It may be hard for some to just say no to the growing Bring Your Own Device (BYOD) crowd, but that was the initial reaction manager of information at certified public accounting firm Burr, Pilger, Mayer Anthony Peters had when senior executives starting purchasing iPhones, asking them to be supported.
But now almost two years later, with a BYOD policy in place, "the demand comes from everyone." Much the same thing is happening all across the country in manufacturing, government, healthcare, high-tech and in law offices as BYOD challenges traditional security and mobile-device management practices.
At Foley & Lardner LLP, the 600 or so attorneys there are offered the option of BYOD on a voluntary basis and with a subsidy to keep it "cost-neutral" to whatever corporate-issued device that BYOD is expected to replace, says Rick Varju, director of engineering and operations there. He says this "whole consumerization of IT craze" basically got rolling because the CIO there got an iPad.
But due to concerns about security and compliance, IT departments are making their own demands on BYOD users often asking them to agree to give IT control over their personal smartphones and tablets. They're requiring them to use corporate-issued management and security software to monitor or remote wipe and sign off to accepted practice in BYOD policies.
John Pironti, president of consulting firm IP Architects, who has advised security association ISACA on BYOD security issues, contends the legal questions are usually harder to answer than the technology ones.
"It's about liability," when it comes to corporate data at risk, Pironti says about BYOD. In some places, BYOD should be rejected because it's too big a risk, or it's deemed a violation of the user's privacy. Either way, he warns, don't think a personally-owned BYOD device won't be subject to regulatory-driven audits just like corporate devices.
At the Burr, Pilger, Mayer firm, it is viewed that BYOD devices have to be audited just like any corporate-issued device would. So employees eager to go BYOD have to agree to use the necessary mobile-device management software and services, which includes Fiberlink MaaS360. They must adhere to specific iOS and Android types -- and definitely not 'jailbreak' their Apple smartphones to disable security (which the firm says it would know immediately if it happened). Each BYOD user also has to sign two policy documents about accepted practices and the company's requirements.
"It states you agree the firm can wipe the device," says Peters, adding the accounting firm also affirms the right to randomly monitor the device. But all these measures don't totally put to rest the uneasy feeling about the invasion of consumer devices into the corporate world.
Indeed, some businesses have put up the 'Keep-Out' sign to BYOD at least for now.
"I'm not comfortable with BYOD," says Brad Hillebrand, director of enterprise technology at paint and protective coatings manufacturer Rust-Oleum. "I don't want corporate resources on devices we don't own."
Instead, Rust-Oleum, which uses GroupLogic for mobile-device secure file-sharing, has started issuing iPads and iPhones to employees and telling them the devices now have a "personal mode" that allows personal data use "in a personal-security mode."
This personal mode is enabled by software from MobileIron and AirWatch that separates usage into business and personal. "Rather than BYOD, we're providing the personal mode," Hillebrand says. While users seem happy about it, Hillebrand acknowledges it does add cost and managers get monthly reports to see how "personal mode" is faring, especially in terms of wireless data-service plans.
Some organizations these days believe that BYOD is a way the corporation can save money by not buying corporate-issued mobile smartphones or tablets at all for employees.
That's the idea over at networking giant Cisco as far as smartphones is concerned. The company doesn't supply smartphones to any employee anymore, unless their job falls under government regulatory restrictions where it's plainly spelled out that the employee must be using a corporate-issued device, says Steve Martino, vice president of information security at Cisco. This requirement comes not only from the U.S. government for classified work, but from foreign governments, too, he points out. BYOD at Cisco is basically about trying to lower costs, but Martino argues that Cisco see measured productivity gains of about 30 minutes per day per employee through BYOD.
A recent survey of 116 IT and telecom professionals about BYOD found that nearly a quarter of them that allowed BYOD in their organizations said mobile capital expenditures had actually increased by more than 20%. However, the survey found that 60% of the respondents said they adhered to "the traditional approach of corporate ownership and liability," while 22% have a mix of both "corporate liable" and BYOD to accommodate different user group. One in 10 said their companies had gone "fully BYOD" in allowing employees to use their own devices at work, and expected employees to pay all their monthly network service charges themselves, while another 8% practiced BYOD with reimbursement.
The U.S. federal government has not yet opened the gates to BYOD, and is undertaking a close look at how security and MDM should optimally be done with BYOD. The National Institute of Standards and Technology (NIST) published a draft policy proposal just last July which suggests BYOD is inherently riskier than use of corporate-owned smartphones and tablets.
