The coming of BYOD and its challenges
By Edwin Yapp May 25, 2012
- Change of mindset, establishing clear implementation policies needed to make BYOD transition
- Security is by far the greatest concern in BYOD implementation
WHILE the bring your own device (BYOD) phenomenon is beginning to gain traction in the enterprise world, several impediments still stand in the way of the trend becoming a mainstream adoption, say industry watchers.
Gordon Payne, senior vice president for desktop and cloud division, Citrix Systems, said that about four years ago, vendors who tried to speak to CIOs of Fortune 100 companies were asked to leave, noting that the only devices they would consider using in their companies are BlackBerrys and the personal computer (PCs).
"Then Apple came with its devices -- MacBook Air, iPhone, iPad -- which opened the door of the consumerization [of IT], and [suddenly] everyone wants to bring their own devices," he told Digital News Asia in an interview on the sidelines of Citrix Synergy Conference in San Francisco.
Payne (pic) noted that three years ago, there were only 5% of companies who had BYOD policies but now, the figure is closer to 50%, he claimed.
But while these figures may seem encouraging for adoption of BYOD policies, sentiments on the ground, especially among larger enterprises, are not as encouraging as one would like to think.
Acknowledging this, Payne said some of the larger enterprises in verticals such as healthcare and financial services industry (FSIs) take longer to adopt such policies.
Payne believes that the challenges to the adoption of such nascent concepts like BYOD are because of legacy issues. For 25 years, the computing industry had locked down enterprises with a standardized way of doing things, and to overcome the sheer inertia of doing things the current way is a huge impediment to BYOD policies, Payne added.
"The old way of IT is that it does everything for the user, including delivering full service to every employee, which is a very costly model," he said.
Payne pointed out that enterprises need to move away from the thinking that IT is a service provided by a company for its employees to one that thinks of IT as a self-service model. Unfortunately, most in the IT realm aren't comfortable about this, he added.
"Companies need to think of themselves as online retailer that are serving their employees with [IT] services. The way to do this is to offer data and apps as a service, and to empower them to act by themselves," he said, adding that this is where Citrix can help as it has the tools and solutions to enable this.
Payne also said the BYOD agenda must be driven from top down as senior company executives need to realize that such policies are about transforming the business rather than about spending on IT per se.
"It's really a business discussion -- the notion of how to empower their employees to work from anywhere, anytime. So companies need to frame their discussion in business terms including how such policies and tools can improve the business."
Establishing a workable plan
According to David Johnson, senior analyst, desktop, mobile infrastructure & operations, Forrester Research, the first thing any company would have to do if it were to consider BYOD policies is to implement a rational way to determine who in the company is a good fit for the practice of BYOD.
Based on Forrester's research, there are six questions that a company should consider, Johnson said. They are:
- Whether employees are telecommuting or office based;
- How much access do they have to privileged information;
- What are the regulatory requirements for those employees;
- Whether they have any software applications dependencies such as switching from Windows to Macs;
- How technically savvy employees are, as some workers can support themselves, while others can't; and
- How much employees travel, how mobile they are.
Johnson (pic) said such questions asked will help companies narrow down who would qualify for a BYOD policy as not everyone in a company would need to bring their own devices.
He also noted that a BYOD environment is essentially a self-service one and advised that companies establish a self-support zone within the company to enable workers to be able to support themselves for the most part.
"Wikis and self service portals are going to be key, as is hosted virtual desktops," he suggested. "These are some of the best practices we've discovered from companies that have been practicing BYOD successfully."
Citrix's Payne added that companies should take baby steps to implementing a BYOD policy as it's unnecessary to gear the entire organization towards such a move.
"Go through the standard questions of evaluating based on return-on-investments, capital expenditure and security. Rely on experts to help you through the transitions, establish a solid framework and plan of implementation, and make your applications for BYOD user centric. In the old world you can force employees to use unattractive apps but today, you can't."
Security concerns still present
Even if there are companies who are ready to make the BYOD shift, one of the greatest fears underpinning the adoption of BYOD is the issue of security -- both apps and data -- industry observers have noted.
In a guest posting on networking company Juniper's blog, Canalys analyst Nushin Hernandez noted that mobility multiplies the number of attack vectors open to cyber-criminals and potentially makes corporate data more vulnerable through physical loss of devices.
Users, she added, have a tendency to treat smartphones and tablets as low risk, but they need to be educated to understand the security implications when they use these devices to access corporate data and networks.
"IT managers have tried to maintain their acceptable device policies, but this has become more difficult and they’re starting to lose control in the enforcement of these policies," she said in her posting.
"Over the next few years, proliferation of mobile devices will continue to increase – in parallel with this growth, the BYOD problem will get worse especially considering that according to Juniper’s Trusted Mobility Index Survey.
Hernendez (pic) noted that this strategy goes beyond mobile device management (MDM) and involves advanced content security, network security and security management capabilities.
"Businesses need to plan, deliver and optimize their mobility strategy to cater for new devices, new applications and new user requirements," she explained. "They also need to act fast and be proactive or else find themselves in a reactive-spiral."
She added that for BYOD to succeed, this mobility framework must be user dependent and user friendly.
"Willingness of users to adopt such a strategy will also depend on their level of awareness of the possible security risks. Businesses with the help of technology vendors, device manufactures, service providers and channel partners need to do more to educate users on the risks," she said.
Forrester's Johnson added that another big challenge for BYOD is to get every employee to safeguard the company information that they have on their own devices.
This, he said, implies firstly that there is a way to verify that the information on an employee's device is being protected, and secondly, that he has the controls to prevent any unauthorized information from leaving the organization.
Asked if Citrix had the necessary tools and solutions to address these challenges, Johnson noted that the company has solutions that not only gives a complete and contained workspace environment that allows people to share information but also preserves manageability, which is good.
"However it's not foolproof as virtual desktop infrastructure (VDI) is still vulnerable in the same way other end points are vulnerable," he explained. "For example, if you click a web link, you can still download malicious software and still have a security outbreak. You can recover from such instances quicker, but it is nonetheless a security issue."
Citrix's Payne said most companies have security at the edge of the network but for BYOD to work, the data center is where the secure zone is for the data and applications.
To address this holistically, Payne said, there is a need to centralize apps and data, before securing the information without compromising the delivery across the network.
Watch Digital News Asia' senior editor Edwin Yapp speak with Gordon Payne, senior VP for desktop and cloud division, about three best practices companies need to take note of when adopting a Bring Your Own Device (BYOD) policy.