Over the past year, many CIOs have seen their IT environment change dramatically — from a controlled environment to one where employees are bringing in all sorts of different personal devices into the workplace.
And employees, whether they’re allowed to or not, have started using all sorts of consumer-based apps on their personal devices to get the job done — since those tools are often more effective than the ones their company provides. They use Dropbox to send files to customers, they open up pdfs with GoodReader, they back up their data to iCloud — to name just a few examples.
Consumerization of IT is here to stay, but it doesn’t have to be a scary prospect. It represents an opportunity for employees to be more productive, more efficient and potentially even happier. There’s no stopping the tide of Bring Your Own Device — the best a CIO can do is minimize the potential risks.
ATB Financial, a Crown corporation with 5,000 employees serving 670,000 customers in Alberta, is doing just that.
Chris Timmons, senior manager of information security with ATB Financial, has been working on a BYOD strategy for the past two years, recognizing that the “trend” is here to stay. ATB is already allowing BYOD to some extent, but it will be rolled out completely after this year’s spring budget.
“Companies spent far too long with their heads in the sand,” said Timmons, who presented at McAfee Focus last fall and later spoke to CIO Canada. “If users really want to do something, they will find a way. You need to be reactive — users will do it, whether you want them to or not.”
ATB’s environment includes 2,600 laptops, 1,800 BlackBerry smartphones, 120-plus cell phones, 100-plus iPhones, 100-plus iPads and about 100 home office workers, as well as about 400 terminal server users.
“We anticipate the corporate-issued BlackBerry to iPhone ratio to equalize within a year,” said Timmons. “New users can choose either device, and existing BlackBerry users can choose either device during the upgrade cycle.”
Timmons also expects iPad usage to increase exponentially as new business cases are approved. They’re just getting into Android devices; because carriers can customize the platform and there are so many different app stores, there’s a requirement for anti-virus on those devices.
So far, there haven’t been any requests for Windows Phone; however, Windows 8 phones and tablets could change this, and the OS will allow IT to support those devices right out of the box, just like a corporate laptop.
“It’s not just going to be iPhone — the solution needs to be viable for anything,” said Timmons. “We’re playing with Samsung tablets — it’s not really an iPad, not really a laptop, it’s a full-blown OS that doesn’t conform to anything. We can’t use existing MDM solutions for that, so we have to look at what other enterprise controls we can have.”
Timmons is concentrating heavily on data loss prevention in social- and cloud-oriented environments. For example, an employee could receive an email with a PDF, open it up with GoodReader, sync it to Dropbox and access it from a personal iPad. “Even if you removed that content and wipe the guy’s phone, your corporate info is still linked to that personal account,” said Timmons. “It’s literally no better than taking a USB and dropping it in the parking lot.”
So the idea is to prevent corporate data from getting on personal devices in the first place. You can segment mobile devices and apply security policies to them, he said, so they’re not allowed to get attachments or back up to the cloud due to the security policy of the device, for example. You can also remotely wipe lost or stolen personal devices, or wipe corporate data once an employee leaves the company.
Malware scanning and hardware encryption are essential, as well as policy enforcement, password enforcement and Internet content filtering. The No. 1 requirement, however, is remote wiping and password reset. “If that doesn’t work, nothing works,” said Timmons.
However, awareness policies are essential. Apple by default allows Siri to be accessed even when the phone is locked, which doesn’t meet corporate security standards. Employees have to manually make this change and sign off on it, said Timmons, since there is no API to enforce this.
“Overnight we’ve got four, five, six different operating systems. On top of that, you’ve got the hardware and the platforms, especially with Android where manufacturers are free to add value by tailoring the hardware — there are permutations we frankly didn’t see with desktops,” said John Dasher, senior director for mobile security with McAfee Inc., during McAfee Focus. “The industry is really in its infancy of where we’re going to head.”
Apps are perhaps the most interesting aspect of mobile platforms, he said. A year ago, the average iOS user had 65 paid apps on their device. With Apple’s walled garden approach, Apple is the gatekeeper of apps for iPhones and iPads, making them somewhat more secure. With Android, however, there’s more than a dozen app stores — you can download and side-load apps — and that’s causing some of the current security threats in the Android marketplace.
Android attacks have increased 238 per cent since December 2010, said Dasher, while Symbian remains the most attacked mobile platform in terms of total malware samples. Android has emerged as the platform experiencing the largest number of new attacks, more than all of the other mobile operating systems combined month to month.
