By Malcolm Orekoya, Network & Security Specialist, Netutils
Views expressed in this post are original thoughts posted by Malcolm Orekoya, Network & Security Specialist, Netutils. These views are his own.
We are now all too aware of the proliferation of mobile devices, such as smartphones and tablets, in enterprises today. Employers supporting a bring-your-own-device (BYOD) environment, in order to support the growing number of employees who want to use their devices to work at home, at the office and while on the move, are definitely on the rise. But what is the right approach to a successful BYOD implementation? Why, at such an early stage of BYOD's popularity, are so many enterprises struggling to correctly implement a BYOD environment?
Similar to starting up a new business, there has to be a good understanding of what one is trying to achieve (like having a business plan complete with forecasts and your bottom line), a good knowledge of all the variables involved (like knowing your market and competitors) and there needs to be a solid foundation from which to start (like having financial support through savings, investors or your bank). Today a lot of enterprise BYOD implementations start with the end user (usually a few high-level executives) wanting to use their personally owned devices to access corporate resources while in the office and out of the office. As a result, IT departments begin their BYOD planning by starting with a small group of users, then their devices, then the resources they want to access, followed by how to implement control and then finally, a BYOD policy is formulated and rolled out to the larger employee population. In my opinion this is the wrong approach and sets the enterprise up for running into numerous problems down the line.
Irrespective of how the BYOD conversation starts within any enterprise, once the decision has been made to adopt BYOD across the network (i.e. it has gained the organisation's support), a rethink needs to take place which properly considers the users, devices, resources, control and enterprise-wide BYOD policy that would apply to everyone. The sequence of considering these variables when planning a BYOD environment should look something like the one shown below, and not the other way around.
BYOD Policy → Resources → Control → Devices → Users
Each one of these considerations affects and ties in with the next one. The BYOD policy should stipulate what the enterprise requires its employees to agree to (this policy should be signed by employees), and this will be influenced by the type of resource access required by the employees as well as the control utilised. For example, if an employee wants to bring in their own device to gain full access to corporate resources (say, similar to what he or she has on their desktop computer), the BYOD policy might state that the employee is required to allow IT to install a piece of software on their device that will allow IT to control and validate the posture of the user's device (for instance, check the Anti-Virus is up to date and possibly wipe the device if it’s lost or stolen). If, however, the employee would rather not give this level of control over his or her device to IT, then they may only be granted limited access to corporate resources (for instance, use of the internet and maybe web email). Furthermore, the control required by the enterprise would determine the devices that it supports, which in turn could determine what devices users end up purchasing, although the popularity of some devices, such as Apple and Android devices, could quite possibly dictate both.
Enterprises need to start thinking about their BYOD implementation planning before actually implementing BYOD across their network. Considering the variables in the right order avoids putting the cart before the horse and would help avoid problems in the future. Having said that, it is worth mentioning that although planning for BYOD should start from left to right of the variables mentioned earlier, actually implementing BYOD should be considered from right to left; I’ll explain. Implementing BYOD starts by considering the level of trust attributed to a user and/or device, which is usually determined by users and/or devices successfully authenticating or validating their identity to a trusted entity, followed by the authorisation (access control) subsequently given to corporate resources, where the level of trust determines the level of access granted. All of this must ultimately comply with the organisation’s BYOD policy.
User Trust → Device Trust → Access Control/Authorisation → Resources → BYOD Policy
Again, each variable ties in with the other variables next to it, but it is important that enterprises do not make the mistake of starting to write their BYOD policy by first considering the trust attributed to their users.
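The implementation order described above, as an added example that is not part of the original post: the policy is written first as data, then each access request is evaluated from user trust through device trust to authorisation and resources. The tier names, resource names, supported platforms, the refusal of lost devices and the fallback to limited access on a failed posture check are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Planning order: the policy comes first and names, per tier, the control it
# requires and the resources it grants. All names below are constructed.
BYOD_POLICY = [  # ordered from most to least privileged
    {"tier": "full", "requires_posture": True,
     "resources": frozenset({"internet", "webmail", "file_shares", "intranet_apps"})},
    {"tier": "limited", "requires_posture": False,
     "resources": frozenset({"internet", "webmail"})},
]
SUPPORTED_PLATFORMS = {"ios", "android"}  # assumption: what the chosen control can manage


@dataclass
class Device:
    platform: str
    agent_installed: bool  # employee allowed IT's software on the device
    av_up_to_date: bool    # posture reported by that software
    reported_lost: bool


def decide_access(user_authenticated: bool, policy_signed: bool, device: Device):
    """Implementation order: user trust, device trust, authorisation, resources."""
    # 1. User trust: identity proven and the BYOD policy signed.
    if not (user_authenticated and policy_signed):
        return "none", frozenset()
    # 2. Device trust: a lost or stolen device gets nothing (assumed rule).
    if device.reported_lost:
        return "none", frozenset()
    # Posture can only be validated on a platform the control supports.
    posture_ok = (device.platform in SUPPORTED_PLATFORMS
                  and device.agent_installed and device.av_up_to_date)
    # 3 and 4. Authorisation: grant the highest tier whose control requirement
    # the device meets, and return the resources the policy attaches to it.
    for rule in BYOD_POLICY:
        if posture_ok or not rule["requires_posture"]:
            return rule["tier"], rule["resources"]
    return "none", frozenset()


if __name__ == "__main__":
    managed = Device("android", True, True, False)     # constructed sample
    unmanaged = Device("ios", False, True, False)      # constructed sample
    print(decide_access(True, True, managed)[0])       # full
    print(decide_access(True, True, unmanaged)[0])     # limited
```
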
In conclusion, as I mentioned at the beginning, starting a business almost always involves an understanding of the market, competitors and a business plan before anything begins. The same should be the case with BYOD in the context of the variables mentioned above; only then will your enterprise minimise problems and increase its probability of a successful and worthwhile BYOD environment.