Tuesday, May 01, 2012

It's Mine, not Yours! (or IT's)

Folks, Bring Your Own Device (BYOD) is really all about users owning the equipment, and by association the base environment on that device.  It means that any other folks with a footprint, apps, or data on that device are guests and not owners.  And only the Owner should make decisions about the device.
That's not to say that IT organizations don't have the right to protect their data and applications - they absolutely do; but they need to do it without imposing on the Owner's right to use the device as/how they want to.

I'll point out a few failures of being a good guest in this context.  

I was talking to an IT professional not long ago about his company's policy on smartphones and tablets and was told that "Users can connect and use anything they want, as long as we can remotely wipe it."   If IT wipes my device and I lose my apps and personal data as a result, that's much like inviting a friend into my home and having them decide that they don't like my furnishings and packing them all up and taking them to the dump.  I'm left with an empty house because someone else didn't like my photos!

When I left a previous employer, I had an older Windows based Smartphone that had been configured to connect to the corporate Exchange environment (which worked quite well!) and to my personal Gmail account.  It was my personal device, but I wanted to read/reply to my work email and sync my calendar.  After my employer terminated my accounts the phone became very cranky about not being able to connect to Exchange.   When I removed the Exchange account from the phone it promptly deleted all of my contacts off the device - even those that were really part of the Gmail account, and the local phone book.   Suddenly I didn't have my father's phone number anymore.  Fail!  My device. My data.  Why should deciding to detach from corporate email remove my personal phonebook?  That's like my guest emptying my clothes closet when they leave because they brought some clothes with them.

I was working with a very nice client hypervisor which seems like a perfect solution for a consultant.  The idea is that I have a computer, I go onsite with a customer who provides me with a corporate VM for their environment and I use that to connect to their systems.  I keep my own stuff separate and never touch their net.  The problem here is in implementation - as soon as I connect my hypervisor to their environment to get the VM, the hypervisor marries itself to their systems.  I can't login to my own computer anymore without authenticating to the client's servers.  Further it can only marry to one client system at a time, and when you separate them all the VMs on my computer get deleted.  FAIL!  That's like a guest changing the locks when they arrive and bulldozing the house when they leave!

Many users choose not to connect to the corporate resources from their equipment because the cost of that guest is simply too high.  It's easier to have a separate phone or do without than it is to invite IT to come visit.

All of the above are examples of well-meaning folks trying to protect corporate data.  But the implementation and execution are simply wrong.  At least for BYOD.  If this were company hardware this would all be fine, but in all cases it was Mine, not Theirs.

So how do we become a better guest on someone else's machine?  How do we protect our data?

Well first things first - Users get to pick their own devices, just like they get to pick their own cars.  If it gets them to work then it's done its job.  That means we don't get to say "as long as we can remotely wipe it" or "as long as it's got Anti-Virus" ... (Yeah, I know that last hurts).

If we can accept the above premise, then we know we have to treat the device as an untrusted entity - that is, we can't trust the device not to do bad things, nor (really) not to disclose what it knows to someone we'd rather didn't know.  It's a little like having a party line and not knowing who else is listening.

As an untrusted device we don't want to store data on it.  We don't want to accept data from it, and we want to control what data it sees.  Hm... if only we had a way of offering corporate applications and data without actually sending or storing them on the PC/Tablet/Phone ... A way that we could control and filter what the device can see.

Ok, the above sounds fine, but I need to work offline? 

Well, the need to work disconnected does need to be evaluated; but if you have to, then it's time to think about protected, safe, trusted containers ... Endpoint Inspection (are you clean right now?), and data encryption not of the whole device, but of the corporate data with its own access controls.  These containers should have controls in place to prevent their 'leaking' and to facilitate their destruction, but in either case without harming the device or hindering its ability to concurrently entertain other guests.  It's ok if a guest wants to blow up their suitcase, as long as they don't blow up the guest-room too.
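The container idea above, as an added illustration that is not from the original post: corporate data is encrypted under a key only that container holds, so "destroying" the guest's data means deleting that one key, and the owner's phonebook is never touched. The HMAC-based keystream stands in for a real authenticated cipher such as AES-GCM, and the tenant name and sample contact are constructed.

```python
import hmac, hashlib, secrets

def _subkey(master, label):
    # Separate encryption and MAC keys derived from the container's master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; an illustrative stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class CorporateContainer:
    """Corporate data on a personal device; wipe() destroys only this container's key."""
    def __init__(self, tenant):
        self.tenant = tenant
        self._master = secrets.token_bytes(32)   # per-container key, never shared between guests
        self.blobs = {}                          # name -> (nonce, ciphertext, tag), stays on device
    def _require_key(self):
        if self._master is None:
            raise PermissionError(f"{self.tenant} container has been wiped")
    def store(self, name, plaintext):
        self._require_key()
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(self._master, b"enc"), nonce, len(plaintext))))
        tag = hmac.new(_subkey(self._master, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.blobs[name] = (nonce, ct, tag)
    def read(self, name):
        self._require_key()
        nonce, ct, tag = self.blobs[name]
        expected = hmac.new(_subkey(self._master, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("container blob failed integrity check")   # tamper / leak control
        return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(self._master, b"enc"), nonce, len(ct))))
    def wipe(self):
        self._master = None   # crypto-shred: blobs remain, but nothing on the device can decrypt them

def demo():
    # Constructed scenario: the owner's phonebook and one employer's container on the same device.
    personal = {"father": "555-0100"}                # constructed sample contact, the owner's data
    corp = CorporateContainer("acme")                # hypothetical employer name
    corp.store("calendar", b"Board meeting 09:00")
    before = corp.read("calendar")
    corp.wipe()                                      # the guest leaves; only its own key dies
    try:
        corp.read("calendar"); readable = True
    except PermissionError:
        readable = False
    return {"before": before, "corporate_readable_after_wipe": readable,
            "personal_intact": personal == {"father": "555-0100"}}
```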

Well, we can do that but our solution only works on <insert platform here>.

Sorry to say, that's a little like "I'll come visit, but only if your house is blue." If your solution is restrictive then it's not really a solution.   If the user can't pick the device they want, then it's not their device.  Sooner or later someone important will have a white house and you'll have to figure out how to make it work.  Better to get ahead of the curve on this one.

One last point here - End-User IT technology is a consumer commodity item these days.  Manufacturers market to your users, to your children, your spouse, and your executives.  They do not market to IT.  Consumers want what is sexy and hot today, not what IT tells them they should have.  Let's be clear, IT has already lost this battle.

So what do we do?  Well I suggest you invest in providing access that protects your data and applications.  That doesn't expose your data, or require trust of the end-user device.  And that allows flexibility and end-user choice. But in the end remember that the device is Mine, not Yours!


