byod: six essentials for success

1DMI WHITE PAPER

The BYOD (Bring Your Own Device) consumerization of IT is here to stay. The allure of incredibly powerful, easy-to-use handheld devices, constant global connectivity, and an app for everything have given rise to a stunning consumer-driven transformation of the IT landscape. According to IDC, 56% of the business smartphones shipped in 2013 will be employee-owned.1 By 2016, up to 85% of enterprise employees worldwide will be using smartphones or tablets—as high as 95% at many large corporations.2

But as thousands of unmanaged devices connect to networks, CIOs are losing sleep, and IT organizations are struggling to catch up. In the “old world” of laptop PCs, it was already difficult for IT to safeguard networks, keep track of corporate data and protect it from loss or theft—even with near total control of procurement, provisioning and security for PCs. With the BYOD phenomenon, employees are making their own purchasing and provisioning decisions without concern for security or support. Without enhanced protection, these devices are less secure than PCs, and their small form factor makes them particularly susceptible to loss and theft.

This paper outlines 6 essential factors that must be considered to create a successful enterprise-wide BYOD strategy and policy. It outlines several key issues that must be addressed to arrive at secure, usable, manageable mobile solutions. This is much more than a technology challenge. Business policy, legal policy, management and governance are all involved, along with technology selection and deployment. BYOD solutions will vary widely from organization to organization, but the issues that all enterprises must address are outlined here.

BYOD:SIX ESSENTIALS FOR SUCCESS

1 IDC Research, November 20112 ABI Research, “Enterprise Mobility Management Services for Smartphones and Media Tablets,” October 2011

2

BYOD: Six Essentials for Success

DMI WHITE PAPER

Essential 1: Understand Your Current Environment and Business RequirementsSuccessful execution of a BYOD strategy requires the development of a comprehensive framework of policies to cover the business, legal, technical and governance issues that arise when integrating employee-owned devices into the enterprise. But these policies cannot be developed without a clear assessment of the current environment and a roadmap for future requirements. Gathering information from management and directly surveying users will help build a meaningful picture of the current environment and guide the development of BYOD and broader mobile device policies. A few key questions include:

What is a company’s goal for implementing a BYOD policy? It is employee satisfaction, flexibility, cost savings, or some other objective?

What distinct segments of mobile users can be identified in the organization?

What information and applications need to be accessed by each of those segments?

What levels of security will need to be applied to this information?

What are the data usage requirements of each user segment?

What travel requirements and other environmental factors need to be considered?

These questions only scratch the surface of the information needed to develop a useful understanding of the current environment, but they offer a glance at the sort of picture that needs to be painted in order to develop policies that map to real business requirements.

Once an understanding of the current environment and future requirements is developed, it’s time to draft the policies that will govern the introduction and use of employee-owned devices within the organization.

3


DMI WHITE PAPER

Essential 2: Build a Business Policy FrameworkArmed with an understanding of user and security requirements, a policy framework can be drafted to address the following business policy questions:

SOURCING: Can employees purchase devices anywhere or just from preferred vendors? This policy may well vary based on user segment and location, with varying data usage needs, travel, environmental, security and other requirements factored in. Executives might be encouraged or required to purchase from one set of devices, sales from different set, and mobile service personnel from yet another.

SUPPORTING DEVICES: This is one of the most important but often overlooked aspects of a BYOD policy. It’s unrealistic to expect your IT team to support every device that could be purchased by employees. IT will need to determine which devices it is willing to support. It may be that a tiered structure is called for—no support for “not-allowed” devices, limited support for “allowed devices,” and a higher level of support for “recommended” devices.

GEO-FENCING: It may be that security or data use requirements necessitate policies to govern device use within predefined geographical areas. Everything might be allowable in your native region, but in other areas restrictions might apply that govern data usage levels, data access levels, or both.

