device may be compromised and take measures to insulate their business's IT systems from any harm. Given some of the other complexities involved with supporting consumerisation, many will conclude this to be the most practical approach.

Software licensing
Mandating the use of on-device software such as anti-malware and encryption leads to software licensing issues. If the software is corporate-issued, what rights are there to install it on personally owned devices? What control is there over licences when an employee leaves the organisation? The same applies to any application software that is installed on employee owned devices. This underlines the benefit of treating smartphones and tablets purely as access devices. However, that is not an end to the software licensing issues.

Some vendors, in particular Microsoft, license their software based on the number of clients (Microsoft calls these Client Access Licences/CALs). If a virtual desktop provides access to such software then its use needs to be audited and licensed to ensure compliance. If VDI is used it will also need licensing, although these vendors should be a little more friendly to the concept of consumerisation as it has become one of their target use cases.

Mobile device management, airtime contracts and mobile billing
IT end-point management vendors such as Dell/KACE, Kaseya and Symantec Altiris have focussed on traditional PCs. Mobile devices introduce all sorts of new issues. This has led to the rise of vendors specifically focussed on mobile device management (MDM), for example Good Technology and MobileIron. However, from the business requirements point of view, the management needs have been converging for some time; there is a need for unified PC and smartphone support. Some IT management vendors are starting to develop or acquire MDM capabilities; others are partnering with the MDM specialists.

MDM tools enable the management of software and licences installed and security features such as device wiping and disablement. Another key issue is airtime contracts and billing. When it was still practical for businesses to issue mobile phones to employees who needed them they could achieve economies of scale through having all contracts with a single airtime service provider.

However, with consumerisation each employee may have their own contract. This may not seem to be a problem if they pay the bill themselves, but what happens if they try to expense all or part of it? Perhaps employers should allow users to bring their own devices but provide them with a contract and pay the bill? But what happens about personal usage and the possible tax implications? What happens when the employee goes overseas and inadvertently runs up a huge roaming bill because corporate email is being pushed to their device? Telecoms expenses management (TEM) is a complex issue and can only be addressed with MDM tools that manage contracts, billing and specific mobile device configuration issues.

It is likely that a distinction will need to be made between different job roles. Perhaps senior management will be issued with all expenses paid, company supplied BlackBerrys, whilst sales staff are given an allowance to buy their own Android device for which the company will provide a contract and pay the bill. Other employees may be simply told that the bill is their own responsibility whilst they are provided with a corporate approved app to view emails.

Conclusion/key takeaways
In summary:

  • Use NAC tools, corporate app stores and/or virtual desktops to protect your corporate network and data whilst enabling controlled access.
  • Private networks need to be able to identify unmanaged devices and make decisions about access but make genuine guests feel welcome.
  • Deploy MDM tools to manage the devices themselves, their software, security and airtime contracts/billing.

Consumerisation cannot be ignored; it is a fact of life all businesses must face up to. Enable it and, ultimately, your business will benefit with a more motivated and flexible work force using devices they have chosen for themselves because of the productivity they enable.

For more in-depth coverage of some of the issues covered in this article, information is available in the following freely available Quocirca reports:

  • Carrying the can - consumerisation and enterprise mobility (June 2011)
    http://www.quocirca.com/reports/605/carrying-the-can--consumerisation-and-enterprise-mobility
  • The data sharing paradox (Sept 2011)
    http://www.quocirca.com/reports/620/the-data-sharing-paradox

This article first appeared in Global ETM: http://www.globaletm.com/page/2012q1

Published by: IT Analysis Communications Ltd.