Organizations today are being forced to come to terms with bring-your-own-device (BYOD) challenges, and associated issues, due to increasing user familiarity and dependence on smart devices.
That said, users and organizations need to fully understand BYOD issues and challenges before jumping onto the BYOD bandwagon. These issues include security risks from data leakage; financial risks from device cost or support/network contracts; and, compromised compliance/certifications from using sensitive services (location services, GPS etc.). Here is what Gartner feels, are the key issues in BYOD adoption in this context.
Motivation for BYOD adoption and linked challenges
The primary motivation for BYOD is attributable to employee-owned devices offering ways to perform job roles more effectively. Further, budget tightening is forcing enterprises to 'sweat' existing assets, extending refresh cycles. Users are finding they have better technology at home, and the performance gap between company-owned and employee-owned devices is ever increasing.
Well framed, comprehensive BYOD policies addressing these issues and challenges can help shift cost to the users and reduce support burden on IT for non-strategic devices. Plus, a formal BYOD program is a great way to control rogue devices that have always existed on the network and these policies can be extended to contractors/outsiders connecting to the company's network.
Existing policies are often unbalanced, fragmented or contradictory; focusing too much on notebook BYOD issues and not enough on securing smart-phones, tablets or new end-points. when addressing, in terms of securing smart-phones, tablets and new devices in the market, since they. Moreover, a lack of mobile device management (MDM) frameworks leaves gaping security and support holes and is a big BYOD challenge.
BYOD in organizations today is largely a 'don't ask/don't tell affair' users do what they can, because they can. Exceptions rank high among BYOD issues. Indeed, exceptions for devices belonging to senior executives or high-value employees have probably already been made in your organization.
Advice and insights for CIOs
Business considerations for BYOD
While BYOD is becoming pervasive, it might not be appropriate everywhere; for instance, in high security or business-critical environments, there can be no substitute for company-owned hardware. Also, BYOD might be suitable only for certain types of employees. The level of technical literacy of an employee is also a challenge for BYOD, since employees might be unable to deal with the self-service nature of these devices.
Prior to instituting formal BYOD, issues related to regulatory, security, compliance and SLA matters need to be reviewed. Remember that an employee's personal liability and the company's obligation to its investors or customers may not always be linked. Consider that the loss of user-owned devices carrying sensitive data might lead to serious trust deficits that might be difficult to recover from.. If you lack adequate MDM and data protection controls, instituting a BYOD program might backfire.
The cost versus saving equation for BYOD programs is an issue depending largely on the specific platforms (PC, tablets and smart-phones) and infrastructure considerations required to provide adequate protection to enterprise assets. Rather than net saving, focus on auxiliary benefits such as IT not having to manage nonstrategic assets and being able to focus on high-value, high-ROI initiatives.
Even if you haven't considered BYOD yet, a key goal should be to develop endpoint independence to prevent getting tied down to only specific types or device categories. New strategic architecture needs to be conceptualized to address BYOD issues such as minimizing support costs and maximizing security. Addressing architecture is the only long-term way of addressing device diversity.; with the alternative being ad-hoc solutions that increase costs, strain support and compromise security.
Given that users can be anywhere and on multiple devices, a single no-holds-barred level of access is no longer tenable. Ideally, mobile access to company resources should only be granted incrementally, based on user and endpoint evaluation in BYOD, a challenge that can be overcome by using criteria such as differing levels of authentication, device fingerprints, location, and so on.
Proliferation of device/ownership choices also requires that the organization's application delivery architecture be revamped to keep corporate and consumer computing separate. BYOD issues around administering diverse environments will require segmented, policy-controlled architectures, where application delivery focuses on isolating company data rather than targeting complete device control.
Keeping all enterprise data off endpoints is a major BYOD challenge. Wherever that is not possible, insist on encryption. Approaches such as Web apps, virtualized apps and hosted virtual desktops may be used on the server side, complemented on the client side by secure access clients, sandboxes, thin clients and trusted computing devices/dongles.
More recommendations from Kleynhans' talk
In the final analysis, launching BYOD is challenging, and requires a thorough due diligence on your organization's readiness, putting equal emphasis on technology, policy and support issues. Extend existing policies wherever possible and ensure that the full range of interested parties such as IT, business, HR and legal are involved to cover all contingencies and legal requirements. Further, your policies need to define clearly what can and cannot be done with employee-owned devices; the level of enterprise network access; privacy restrictions; exceptions; penalties; and, most importantly, liabilities.
This tip is based on a talk on challenges and issues surrounding BYOD adoption, by Stephen Kleynhans, Research VP, Gartner, at the Gartner IT Infrastructure Operations & Data Center Summit 2012 in Mumbai.
Business considerations for BYOD
This was first published in June 2012