But a number of states, such as Mississippi, as well as many local governments already are in the middle of BYOD initiatives, that are happening because no one has made a good argument why it shouldn't.
The city of Minneapolis, for example, says there is the option for BYOD there in some circumstances. "My iPad is my personal one, but I'm allowed to use the city network," says the CIO Otto Doll. While the idea of BYOD is fairly new, he says it strikes him that it simply represents an evolution of the idea of how home computers came to be used to access corporate data, and when it comes to data security, you have to rely quite a lot on an employee's "sense of professionalism" and training on how data should be treated.
In the city of Wichita Falls, Texas, there are plans being worked out to support BYOD, possibly in the municipal court system for the convenience of attorneys and others, says Patrick Grey, system application analyst for the city.
And in Mississippi, BYOD is allowed in the prison system under certain circumstances, says Jerry Horton, IT network manager for the Mississippi Department of Corrections.
But not directly around inmates or for inmates. "Inmates is a definite big 'no'," he clarifies about whether BYOD extends to the prison population, noting over 4,000 phones are confiscated every year, brought in by relatives or "thrown over the fence."
Horton says his department does accept requests for BYOD from agency employees, carefully evaluating how BYOD would help them in their jobs. There are no restrictions on mobile-device brands, but the employee does have to sign a form that agrees if they lose their smartphone, for example, it would be wiped. The SonicWall Aventail EX 6000 VPN gateway plays a role in helping define access to agency data resources for any mobile device. Some agency executives, investigators and probation parole officers, for example, have been granted BYOD privileges.
Doctor's order: Get me BYOD, stat!
Large healthcare systems with multiple hospitals and clinic locations are adopting BYOD in order to accommodate physicians with their own tablets who are on the go and want both hospital e-mail and patient data fast.
Eric Devine, chief security officer, information services at Riverside Medical Center in Kankakee, Ill., says his healthcare organization today issues corporate-owned Apple and Android-based tablets and smartphones to employees there. But many times physicians prefer to use their own tablets, he points out, because their jobs often take them from hospital to hospital, not necessarily even owned by the same organization.
Devine says his IT group supports BYOD for about 5% of the physicians active in the Riverside system. But BYOD doctors -- who tend to adore Apple tablet, he says -- have to install McAfee or AirWatch mobile-management software, and sign a waiver that would allow IT to wipe the personal device if it's lost. And "jailbreaking iPhones," which would be detected at once, is prohibited, though it happens from time to time as physicians turn to the teenagers in their households for help with that.
Once that happens, the MDM software ensures network access ceases and the IT staff have to rush off to find the physician and explain why that's not allowed and get them started with BYOD again, Devine says. He adds BYOD is here to stay, but today it comes with a specific burden associated with keeping track of BYOD devices, which sometimes don't appear on the network for quite some time. He adds his healthcare organization is also looking at ways it might be possible to "self-register" BYOD users.
Rick Copple, vice president and CTO at Community Health Network (CHN) in Indianapolis, also says BYOD is supported mainly to let hospital staff get corporate e-mail today, under certain conditions.
Under a policy decided by CHN's IT department, CSO, CEO, auditors and healthcare professionals who asked for BYOD, these personally-owned tablet and smartphones have to use the MOBI wireless device management service with the Good Technology client just as corporate-issued devices might, but designated as a BYOD.
If the device is lost, the healthcare organization has the ability to wipe the business e-mail but not personal mail. But the IT staff aren't officially providing tech support for BYOD devices in the same manner they would for corporate-issued devices. But as the hospital system begins its rollout of a new electronic-medical record system from vendor EPIC, much change is anticipated as the healthcare organization is actively looking at various types of BYOD software to allow selective wipe and other features.
BYOD is "different"
"We've moved completely to BYOD," says Brad Pierce, network engineer at tax planning and accounting firm Horne LLP, mainly because of strong management support for it, with Google Android and Apple iOS devices managed via AirWatch and supporting mandatory encryption at rest. "We adopted Citrix Receiver as part of BYOD for tablets. It's a way to give users access to applications that we'd traditionally run on their laptops, in a secure manner on their smartphones and tablets."
Despite things working out with BYOD, there's still that slightly odd feeling about managing an employee's personal device. "We still do have the mindset these devices are different," Pierce says. "And the end user is acknowledging they are handing over a portion of this device we can control."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: email@example.com.
Read more about anti-malware in Network World's Anti-malware section.