Nearly two-thirds of Australian enterprises have staff who are using personal apps for work purposes, according to the Australian Enterprise Mobility Market Study 2014, produced by technology analyst firm Telsyte.
'Bring-your-own apps' — or BYOA — “is like the silent, invisible challenge that many CIOs are going to face,” says Telsyte senior analyst Rodney Gedda.
Although 'bring-your-own device' (BYOD) is the flavour of the month, "the real challenge lies in the applications that are on these devices", Gedda says.
The analyst said it's concerning that IT departments often overlook this emerging form of shadow IT — Telsyte's survey revealed some 27 per cent of organisations allow staff to use any personal mobile or cloud-based application for work purposes without any restrictions.
On the other hand, nearly 80 per cent of Australia’s IT departments have no plans to officially support BYOA, while 34 per cent of businesses have taken an iron fist approach, banning BYOA outright.
However, in not allowing BYOA, some businesses might be missing an opportunity to boost staff productivity. Businesses can take advantage of BYOA, so long as steps are taken to keep the use of public apps balanced with the security and integration requirements of corporate IT.
“There’s a groundswell of [BYOA] activity happening at all levels, from general staff all the way through to senior management… this is something that’s pervasive through the enterprise,” says Gedda.
The productivity benefits need to be balanced against data security and regulatory compliance, as well as the risk of fragmentation of workflows and IT systems.
For the most part, Gedda believes BYOA empowers people, and advises organisations that they may be better off working with it, not against it — regardless of whether personal apps receive official sanction within an organisation, people will still find a way to access them.
“You need to really be on top of it before it gets on top of you,” the analyst says. “You need to have strategies around it before you realise you have no visibility of data across the multitude of apps that are being used.”
Mobile device management
Currently there are a number of methods available, such as mobile device management (MDM) and mobile application management (MAM), which can let organisations increase the security of consumer-targeted mobile apps and cloud services.
According to the Telsyte report, around a quarter of Australian businesses currently rely on a dedicated MDM solution.
Gedda believes data integration is also a key part of BYOA strategy, as apps frequently include an API that can be used to link mobile apps to enterprise applications, and vice versa. There are also enterprise editions of popular SaaS apps such as Dropbox for Business and Evernote Business.
Telsyte research found that around a quarter of businesses allow BYOA from an approved catalogue of apps.
“The public app in BYOA is not an endpoint; the enterprise can actually adopt that app and get more of the features it’s used to, whether it's permissions, access controls, data location controls, remote working, so on,” says Gedda.
If there's a particular app that staff members love and are productive with, CIOs can look at subscribing to a premium version that allows people to segregate business and personal data, and includes technical support, Gedda says.
A number of organisations have set up their own in-house app store as a means to control the software downloaded and installed on company mobile devices. A Gartner report released last year predicted that by 2017, one quarter of enterprises will have their own app store as “apps downloaded from public app stores for mobile devices disrupt IT security, application and procurement strategies,” according to Gartner analyst Ian Finlay.
Gartner cautions, however, that enterprise app stores only work if IT security, application, procurement and sourcing professionals can work together to successfully apply the app store concept, while ensuring they provide a wide selection of apps. Gedda believes this may be overkill for many organisations.
“A lot of organisations don’t have the inclination or capacity to maintain an app store. But it’s something that can enable organisations to have better visibility, gives better knowledge over which apps are being used, and more accountability in regards to data sovereignty,” Gedda explains.
“So they can actually approve the app to be distributed throughout their suite, knowing that they’ve done some back-end integration to get the data from that app.”
He suggests that if taking this route, enterprises ensure there’s more than one option available so that if there’s a business continuity issue with a supplier the enterprise is not locked into a particular app or vendor.
The University of Sydney is one organisation that has successfully set up an in-house app store for students and staff, with the end goal of creating a personalised working environment that allows access to a variety of software from personal devices being used both on campus and remotely.
“The BYOA piece for university is quite different to the view that you’d see in a traditional corporate world,” says Nick Gilbert, director of service management, ICT with the university.
“[Tertiary education] has always been loosely federated… the challenges that traditional businesses saw with people bringing their iPhone and laptops, for us that was sort of business as usual.”
“For us BYOA is not a risk of a loss of IT governance and risk control, so much as a loss of relevance,” says Gilbert.
“We’ve started a reorganisation... inside IT specifically in response to that, to beef up the connection we’ve got with our teachers and researchers, so when they do find an application we’re able to do more than just say ‘no, you can’t use that’, or ‘you can’t plug that into our enterprise’.
“We’re able to say ‘here are the reasons this is a challenge, we’re aware of these few applications that do roughly the same thing, let’s talk about how they might be relevant’.”
Gilbert suggests that IT departments should take a proactive approach and talk to staff about what’s important from a business perspective, reducing the risk that IT will be bypassed.
“We want to be in the mix there, providing IT domain-specific advice, support, assistance, and particularly plugging in at a micro level, asking what you’re trying to achieve here and let’s talk about how we can help,” says Gilbert.
“If you’re being disintermediated, the response is not to lock it down. It’s probably much more about a relationship or a strategic block if anything else, that’s what you should be addressing — are you providing the right support?”
Gilbert also cautions those considering internal app stores that licensing is “incredibly complex”; an app store can involve a large portfolio of software, all under different licensing agreements, some of which couldn't be allowed or would prove extremely expensive.
“For us, there was an element of having to re-craft some of the vendor’s contractual arrangements and working with them on the greenfields virtualization contracts, so that was a key challenge,” says Gilbert. “There’s no easy way to address it, but just don’t assume it’s not a challenge and make sure you build time into your schedule.”
Gedda says when it comes to developing a BYOA strategy, organisations need to start with education and discovery to ensure they don't get left behind. Talking to staff to find out what apps they use, and why, can help with understanding what IT can offer, what risks need to be managed, and what benefits IT can glean for the business.
“People obviously are using Dropbox for a reason — and if you’ve got something equivalent and they’re not using it, there’s a reason why. Maybe it’s not user friendly or accessible,” says Gedda.
Lastly, Gedda reiterates the risk of killing productivity by simply banning apps, but cautions that “you want to be sure that the benefits outweigh the risks”. “Don’t just hope,” the analyst says.