Business Issues -> Security & Risk
By: Bob Tarzey, Service Director, Quocirca
Published: 27th February 2012
Copyright Quocirca © 2012
At a conference on the consumerisation of IT that Quocirca attended late in 2011, one delegate stated that their organisation “would not be adopting it”. The point had clearly been missed; the issue is that consumerisation is about what employees choose to do with consumer technology, be it the use of social media or personal computing devices. In the letter case, the choice is not about whether employees bring smartphones and tablets in into the work place, but about the controls to put around them.
The issues involved are wide and varied, from the security of the corporate network and data to the control of how software is used on devices and mobile operator bills are paid. No one should be in any doubt that when the average employee is carrying a more attractive way of accessing IT in their pocket, handbag or briefcase than their employer provides on their desktop, that addressing the use of employee owned devices is one of the big issues for IT departments in 2012.
That said, 2012 is also likely to be good year for an agreement to be reached between employers and employees on what is acceptable. The argument was often heard a few years ago that employers would have to cave into employee demands because restrictive working practices would not be attractive. However, as the age of austerity deepens and a return to recession looms, any reasonable job should be attractive, especially to the aspiring young who are most adept with the devices driving consumerisation and are most likely to be job hunting. 2012 should be a good time for employers to be setting out the ground rules and embedding them in employment contracts.
This article outlines the issues IT departments need to consider with regard to the use of employee owned devices; the technological, security and commercial issues involved and the longer term benefits that may be achieved with the right controls in place. The issues fall into two broad categories; protecting the business, its network and data and then managing the devices and the access to/payment for network resources.
NAC – controlling access to the corporate network
First get the workplace itself under control and what devices are allowed on to your internal network. Rogue devices are not welcome and any unknown device is a potential rogue. However, it should be made easy for employees to access the business network when in the workplace and they should be encouraged to do so, rather than leaving them to run up mobile bills, which the business might ultimately pay.
Network access control (NAC) tools, which identify devices, their users and certify their fitness for network access, have been around for several years. However, a resurgence of interest has been seen by specialist suppliers like ForeScout and Bradford Networks as well as the networking giants.
NAC is generally enforced via a dedicated appliance or modified router that identifies known devices and questions unknown ones—usually referred to as managed and unmanaged. With managed devices checks are made every time they come back on to the network; is the device’s security up to date? Does the device identity match the usual user identity for the given device? Do the geographic location and time of use make sense?
By definition, unmanaged devices have not been seen before so NAC technology cannot rely on installed agents and therefore need to be able to operate agentless. The status of unmanaged devices can be checked and granted access in certain circumstances. For example, is this is a known user using a new device and, if so, what policy should be applied? Is it a guest device that should be granted limited network access for a restricted period of time? Is it a rogue that should be blocked?
Protecting corporate and regulated data
Data on mobile devices is a risk. This may be because the device has been compromised in some way but more likely because it is stolen or user-mislaid. Any business must see protecting its corporate data as a key requirement of managing consumerisation.
One approach is, as is increasingly mandated for laptops, that the devices should be encrypted. This is all well and good, but the cost of licencing encryption software and managing the keys could spiral out of control. Furthermore, there is the problem of software licencing and what degree of control can be taken over a user’s device; it is not really acceptable to encrypt the employee's own data so selective encryption is required, further complicating things. Many are now concluding that the only way to support consumerisation is to treat smartphones and tablets purely as access devices and to restrict the way corporate IT is enabled. There are three basic approaches:
Keeping malware at bay
Writers of generic malware typically target the most popular software to maximise the chances of finding a way on to as many devices as possible. For this reason, Microsoft Windows and popular programs that run on it, such as Office and IE, have historically, and still are, the most common targets. However, in 2011 the total number of smartphones on the planet overtook the number of PCs, and the operating system and applications run on them are different. The Economist’s Beyond the PC report (Oct 2011) shows the amount of malware targeted at mobile devices to be increasing. The Android operating system is particularly vulnerable; it is now the most widely installed mobile operating system and more open than Apple’s iOS.
However, malware is not the only problem. Another incipient threat with mobile devices is the user’s desire to download consumer apps from app stores. Why bother to go to the effort of distributing malware if users can be duped into finding it for them themselves? The threats around the Google Apps Marketplace are considered to be the greatest, again because of its openness. Apple is restrictive about what gets in to its App Store, but some users chose to 'jail-break' from the Apple eco-system and download unqualified apps. However this is something that can be checked for by NAC systems before allowing network access.
Whatever the source of malware, from the point of view of managing consumerisation, businesses have two choices:
Mandating the use of on-device software such as anti-malware and encryption leads to software licencing issues. If the software is corporate-issued, what rights are there to install it on personally owned devices? What control is there over licences when an employee leaves the organisation? The same applies to any application software that is installed on employee owned devices. This underlines the benefit of treating smartphones and tablets purely as access devices. However, that is not an end to the software licencing issues.
Some vendors, in particular Microsoft, licence their software based on the number of clients (Microsoft call these Client Access Licences/CALs). If a virtual desktop provides access to such software then its use needs to be audited and licenced to ensure compliance. If VDI is used it will also need licencing, although these vendors should be a little more friendly to the concept of consumerisation as this it has become one of their target use cases.
Mobile device management, airtime contracts and mobile billing
IT end-point management vendors such as Dell/KACE, Kaseya and Symantec Altiris have focussed on traditional PCs. Mobile devices introduce all sorts of new issues. This has led to the rise of vendors specifically focussed on mobile device management (MDM), for example Good Technology and MobileIron. However, from the business requirements point of view, the management needs have been converging for some time; there is a need for unified PC and smartphone support. Some IT management vendors are staring to develop or acquire MDM capabilities; others are partnering with the MDM specialists.
MDM tools enable the management of software and licences installed and security features such as device wiping and disablement. Another key issue is airtime contracts and billing. When it was still practical for businesses to issue mobile phones to employees who needed them they could achieve economies of scale through having all contracts with a single airtime service provider.
However, with consumerisation each employee may have their own contract. This is may not seem to be a problem if they pay the bill themselves, but what happens if they try and expense all or part of it? Perhaps employers should allow users to bring their own devices but provide them with a contract and pay the bill? But, what happens about personal usage and the possible tax implications? What happens when the employee goes overseas and inadvertently runs up a huge roaming bill because corporate email is being pushed to their device? Telecoms expenses management (TEM) is a complex issue and can only be addressed with MDM tools that manage contracts, billing and specific mobile device configuration issues.
It is likely that a distinction will need to be made between different job roles. Perhaps senior management will be issued with all expenses paid, company supplied BlackBerrys, whilst sales staff are given an allowance buy their own Android device for which the company will provide a contract and pay the bill. Other employees may be simply told that the bill is their own responsibility whilst they are provided with a corporate approved app to view emails.
Consumerisation cannot be ignored; it is a fact of life all business must face up to. Enable it and, ultimately, your business will benefit with a more motivated and flexible work force using devices they have chosen for themselves because of the productivity they enable.
For more in-depth coverage of some of the issues covered in this article, information is available in the following freely available Quocirca reports:
This article first appeared in Global ETM: http://www.globaletm.com/page/2012q1
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: electronicdawn Ltd.