BYOD: How to Achieve a Win-Win for Employee and Enterprise
Author(s): Premkrishnan Venkatasubramanian, Posted on December 23rd, 2014
According to the Wikipedia article on Bring Your Own Device (BYOD), the term began to gain prominence in 2011 when Unisys and Citrix Systems shared their perceptions of the trend. According to IDC, the smartphone market has nearly tripled since 2011 and is expected to reach total shipments of 1.3 billion for 2014. Given this level of smartphone proliferation, one would expect BYOD to have become the norm at most enterprises over the past three years. However, ground realities paint a different picture. A recent survey by Ovum and Dimension Data, "More than half of businesses still without BYOD plan", indicates that 70% of respondent organizations do not have a formal BYOD policy. So what has gone wrong? Why hasn't the growth of BYOD mirrored the explosive growth of smartphones?
The answer could be that BYOD has always been a 'conflict zone' between enterprise IT departments and employees. IT departments fear that BYOD can provide a new channel for malware, since they cannot control which devices are used to access the network. As a result, BYOD, even if permitted, comes with several restrictions. Employees, on the other hand, do not like the IT department telling them what is an acceptable use of their own devices. This has resulted in a tug-of-war that hampers BYOD adoption.
Enterprise mobility solutions that aim to tackle this problem can be classified by the granularity of the surface they secure. Let us first look at solutions that operate at the mobile device level. MDM (Mobile Device Management) involves running a management layer (usually a software agent) on the device, which facilitates remote management of the device. MDM solutions are offered by several leading software vendors. Though popular among IT teams, MDM can lead to privacy concerns for employees, since the agent has visibility into and control over the whole device, personal apps and data included.
Device-level VPNs (Virtual Private Networks) encrypt data from the device to the enterprise edge. These VPNs usually permit split-tunneling, so that only traffic destined for the enterprise goes through the VPN tunnel and all other traffic is sent in the clear. This may seem an acceptable approach, but many IT administrators still avoid it, fearing that data may leak from other apps (possibly malware) into the corporate network, or that other apps may sniff data sent to the enterprise.
An evolution of the device-level VPN approach is the Persona approach, which secures 'compartments of apps and data' rather than the entire device. In this approach, the user can switch between Home and Work personas, and is presented with the data and apps for that persona only. However, switching personas can quickly become cumbersome.
Finally, at the finest level of granularity is the per-app VPN approach, in which each individual mobile application has its own secure tunnel to the enterprise edge. An enhancement of this approach is app-wrapping, in which the app binary is wrapped with specific policies (user authentication, location masking, encryption of data-at-rest, detection of jailbreaking/rooting, and others) without any code changes. This approach reduces the surface area of enterprise management to individual applications rather than the entire device. From an employee perspective, only the enterprise apps on the mobile device are wrapped and secured. Personal apps are left outside the ambit of enterprise control, thus alleviating any privacy concerns.
Is app-wrapping alone sufficient? Wrapped apps authenticate the user, but thereafter present a uniform interface irrespective of the user's identity. However, not all users have identical access rights to servers in the datacenter. Also, app-wrapping secures data only as far as the enterprise edge, leaving data within the datacenter in the clear and vulnerable to insider attacks. This definitely poses a problem, especially for mission-critical enterprises. So, to strengthen app-wrapping, it can be complemented with an identity-based access control solution that extends encryption all the way to the destination server in the datacenter. One such solution is Unisys Stealth for Mobile. This approach ensures that servers in the datacenter are accessible only to authorized users, while remaining dark to everyone else.
This approach (app-wrapping combined with identity-based access control) addresses the BYOD concerns of both enterprise and employee. Enterprises can give mobile users access to their crown-jewel applications in the datacenter through specifically wrapped apps, without taking on the burden of managing the entire device. Data in motion is encrypted across the Internet as well as within the enterprise, securing it from eavesdroppers. Employees, for their part, get anytime, anywhere access to enterprise apps from their own devices, without having to cede control of their personal apps and data. Definitely a win-win solution.
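The difference between the two designs described above is easier to see in code. The following is an added illustration written for this post, not code from Unisys Stealth or any other product: it models a request travelling app -> enterprise edge -> datacenter server under (a) a per-app tunnel that terminates at the edge and (b) an identity-based design where the key is bound to the (user, server) pair. The identities, the ACL, the root secret and the HMAC-SHA256-based encrypt-then-MAC construction are all constructed assumptions for the model (a real deployment would use a proper AEAD cipher and an identity provider); the point is where plaintext exists and how an unauthorized identity gets no response at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: which identities may reach which datacenter servers.
# In a real deployment these mappings come from the identity provider.
ACL = {
    "alice@example.com": {"payroll-db"},
    "bob@example.com": {"crm-api"},
}
# Constructed root secret shared by the key-derivation authority and the servers.
ROOT_SECRET = b"constructed-root-secret-do-not-reuse"
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(identity: str, server: str) -> bytes:
    """Key bound to one (identity, server) pair, derived with HMAC-SHA256 (model assumption)."""
    return hmac.new(ROOT_SECRET, f"{identity}|{server}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; stands in for a real AEAD cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def edge_terminated_path(identity: str, payload: bytes) -> dict:
    """Per-app VPN only: the tunnel ends at the enterprise edge.

    Returns what an observer sees on each hop. The edge decrypts and then
    forwards the request to the datacenter server in the clear.
    """
    tunnel_key = derive_key(identity, "enterprise-edge")
    on_internet = encrypt(tunnel_key, payload)
    at_edge = decrypt(tunnel_key, on_internet)
    return {"internet": on_internet, "datacenter": at_edge}


def end_to_end_path(identity: str, server: str, payload: bytes) -> dict:
    """Identity-based access control: the key is bound to (identity, server),
    so the edge merely forwards and the datacenter hop still carries ciphertext."""
    blob = encrypt(derive_key(identity, server), payload)
    return {"internet": blob, "datacenter": blob}


def insider_can_read(path: dict, payload: bytes) -> bool:
    """True if someone sniffing the datacenter segment sees the request plaintext."""
    return path["datacenter"] == payload


def server_receive(server: str, claimed_identity: str, blob: bytes):
    """What the datacenter server does with an incoming request.

    Unauthorized identities get no response at all (the server stays dark), and a
    blob not produced under the claimed identity's key fails the tag check, so a
    caller cannot borrow another user's access merely by asserting that user's name.
    """
    if server not in ACL.get(claimed_identity, set()):
        return None
    return decrypt(derive_key(claimed_identity, server), blob)


if __name__ == "__main__":
    req = b"SELECT salary FROM payroll WHERE emp=42"  # constructed request
    print("edge-terminated, insider reads:", insider_can_read(edge_terminated_path("alice@example.com", req), req))
    e2e = end_to_end_path("alice@example.com", "payroll-db", req)
    print("end-to-end, insider reads:", insider_can_read(e2e, req))
    print("server answers alice:", server_receive("payroll-db", "alice@example.com", e2e["datacenter"]))
    print("server answers bob:", server_receive("payroll-db", "bob@example.com", e2e["datacenter"]))
```

Running the script shows the edge-terminated path exposing the request on the datacenter segment while the end-to-end path does not, and shows the server answering only the identity the ACL lists for it. Note that the authorization decision and the cryptographic binding reinforce each other: the ACL check alone could be fooled by a forged identity claim, but without the matching key the tag check fails and the server still returns nothing.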