BANDWIDTH THROTTLING: For corporate-sponsored data plans, will bandwidth be limited to a predetermined level for various user segments? What happens when limits are met? Is data cut off? Is the employee required to secure special approval or to pay for data use beyond a certain limit? Which policies apply to which user segments? There could be exceptions to policies, for example policies for employees who are travelling internationally might be different from domestic policies.

BUSINESS SUPPORT VS. PERSONAL SUPPORT: For an employee-owned device that accesses personal data and applications as well as business data and applications, how far will IT support extend? Will the organization support all calls from the employee about the device? What constitutes a personal support issue vs. a corporate support issue? Does the policy vary by user segment?

DEVICE LOSS: If an employee-owned device is lost, stolen or broken while being used for business, what’s the policy? Can data be wiped from the device? How much control does IT have? Can they try to locate the device? How do you tread the fine line between privacy and security? And for employee-owned devices, what’s the policy for replacement or repair? Many companies view BYOD as a cost-saving initiative but based on how these questions are answered it may actually increase costs.

REIMBURSEMENT: How will employees be reimbursed for devices and/or data plans? A broad range of options exist, from total coverage of devices and unlimited data, to reimbursing employees for data expenses up to a certain preset level. Do employees submit a reimbursement for their expenses or do they get a fixed amount/allowance? What happens when employees exceed the data plan? Once again, different policies are likely to apply to different user segments.

4


DMI WHITE PAPER

Essential 3: Build a Legal Policy FrameworkThe introduction of employee-owned devices into the enterprise environment, and the presence of enterprise data on personal devices, will immediately give rise to legal issues. Policies must be outlined in advance to avoid costly mistakes.

RESPONSIBILITIES: Does an employee using a device with corporate apps and data have a certain responsibility to protect the device? What if reasonable or required precautions are not taken to protect the device? What if they are but information is still compromised?

RIGHTS: What rights does the employee have to protect his/her private data? What rights does the organization have to protect its data? What if a disgruntled employee leaves the company with a device that contains—or may contain—sensitive corporate information? What actions can the company take to protect itself? Can an organization delete information and applications housed within a secure corporate container at any time without notice? The legal rights of employees and organizations differ from country to country and have to be customized to meet applicable regulatory and privacy requirements.

LIABILITY: Is the company liable if some action on its part results in exposure or loss of private data? Is the employee liable if corporate information is lost? What if the employee is following the required security policy, like password protecting the device? Does that remove liability? In a different vein, is the company liable if the employee uses his/her device for illegal/unethical practices in personal time?

5


DMI WHITE PAPER

Essential 4: Build a Security and Technical Policy FrameworkTechnical issues abound for BYOD implementations. As is the case for business and legal policies, no single approach is best for all organizations, environments and users. Regardless of your specific business characteristics, the following issues should be considered in light of user segmentation and business and security requirements.

DEVICE ACQUISITION: When employees purchase new devices, technical considerations may influence policy for device acquisition. Specific hardware or operating system requirements may favor the purchase of particular devices, may influence the selection of a particular vendor, or may require a particular vendor to supply devices that have already been provisioned to your organization’s specifications.

SECURITY: One of the most challenging technical issues in BYOD is balancing security and risk. A successful IT strategy for BYOD security might involve applying different security policies and technologies to different user segments. IT security requirements for a typical employee accessing e-mail could reasonably be lower than those for an executive accessing sensitive enterprise data. Applying the same security policy to both user segments could be unwieldy and expensive. At the same time, however, applying multiple policies and technologies can be complicated and must be carefully coordinated by IT.

A broad range of security technologies can be applied as needed: physical device security; secure containers and sandboxes to isolate sensitive data and applications; solutions to protect data at rest and data in transit; solutions to safeguard network connectivity. An in-depth discussion of these technologies is beyond the scope of this white paper. The point is that these technologies and solutions will need to be mapped to specific user segment security requirements.

