This document discusses enabling bring your own device (BYOD) policies in organizations. It argues that BYOD is inevitable as employees now always have powerful mobile devices and want to use them for work. The document advocates taking a risk-based approach to mobile security and embracing, rather than resisting, mobile technologies and "shadow IT." It suggests implementing secure containers to access organizational data from personal devices in order to avoid employees finding unsafe workarounds. The overall message is that blocking mobile access to data is futile and organizations should focus on facilitating secure information flow to any device.
1. Richard Copley MSc, PGCert, BSc, SMSITM @Copley_Rich
Is it Safe?
Yes it is – so get out of the way of the data flow…
1. Why ‘do’ mobile at all?
2. Is it Safe?
3. Your responsibility is to take a risk based approach.
Let’s quickly remind ourselves what the business drivers look like…
• Collaborating with partners becomes easy – e.g. health integration opportunities
• Engaging the Deskless Workers
• DR/BCP in the cloud
• Work/life balance (and VIP iPhones)
So field workers are more productive if they have some tech? Pretty obvious, but hardly ground-breaking. There’s so much more that mobile brings in addition to efficiency savings…
A few examples
It’s all about facilitating the information flow… In Local Gov we deliver many, many different services and have A LOT of information, perhaps a more complex information landscape than any other organisation. IT’S COMPLICATED.
The IT department’s job is to get out of the way and let the information flow…
It’s all about information – how we create it, how we store it, how we protect it, how we share it and how we exploit it. Clever exploitation of information and technology will help Local Government and the wider public sector not just to survive, but to thrive.
Information is the lifeblood of any organisation and, as is the case with actual blood, the consequences of the flow being blocked are just as serious as the consequences of some leaking out.
And by wilfully (or otherwise) interpreting the security rules in the wrong way you are blocking the flow.
But it’s not safe, is it?
OFFICIAL has added confusion where it was supposed to simplify. Despite what suppliers may tell you, there’s no such thing as OFFICIAL (SENSITIVE), and IL2 and IL3 are still here…
There’s no certainty – everything is changing very quickly.
• PSN’s Putin-style land-grab appears to be over, and PSN is withdrawing to a more natural position
• IG Toolkit (and other compliance pieces) will need to fill the gap
• PSN CoCo controls are merely guidelines
• Case studies please GDS!!!
The old way: the ‘Surly Bouncer’ model
If your name’s not down you’re not coming in
The new way: ‘Data Inside, Devices Outside’ (D.I.D.O)
Or ‘Internet by Default’
Your responsibility is to take a risk-based approach
100% of your employees have a powerful computer in their pocket – and they have this with them 100% of the time.
In addition, lots of them would like to use their mobile devices for work (nobody wants to carry 2 devices around).
According to Computing Research, 70 per cent of IT leaders still place themselves in the "hold on" camp when describing their attitude to the idea of allowing devices into the workplace that are not fully controlled by the IT department. With 80 per cent saying the same thing three years ago, progress on the BYOD front has not been as swift as many anticipated. Some 50 per cent believe that in three years' time they will still be asking employees to "hold on" when using unsecured devices. But why do only 30 per cent of IT leaders currently believe it's time to "let go" and devolve responsibility for devices to the users and business units?
Embrace the Shadow Tech
Nobody will ever be forced to BYOD – but if they want to, why would you try to stop them?
We’ve been here before
[Diagram: Customer, Shadow Tech 1.0, IT Dept.]
New Shadow Tech
[Diagram: Customer, IT Dept., Shadow Tech 2.0]
BYOD is not a tide that the IT Department should be attempting to hold back – it’s futile. If you don’t enable access to Council data from smartphones and tablets then your data is at risk. If you don’t find a secure way to give your users the convenience of access from the devices that they know and love then they will find a way to go around the IT Department:
“Fine, I’ll just send the document to my Gmail account!”
Aaaarghhhh! The data has left the network and is now in the wild. This is not the kind of behaviour that you want to encourage, but that’s just what you’re doing if you don’t give your users an alternative. BYOD is here to stay and your users will do it, either with you or despite you. Make sure it’s the former.
“A ship is safe in the harbour – but that’s not what ships are for.”
Information is safe on a server – but that’s not what information is for.
1. All devices are ‘mobile’ now
2. Trust the device, implement a secure container for the data
3. Run good network config - then the rules are the same across mobile and desktop
Thank you – any questions?