This document discusses preparing for "Bring Your Own Device" (BYOD) in corporate IT environments. It notes that corporate IT departments have largely lost the ability to restrict which devices employees use and that there is now a wide variety of devices. The solution is for IT to accept this diversity and focus on securing access to corporate information on different devices rather than trying to manage each device directly. The document recommends taking a risk-based approach and creating a matrix to define how different applications and information can be accessed securely from different device classes through options like secure browsers, virtual desktops, or custom apps. While securing access across many devices is challenging, the document argues it is more feasible than attempting to manage or restrict each individual device type.

1. Be prepared for BYOD
06.06.2011 by Martin Kuppinger
BYOD: Again one of these acronyms. It stands for “Bring Your Own Device”. You’d also say that it
stands for IT departments accepting that they’ve lost against their users. They have lost the
discussion about which devices shall be allowed in corporate environments. When I travel by train,
I observe an impressive number of different devices being used. There are Windows notebooks,
netbooks, iPads, iBooks, other types of “pads”, smartphones,…
For a long time corporate IT departments have tried to limit the number of devices to a small list,
thus being able to manage and secure them. However, the reality especially in the world of mobile
devices proves that most IT departments have failed. For sure many have restricted the access to
corporate eMail to Blackberry devices. But many haven’t managed to achieve that target. And the
popularity of Apple devices increases the heterogenity of devices being used by employees.
It increasingly looks like the solution only can be acceptance. Accept, that users want to use
different types of devices. Accept that the innovation especially around smartphones and pads is far
quicker than corporate IT departments can adopt their management tools.
At first glance that sounds like a nightmare for corporate IT departments. How to manage these
devices? How to secure the devices? However, it is not about managing or securing the devices.
That would be “technology security”. It is about managing and securing information, e.g.
“information security”. It’s about the I in IT, not the T. Thus, we have to look at when to allow
access to which information using which tool.
To do this, a simple matrix might be the starting point. The first column contains the classes of
devices – notably not every single device. The first row contains the applications and information
being used. In the cells you can define the requirements, based on the risk score of both the devices
and the information. In some cases you might allow access based on secure browser connections, in
others you might require to use virtual desktop connections. In others you might end up with having
to build a specialized app. However, if banks are able to secure online banking on smartphones,
why shouldn’t you be able to secure your corporate information on these devices?
You might argue that building apps or deploying desktop virtualization is quite expensive. However,
trying to manage all these different devices or trying to restrict the devices allowed is expensive as
well – and much more likely to fail. I don’t say that it is easy to protect your corporate information
in a heterogeneous environment, supporting BYOD. But it is much more likely to be feasible than
to manage and secure any single device – given the increasing number of these devices, the speed of
innovation, and the simple fact that corporations don’t own all these devices.
Thus it is about preparing for BYOD by providing a set of secure paths to access corporate
information and to protect that information – and by understanding how to protect which
information where. When you start with BYOD, do it risk-based.