This concept is represented in the accompanying spider chart. Each user segment is likely to have a distinct security requirements map. One segment may have a high requirement for secure email and productivity tools while another may need secure access to a set of custom apps. All might need a certain level of security applied to the mobile device itself. Technologies deployed—and associated costs—will apply accordingly.

SPECTRUM OF MOBILE DEVICE SECURITY OPTIONS

SECURITY REQUIREMENTS

BY SEGMENT

6


DMI WHITE PAPER

DEVICE PARTITIONS: This user segment-based approach maps well to the use of device partitions and personas to support flexible application of security privileges. A growing number of devices are designed to support multiple user personas. Secure containers can also be used to isolate the data and applications associated with each persona, simplifying the assignment and ongoing maintenance of user access controls.

APPLICATION MANAGEMENT AND DEVELOPMENT STANDARDS: Management policies need to be established to ensure the right level of control on each app based on its sensitivity and use. Access to certain apps and data could be blocked if they are not relevant to a certain role. Perhaps an individual app should be geo-fenced rather that the device? What about time-fencing apps so they are not used outside business hours?

To support the user segmentation-based security and provisioning model, application development standards will need to be developed. Securing email is relatively easy. But to secure mobile apps and data at rest and in transit, apps should be developed to fit into a more scalable and secure app model.

One approach is to create a container on the user’s device which functions as a shield around the data and apps which reside within it. A composite app resides in that container, and a set of granular apps sit inside the composite app. When a user is provisioned, they are granted access to the appropriate container(s) and composite app(s) based on the user’s persona. If the container is secure, the apps and data are secure. The standards and architecture implemented will impact app distribution, employee-owned device management and security management.

This container/composite app model can greatly simplify app provisioning and maintenance. But the standards for app development need to be established up front to ensure that the full range of enterprise apps is consistent with the model.

DATA ACCESS: Data access policies will also need to be established. This is true for both company-owned and employee-owned devices, but employee ownership introduces an added layer of complexity and need for governance. Key questions that will need to be addressed are: Will the company offer corporate WiFi access to supplement the broadband access being purchased from a telco? While this may be practical for many organizations, physical layouts, geographical distribution and building structural issues may drive different decisions. What level of broadband access is the company willing to pay for, and what are the bandwidth requirements of the different user segments? Is 3G adequate? Is 4G necessary? For which users?

7


DMI WHITE PAPER

Essential 5: Build a Plan for Successful Policy ImplementationEmployee ownership of devices introduces a unique set of challenges and requirements when it comes to policy implementation:

SELF-PROVISIONING: The most obvious challenge with employee-owned devices is that the company doesn’t typically have access to the device. So, mechanisms must be set up to enable employee-owned phones, tablets and other devices to be provisioned by the users themselves.

USER PROFILES: A solution must be in place to link individual employees with their user profiles—probably based on an AD/LDAP access control system and set of policies around individual membership in groups and group access to various data and apps.

AUTO-CERTIFICATION: With employees connecting to the network and provisioning their own devices, the technology and process for automatically certifying that the device has a container needs to be established. Further, the company needs to be able to ascertain that the device is connected through the container.

EMPLOYEE SELF SERVICE: Since organizations cannot typically take possession of employee-owned devices, it is essential that employees can provision and service devices through a “single self-service window.” Device and data plan management, usage tracking, and access to corporate applications that are authorized for individual personas all should be included. Without simple, integrated, single-window service, employees may wind up frustrated and unhappy, while IT is bogged down in an overwhelming stream of support calls.

TELEWORKING: An organization’s virtual desktop and unified communication strategy should extend to mobile devices. In fact, mobile devices, particularly those with larger form factors, provide a logical setting for enabling teleworking. A comprehensive BYOD strategy and policy should encompass teleworking as well.

