The Australian National Audit Office’s high security requirements are reflected in its BYOx strategy. The agency set out to put a fleet of BlackBerrys, iPhones, iPads and Androids in the hands of employees as a means to improve productivity while also mitigating the significant risk that it brought.
“We operate to protected level and need to totally isolate workspaces,” says chief information officer Garry Pettigrove. In March, he migrated to BlackBerry 10 to manage its fleet of 50 agency-supplied BlackBerrys and other devices.
The deployment follows prevailing security advice in physically separating the personal and corporate lives of employees on devices. Some consumer applications are whitelisted and allowed to operate on the network, while others, such as Dropbox, are blacklisted and prohibited.
This decision is taken to ensure a supported standard operating environment where corporate data cannot be stored on consumer cloud services protected by possibly leaky credentials, or placed at risk by user privacy slipups or software vulnerabilities.
Users can do whatever they like on their side of the security wall. “I don’t care what they do on their side,” Pettigrove says. “It gives them the freedom to do what they need to do for their own productivity without compromising corporate data.”
Data cannot be copied from one side to the other, and security systems including data leak prevention stop users emailing or uploading corporate data out of the ANAO, unless it is through the federal government’s Fedline mail system.
Pettigrove can also nuke corporate data on any device when employees resign. For a security-conscious organisation, he seems relaxed with the realities of BYOx and plans to build out the system further to allow staff to securely send data from their computers to phones and tablets.
Sometimes security is a matter of black and white. Staff walking the likes of Dropbox, Evernote or Google Drive into an organisation should face a checkpoint bearing the question: is this app approved? A whitelist tick means the app can run on the corporate network while a cross might result in a blacklist ban.
One of Australia’s best-known utilities runs an innovation sandbox where staff are invited to put their favourite apps up for assessment to become part of the company’s officially endorsed kit. “They created a working group who would review these apps, standardise some and then perhaps buy that app in bulk under an enterprise licence,” IBRS analyst Joseph Sweeney says. The communications specialist cannot disclose the name of his client but says they are mature and well resourced in their BYOx deployment.
The system has support from executives, who are themselves BYOx users and enjoy the ability to have their most productive apps sanctioned by the security team and run over the mobile device management system. Apps that do not gain approval are not blacklisted – which could hinder the performance benefits of BYOx – but are instead run inside a safe container within the mobile device management platform.
Organisations should begin their BYOx assessments by asking staff what apps they “have in their pockets” to avoid shoving the wrong apps down their throats. Security aside, most employees already use their apps effectively and efficiently and do not need IT staff giving them new apps to work with.
The most difficult component of the project was budgeting; the apps cost mere cents so projects can’t generally be funded by a discretionary budget. Sweeney says it requires a new form of budgeting framework that needs to be worked out. “That’s the real show stopper,” he says.
Having mobile device managers and zoning networks into distinct areas of personal and corporate data were important to BYOx deployments, but so too was the need for education. A veteran security manager at one of the world’s biggest pharmaceutical organisations told CRN – on the condition of anonymity – that many of her security programs succeeded by focusing on the human. For her BYOx deployment, she ensured each of the organisation’s thousands of global staff were trained in handling sensitive information as part of orientation and were retested periodically on that training. It was a huge success, she says.
“All of the 400 staff who responded to our security survey were positive,” she says. “They would go home and find potential risks in all sorts of apps they use and apply their knowledge to their personal lives.” She asks staff a simple question: ‘Would you be happy if your office was on the front page of a newspaper for a breach?’
The opportunity of the channel in BYOx security is about communicating the need to control, but not the free use of apps and devices. Martin Claridge, network solutions director for Avaya, says BYOx is a conflict of universal access, openness and useability. “The conflicting security needs may be summed as the business’ regulatory requirements, privacy obligations, fiscal security and auditability of transactions, through to protection of intellectual property,” Claridge says.
He says to create a BYOx implementation with acceptable security, resellers must focus and direct customers through a consultative selling process to resolve policy and process definitions while isolating and separating an owner’s personal property and information. Resellers and service providers must educate their customers that they do not ‘own’ a user’s personal device and have no inherent right to know how or where it is used.
This, Claridge says, is the single biggest challenge he sees and runs counter to corporate security practices that are built on policies of access denial. “There is a large and highly profitable market developing around identifying management of individuals, devices and applications that we believe is driving our resellers, the market and the end users to transition to a new way of thinking about how we work, where and with what,” he says.
“Identity management and BYOx is occurring at the same time as we have a massive market dynamic moving our method of access for our apps and devices from a fixed connectivity model [wires and switches] to a more connected wireless access model in a virtualised ‘cloud’ method of service provision.
“Resellers and service providers have a unique opportunity – admittedly requiring up-skilling – to take on unified access, identity management, and application virtualisation for business.”
Customers need to be brought out of thinking of BYOx as a matter of tracking and wiping phones and start seeing it as a way of properly securing applications by way of sandboxing and private app stores.
“Education of customers is key,” says Pang. “Many IT managers still think that mobile device management is limited to remote wiping phones or tracking their location [but] these days it can help you set up sandboxes to secure unknown applications, build private app stores for your employees and securely deliver internal apps to your mobiles.”
By understanding customer goals and risk tolerances, resellers and managed service providers can deliver solutions to boost productivity without unnecessary risk.