One of the challenges that IT departments face is how many devices they’re going to support, said Doug Cooke, director of sales engineering with McAfee Canada. Apple’s OS is fairly secure from a malicious code standpoint, compared to Android and Symbian. But there are management facilities available that can restrict which apps can be downloaded onto a device, “sort of like a corporate approved app list,” he said.
So what are the threats? In a PC environment, a worm can move from computer to computer, but in a mobile environment, this is more limited — a user needs to click on something. However, hackers could potentially gather contact information, record phone conversations and gather keystrokes, said Cooke. They could go into a banking app to gather keystrokes and passwords; send corporate contact lists to third-party advertisers; even initiate calls or text messages to chargeable services.
“It’s our conclusion that mobile device management is necessary but not sufficient,” said Dasher. “You want to protect the device, the data and the apps. Malware can undermine any MDM system you have in place. If all you have is MDM, malware can get in there and undo it.”
On the data side, you want to make sure any native encryption on the device is being used. But with apps, this is an emerging area in terms of technology. “We’ve had app marketplace owners — three in Asia — say we’d like your help in making sure our apps are in fact clean and not infected, so we’ve worked with app marketplaces to integrate McAfee technology. This is largely custom work; we’re figuring out how this makes sense (on a larger scale).”
Dasher expects in the next 24 months we’ll see every enterprise running their own app store, where employees can get custom apps in one spot, similar to a corporate disk image in the desktop world. “Today it’s a recommendation,” he said. “Tomorrow we’ll be able to white list and black list.”
It doesn’t make sense for IT to dictate what applications a line of business is using, said Christian Kane, infrastructure and operations analyst with Forrester Research Inc. Rather, they need to be bringing the LoB into the conversation and having IT change its philosophy of serving the business.
Often consumers are more aware of new technologies than corporations, so they’re finding new ways to work — and IT should support that in a more guided manner, he said, being mindful of business security requirements. Employees are not using these new tools to be malicious; there’s an unmet need.
That’s a stark difference in how IT has supported the workforce and how they will support it moving forward, he said. Ultimately it’s about managing data and access rather than the devices themselves.
“It’s important to get started now, to start running pilots, tweaking policies, finding out what your needs are,” said Kane. “MDM solutions look different from one month to the next; it’s hard to keep up with this. There are a million different choices available right now, and all of them will look different in a year’s time.”
Most firms are starting with an MDM solution and building out a mobile policy. Once they get their devices under control, they’re turning their attention to applications. Vendors are working on better application controls and better data management, but it is still very much a work in progress, said Kane. Right now, there isn’t one solution for everything an enterprise wants to do.
Apple and Google are developing more enterprise functions, as are plenty of third parties. There’s interest in developing app management and self-service tools, including enterprise app stores that mimic consumer app stores. But there’s also a lot of confusion toward third-party technology in MDM: There are already 45 vendors in this space, including MobileIron, AirWatch, BoxTone, Tangoe and McAfee.
Despite this quickly changing and somewhat confusing marketplace, James McCloskey, senior research analyst with Info-Tech Research Group, sees it as an opportunity.
“There was this notion that if the company deployed a device — desktop, laptop or BlackBerry — that that was somehow sufficiently secure in and of itself because it’s company-deployed. The BYOD situation forces them to come to terms with that reality, and it’s a huge opportunity to put in the right security and management approaches.”
MDM solutions have become much more capable and flexible in terms of end points they can support, providing BlackBerry Enterprise Server-like experiences across multiple devices. The BES environment is now being extended to provide some level of control over non-BlackBerry devices.
The bigger challenge is with personal and unmanaged applications; this is particularly an issue with BYOD, unmanaged or unlocked devices. Employees will find a way to do what they need to do but might not be using apps that align appropriately with corporate objectives for privacy. It’s important for IT organizations to not only understand what apps their employees are using, but also what they’re using that isn’t standardized.
“Why are people using Dropbox? They need a way to simply transfer files between devices and people in or outside corporate intranet,” said McCloskey. That creates a pressure for IT, but it’s a good kind of pressure — IT can satisfy that need in a way that’s equally effective and aligns better with corporate security policies. “If you say, ‘Don’t use Dropbox,’ you’re really not going to get a reasonable uptake of that message,” he said.
There’s an unstoppable tide of BYOD, but it’s an opportunity for IT departments to rethink the way they deliver IT services, instead of pushing back or locking down the environment.
“BYOD is like the seven stages of grief — anger, denial, and eventually you make your way to acceptance,” said McCloskey. The difference is, he said, you can come through it a better and more complete IT delivery organization, with much happier employees.