Balancing act: Security vs. ease of use
The consumerization of IT requires a well-thought-out BYOD policy
By Nancy Doucette
Tod Ashby prefers not to be a "no" guy. As the senior vice president of information technology at Van Gilder Insurance Corporation in Denver, he would rather be ahead of the curve—anticipating the technology needs of the 130 people who work in the agency. So when Apple introduced the iPhone in mid-2007, Ashby sensed that it wouldn't be long before colleagues began asking to use their personal iPhones rather than the agency-issued Blackberries. He wasn't wrong and he was ready . . . he'd done the infrastructure work to allow these then-new devices to work with the agency's servers.
"We have a boatload of iPhones, iPads, Android phones and tablets," he says. "And there are diehard Blackberry users. We use Exchange 2010—which has some built-in functionality for mobile devices—for our e-mail platform; so we decided we would support any device that uses Exchange ActiveSync. We want to provide that kind of flexibility for our employees; we want to give our users an ease-of-use experience. We want them to use whatever tools make them more productive—more available and accessible to our customers.
"Workers want more control of their work environment. BYOD [bring your own device], desktop virtualization—delivering a consistent desktop environment to a range of devices—and mobility enable that. The consumerization of IT, where employees are allowed to use their personal devices for work-related activities, is good," Ashby states. "But at the same time, it's paramount that we protect client data. It's a balancing act."
Ashby shared some of his balancing act experiences at the NetVU PowerUsers meeting in a session aptly titled "Mobility and Virtualization." (More sessions on the topic are slated for the NetVU Conference, March 14 – 16, 2013.) During his PowerUsers presentation he referred to the "BYOD and Virtualization" study released in mid-2012 by networking equipment giant CISCO (www.cisco.com/web/about/ac79/docs/BYOD.pdf). If there were any doubts about the impact on agencies of BYOD, desktop virtualization, and mobility, some of the statistics he pulled from the survey got audience members leaning forward in their seats:
• Seventy-eight percent of U.S. white-collar employees use a mobile device (e.g., laptop, smartphone, or tablet) for work purposes.
• By 2014, the average number of connected devices per knowledge worker will reach 3.3, up from an average of 2.8 in 2012.
• Forty-one percent of respondents indicated a majority of smartphones connecting to their company network are actually employee-owned.
• Eighty-six percent of BYOD costs are non-hardware related, highlighting the importance of choosing the right governance and support models to control these costs.
If there ever were a time to have a set of policies and procedures in place, it's when an organization that must maintain the security and confidentiality of sensitive company data welcomes employees' use of personal devices for work-related tasks.
Ashby says Van Gilder's BYOD policy lays out employee responsibilities as well as the agency's. "We wanted to keep the policy simple. We wanted it to be strong legally, but we didn't want it to sound like a bunch of legal jargon," he says. It needs to be fluid as well, in anticipation of changes in technology.
One of the points on the BYOD policy is a carry-over from prior electronic access policies: Expect no right to privacy when it comes to e-mail. However, "BYOD muddies that," Ashby observes, "because our users are walking around with a device that has their personal Hotmail, Yahoo! or Gmail account on it. It also has their Van Gilder e-mail on it."
Because protection of client information is paramount, Ashby says the BYOD policy instructs employees to create a "time out" setting so the device will require a password to reactivate after a certain period of inactivity. Additionally, users are reminded they need to notify IT in a timely manner if they lose their device. "Even if the device is locked by a password, we want to use the tools we have to remove all corporate data," he says.
The BYOD policy also specifies that employees are solely responsible for the content of their devices—the apps they purchase as well as their personal data. Employees need to use whatever mechanism their manufacturer offers to keep their device backed up. "Van Gilder has the right to 'wipe' and remove any corporate data at any time for any reason," Ashby points out. In the process of doing that, he says, "it may blow their device back to the state it was in when they first took it out of the box. But if they're taking the appropriate steps to back it up, they reconnect it, resync it, restore it—minus the corporate data.
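The controls described above (an inactivity time-out that forces a password, and the ability to wipe corporate data from a lost or departing device) are the ones Exchange ActiveSync can enforce from the server rather than leave to each user to configure. The following is an added example, not Van Gilder's own configuration, showing how an Exchange 2010 (SP1 or later) administrator would push such a policy and carry out a wipe from the Exchange Management Shell. The policy name "BYOD-Standard", the mailbox "jdoe", the notification address and the 15-minute/10-attempt values are assumptions chosen for illustration.

```powershell
# Added example (not Van Gilder's configuration): enforce the BYOD device
# controls through an Exchange 2010 ActiveSync mailbox policy instead of
# relying on each user to set a time-out by hand. Policy, mailbox and
# e-mail names below are assumptions for illustration.

# 1. Create a policy that requires a device password, locks the device
#    after 15 minutes idle, wipes it after 10 failed unlock attempts,
#    requires storage encryption, and refuses devices that cannot apply
#    the policy at all (otherwise such devices would sync unprotected).
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign it to one mailbox, or make it the default for every mailbox
#    that has no explicit policy.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Standard"
Set-ActiveSyncMailboxPolicy -Identity "BYOD-Standard" -IsDefaultPolicy $true

# 3. Verify what is actually syncing and whether each device has applied
#    the policy. DeviceAccessState and IsRemoteWipeSupported tell you
#    which devices you could actually wipe if one were lost.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync,
                  DeviceAccessState, IsRemoteWipeSupported

# 4. A user reports a lost phone: find the partnership(s) for that device
#    and issue the wipe. The match on model name is an assumption; in
#    practice confirm the DeviceId with the user first.
# Caveat: on iOS and Android an ActiveSync wipe is a full factory reset,
# not a selective removal of corporate data, which is exactly the
# out-of-the-box state the policy warns users about.
Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceModel -like "iPhone*" } |
    ForEach-Object {
        Clear-ActiveSyncDevice -Identity $_.Identity `
            -NotificationEmailAddresses "it@example.com" -Confirm:$false
    }

# 5. Confirm the wipe was sent and, once the device next connects,
#    acknowledged. A wipe is only pending until DeviceWipeAckTime is set.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceModel, DeviceWipeSentTime, DeviceWipeAckTime
```

Two points a practitioner should keep in mind: a wipe is queued on the server and only executes when the device next contacts Exchange, so a thief who pulls the SIM or keeps the phone offline never receives it, which is why the device password and encryption settings matter more than the wipe itself; and a policy with `-AllowNonProvisionableDevices $false` will block any client that cannot honour the password requirements, so check step 3 before rolling the policy out to everyone.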
"Our BYOD policy outlines employees' responsibilities with respect to corporate data. Some of that data may fall under HIPAA or PII. They have a responsibility for protecting that data just as we do."
However, there's only so much an organization can foresee and attempt to control. With BYOD, the days of controlling the updates that went on employees' hardware are disappearing. "With these mobile devices that people individually own, we can't control that anymore," Ashby says. So "the shoe that is ready to fall" is some future Apple or Android update that "completely breaks everything we've done as far as our infrastructure is concerned to make sure our users can use that device for business purposes," he says.
"Where we used to have a highly controlled environment that allowed us to keep reliability levels high, BYOD brings with it support issues. We're venturing into an unknown area."
Ashby says this uncharted territory is addressed in Van Gilder's BYOD policy. "There have been several iOS updates and a few Android updates and nothing has broken—yet. But at some point I know something will. At that point users will have to be understanding while we get their devices back on track."
And with the likelihood that some outside entity's update will "break" the infrastructure that Ashby and his IT team have put in place, he foresees a time when IT support will become a collaborative effort between agency IT staff, the employee, and a third party such as the Apple store or the provider that supports an individual's device.
Dealing with "application creep" in a mobile environment isn't too different from what IT staff have dealt with at the desktop level. "People have a habit of bringing on software that ostensibly simplifies their job," Ashby notes. "With BYOD, that's even easier, given the ready access people have to apps from online stores. Some people would be shocked to discover the apps that have crept into their environment because of cloud computing."
Dropbox is a prime example, he continues. "They've had some significant security breaches in the past year. But we have customers as well as carriers that want to exchange information that way. At this point, there's really no good way to transfer large documents that are too big to go through encrypted e-mail (that's a topic for another conversation) so users turn to Dropbox. Before anyone on our network is allowed to use a program like Dropbox, our firewall throws up a Web page that alerts the user that the site may not be secure. It reminds them of HIPAA and PII and that what they're about to do may not be suitable. They have to acknowledge the warning before they can proceed. Their acknowledgement is logged and they're allowed to go to the site."
Rather than ignore application creep, Ashby recommends that organizations survey staff to find out what cloud services they're using. "Don't try to stop it," he cautions. Instead, "find out why they're using the applications and then find viable solutions that meet corporate security objectives."
Ashby hopes to avoid an environment where every e-mail and document that passes through the corporate firewall is examined for Social Security numbers, PII or HIPAA information and if that information is present, it is quarantined and not allowed out of the environment without a designated individual's approval. "We don't need to go there yet, but we do need to protect the corporation and customer data," he acknowledges.
"Mobility initiatives are important today, given what is going to happen tomorrow," he says, referring back to the CISCO study. "In just over a year's time, it's expected organizations will have between three and four devices per user connecting to their systems. That's a big deal. That's going to have a huge impact on IT budgets. With that on the horizon, traditional IT funding models aren't going to exist too much longer. Organizations will have to decide whether they're going to pay for their employees' devices and/or their voice and data plans.
"We're approaching a post-PC world and BYOD is a powerful trend. As the CISCO study points out, 'Work is an activity that people do, not a place to which they go . . . there's a blurring of the line between work time and personal time.' I try to avoid HR issues—the exempt vs. non-exempt employees and what you're obligated to pay people for when they work. I let the HR people work that out," he says with a smile.
"I just want to be an enabler where it makes sense," Ashby concludes, "and align our IT objectives with what Van Gilder is trying to do."