Essential 6: Provide for Ongoing Governance to Maintain and Evolve Your BYOD PolicyAs with any new initiative of this magnitude, a BYOD policy must evolve as new factors and considerations emerge. To do so, a governance model is necessary – one that measures and monitors key factors such as cost, security breaches, lost phones, jailbreaks, etc. The definition of a BYOD governance model is beyond the scope of this paper, but suffice it to say that a BYOD strategy and policy is only as effective as the measures that are implemented through a governance model.

8


DMI WHITE PAPER

ConclusionHarnessing the power of employee-owned devices can deliver tremendous advantages to the organizations that do it successfully. Keys to success include establishing a solid foundational understanding of the current environment; developing a clear set of business, legal, and technical policies; executing a well-defined implementation plan; and providing for ongoing governance and evolution of policies. Experienced enterprise mobility management service providers who have successfully guided organizations through the creation of BYOD programs can offer vital assistance in the process, anticipating challenges and opportunities, and avoiding costly missteps. The BYOD opportunity is here. The right partner and planning can help you seize it.

DMI and Successful BYOD ManagementDMI is the world’s leading provider of enterprise mobility services and solutions. We have been providing Managed Mobility Services for the past 9 years to a growing set of commercial and government customers.

Our comprehensive Managed Mobility Services portfolio includes:

Mobile Strategy Consulting

24 x 7 Mobile Help Desk

24 x 7 Mobile Device and Solution Management Service

Mobile Device Logistics

MDM Solution Implementation, Upgrades, Health checks and Assessments

Mobility Solution Training

We partner with the leading software and hardware vendors in the industry. Our partnerships include MDM vendors such as MobileIron, AirWatch, Fixmo, Good Platform, BlackBerry UDS/BDS/BES, as well as platform and hardware vendors such as Apple, Samsung, Google and Microsoft.

We also build enterprise class mobile solutions that generate results for the world’s top brands and businesses. Our mobile solutions combine the award-winning user experience design that has made us one of the top creators of consumer apps, with the deep middleware and engineering expertise that we’ve used to build and manage enterprise applications for the most demanding IT departments in the world. DMI mobility solutions improve business processes, tap new revenue streams, build customer loyalty, and increase employee productivity.

9


DMI WHITE PAPER

DMI One Rock Spring Plaza6550 Rock Spring DrBethesda, MD 20817

DMInc.com

DMI Sales TeamU.S. Sales: 855.963.2099Intn’l Sales: [email protected]

©2013 Digital Management, Inc. All right reserved.

The Proof:

We have 500,000 devices under management for more than 100 clients, including many Fortune 500 companies—like BP, Johnson & Johnson, Sears, The Associated Press, Allergan, and more. At BP, we’re deploying 1,000 managed mobile devices each day.

We provide 24 x 7 x 365 mobile service support for more than 500,000 users. DMI is the one call our customers need to make to resolve any issue—devices, apps, infrastructure, and even carrier problems.

We offer a full range of security options that include Federal-grade hardware-based security, two-factor authentication, secure container, and sophisticated encryption solutions.

With our expertise and economies of scale, we can provide mobility management at a higher service level and on average 20% lower cost than most companies can do on their own. Pervasive excellence is our commitment to quality service.

We’ve built more than 400 mobile apps—in the past 12 months alone—for more than 150 leading organizations—like Disney, Coca-Cola, Toyota, Vodafone, P&G, The National Guard, and Universal Studios.

We offer brilliant creative and user experience: Our mobile app development group was named the Best Branded App Developer at the 2012 Mobile Entertainment Awards. We are a Google Platform partner and Apple Consultant.

DMI is one of only a handful of companies that is CMMI L3 appraised for both application development and services, as well as ISO 9001:2008, ISO 27001:2005, and ISO 20000-1:2011 certified. Our average D&B Open Ratings performance score from our clients is 94/100.

Contact DMI today to learn how our Managed Mobility Services can deliver worry-free security, easy management, and reduced costs for your enterprise.

byod: six essentials for success

Technology