Incorporating BYOD, Non-Traditional Devices in the Hybrid Workspace
The traditional workplace, dominated by Windows-based desktops and laptops, has suddenly given way to a new workspace featuring a hybrid blend of form factors, platforms and work styles. We refer to this new world as the User Workspace, and it covers mobile devices, tablets, desktops, laptops, Windows, Mac, Android, iOS and much more. Today's users are no longer restricted to one device or one platform, or even one application - they expect to be able to work on every device, whether it is personally owned or provided by their company.
Of course, this brings with it a whole new world of challenges and concerns - what about security, liability, privacy, access and support? In this article, I will take a look at the challenge of managing the User Workspace, and some approaches that might work for you.
Why even consider BYOD? Until now, IT has been built on a history of carefully planned and prepared computing devices, centrally managed with understood limits on personal use and accepted liability exposure, right? Well, that might be the perceived wisdom, but the reality is that putting any device in the hands of a user is a risk, and users have found ways to circumvent controls and do it for themselves, forever.
Today's wave of tech-savvy users who employ cloud-hosted, low-cost services for everything from e-mail to file storage, CRM to travel, as well as productivity apps in their personal lives, don't think twice about circumventing IT if they need something to get the job done in their professional lives. This wave of consumerization extends to devices too. In their personal lives, users alternate between tablets, phones and various types of desktops, and increasingly use browser and mobile apps. They expect the same in the workplace, and progressive employers encourage this more flexible style of working, because it attracts the brightest, most free-thinking employees, and enables greater productivity and extended working hours.
The fact is that consumerization and new devices are coming whether you like them or not. Extreme commentators will say that no matter what security controls you put in place, users will always circumvent them as long as they have web access, or even just wireless internet. I've heard it said that attempting to manage every endpoint is a pointless strategy, so the focus should be on identity and data access policy. These are important, but some organizations simply have to go further, whether to comply with government regulations or legal requirements, or to reduce the risk of losing confidential information.
The first thing you have to decide is what balance of user freedom and corporate control will work for your organization. Privacy and security concerns are paramount, so the first decision is whether to allow corporate data to be stored and accessed by unmanaged devices, or whether you are going to lock everything down and extend the security perimeter onto devices outside the network in a very controlled way. For example, you might provide an e-mail gateway that allows access to corporate email and attachments on employee-owned devices, but you must understand this means corporate data can be easily copied and lost. Alternatively, you might use a client-hosted desktop virtualization solution with encryption and secure communication to place a sandbox on the end-user device (a PC or Mac laptop) that can be remotely wiped, and does not allow data in or out, except to connect to the corporate HQ.
Another way to enforce strong corporate control, when appropriate, is to provide employees with corporate-owned laptops, but remove the administrator rights except for preapproved operations through careful policy control. This not only provides more security (since users cannot make changes to make laptops less secure) but also reduces help desk costs. It is, however, likely to be unpopular since it takes away a lot of user freedom.
An approach I like very much is keeping corporate data in the datacenter at all times, rather than at the endpoint. Using remote display technology (which is now well advanced), it is possible to securely access applications and data from anywhere, on any device, but without communicating anything other than the user interface of the application. This technique is nothing new, but is gaining a new wave of awareness with the buzz around BYOD and desktop virtualization, in general. It requires investment in server hardware and licensing, and works only for Windows applications, but it does provide a tried-and-proven solution to the security and access problems, and enables safe use of BYOD and non-traditional devices. Another downside is that some Windows applications don't behave well in these environments, but there now are automated testing and remediation tools to help prepare these apps for all types of virtualization.
Another part of the balancing act between user freedom and corporate control is determining how much the devices are managed, especially when you extend existing desktop and network management solutions to reach mobile devices and non-Windows computers. For example, you might implement a corporate policy allowing the use of employee-owned devices, but only if they are added to an inventory of managed and protected devices with secure remote wipe capability in the event of theft or loss. Not all employees will agree to have their personal devices managed in this way, but if it's a condition of being able work more productively and is minimally invasive, it might be an acceptable compromise that protects the interests of the organization.
The final consideration here is cost. Some organizations have suggested that since the majority of their employees own smart phones anyway, corporate services should be made available in a BYOD program, and employees should no longer be provided with company phones. On the face of it, this saves hardware and support costs, and shifts the burden to the employees. However, this has to be balanced with loss of control and exposure to liability. Some lawyers have even questioned where the ownership of data lies once it has been willingly transferred outside of corporate control, and whether this violates things like supplier contracts, customer privacy notices and government regulations. A risk analysis should definitely be part of any cost analysis when introducing a BYOD program, since the hidden costs might outweigh the hardware savings.
In summary, consumerization and the increase in computing power of user-owned devices are here to stay, and your choice is how much to embrace them. I've tried to outline some of the User Workspace Management solutions that can be used to define the balance between user freedom and corporate control so that BYOD can be embraced in a controlled and productive way. With the right policy decisions and selection of management solutions, you can take your organization into the future and embrace the new user workspace.
Posted by Jon Rolls on 08/08/2012 at 12:49 PM