Taming the BYOD beast - issues of management and security

Date: Tue, 10/16/2012 - 18:07

For the employees it means greater convenience, job satisfaction and productivity. For the IT department it means a three or fourfold increase in the number of multi-vendor endpoints to manage, greater network permeability and new security risks - with little hope of commensurate budget and staffing increases. But BYOD is here to stay, and it’s growing huge.

Vishal Jain, Analyst, Mobile Services, 451 Research, at NetEvents EMEA Press Summit, Algarve, Portugal

Solutions are needed to address visibility, management, network access control, security and the means to test a fast-evolving ecosystem of consumer devices - and we have a panel of vendors each promising to tame the BYOD beast.
But what sort of guarantees can they offer for a problem that is evolving as fast as the consumer market? Can one solution fit all - if so, who has the best solution? Or will we be forever adding and patching for each new invasion - the IT Department’s BYOSolution for BYOD?

Introduced and Chaired by Vishal Jain, Analyst, Mobile Services, 451 Research, at NetEvents EMEA Press Summit, Algarve, Portugal
So a very good morning, and thanks to NetEvents for hosting us and giving the opportunity to talk about BYOD-related issues here. So I'm Vishal Jain. I'm an industrial analyst with 451 Research. I cover enterprise mobility applications and services and I'm based in London. I've got a very interesting panel here. I've got, starting with Shehzad from Extreme Networks, Nigel from MobileIron, Markus from Enterasys and Steve from Aerohive. And I'll quickly go through the presentation, a very introductory one to get you introduced to the topic that we are going to talk and discuss.
So just a bit about 451 Research. I hope a lot of you know about what our organisation does. We look into the enterprise, the innovation. So you have already been introduced a lot to innovation. So we look at how that innovation impacts enterprises and their buying decisions. We do a lot of qualitative, quantitative and syndicated research in this space.
Talking about the mobility trends that impact the enterprise, so the BYOD, BYOD is an interesting topic here because on one hand you've got corporate buying on a rise in the enterprise, but then on the other side you've also got employee [reliable] smartphones, tablets. And there is now a very increasing trend towards owning a device and bringing that into enterprise. It's kind of going beyond the coolness factor here. And we draw a lot of data that we do from our market research. So one of that is more of the change research survey that we do which goes in to the consumer and talks about - understand how they're using the resources in the enterprise, which is typically devices and applications.
The other is more of from the [dip inside], TheInfoPro, where we talk to a lot of end users in the enterprise and say what they're doing to deal with that. And so we see that there's - we recently did a survey which was quite fresh. And it says that they are dealing with the fragmentation of their IT landscape to it's no longer very homogenous landscape now. Looking to address [pain points] related to security, to connectivity, to the higher usage, which is a stress on their resources, their time. And the most confusing part is the amount of options that are available from what they have to what should they buy, what should they internally develop, all of that. So you can look up all these other trends another time.
So just one of these is that we asked a couple of - around 1,510 people about which mobile or [SSR] used and smartphones that your company currently provides, which is a company buys a smartphone and then gives it to them. So iOS rules the roost here, followed by very closely by RIM, and then closely [launching] is Android. But you see that the August, in the three months [trading] cycle that we see, Android and iOS have now - have peaked over BlackBerry, so it's on a continuous decline.
The other is very interesting is enterprise versus non-enterprise smartphone and tablets connecting to the network. Although you would see that there is a lot of enterprise issued at the moment, but the next 24 months, the percentage change in the next 24 months, and I was talking to Nigel, and you see that the non-enterprise issue, that's showing a 74% jump here. So that is the BYOD discussion that would be great to jump into.
And so here is what we're going to really pass over, how do you manage BYOD? And from our research standpoint, we see four core asset classes here. One is the resource, the network, device and app and because your device typically transgressed across all these four resources.
So these are the different ways to do it. And I think the best way is over to the panel to start with the first question. I think the agenda had quite a good one here from a question standpoint on bring your own solution to bring your own device as well, which is quite a good one to start with. But to the panel, the immediate question that I have following this is when should an enterprise start thinking about BYOD? What is the right time to think about it? Anyone can start. Jump in. 
 
Q&A Session
Shehzad Merchant - Extreme Networks
Sure. So this is Shehzad Merchant from Extreme Networks. I think really the right time for enterprise to start thinking about BYOD is two years ago.

Vishal Jain
So it's already sell-by date.

Shehzad Merchant
Yes. Pretty much most of us today, in fact there was a survey done recently that polled IT administrators to find out how many devices per user they're managing and about 12% said their users are managing or running up to four devices already today. So you have your tablet, your smartphone, your desktop, your laptop. So you're already in this world of people bring their own devices. The question really now is how do you manage that. And is there one solution fits all or do you have to have a set of solutions? And I think that at the end of the day, when you're talking about issues like security, you do have to have a tiered solution. So there's device security, there's network security, there's application security and all of these have to be addressed individually. There's no one solution fits all.

Vishal Jain
Right. Nigel, do you have - you have already [inaudible].

Nigel Hawthorn - MobileIron
I was going to jump in there and just say that as a wireless network supplier, as a vendor of wireless, we would say, as networks migrate, as a network manager migrates and develops his network, he really has to consider BYOD in the design phase. They need to look at what they need to supply for the user. And it comes down to the user having this desire for access on demand, whether they're in their corporate space, their home space or out in the street.

Vishal Jain
So an enterprise should really go out and look at any possible endpoint that would connect to the enterprise?

Nigel Hawthorn
Yes. I think it comes down to the user with their smartphone, with their iPad, with the laptop, wherever they may be, they need connectivity these days. So there's bring-your-own device, bring the corporate device to work, to do your work. It has to be thought of before even you start implementing any form of technology.
 
Vishal Jain
So how forward should that thought be? How much do you think future-proofing could be empanelled in that?

Nigel Hawthorn
If you pick the right network, you can scale your network from zero to hero from the beginning really.

Vishal Jain
Markus, yes.

Markus Nispel - Enterasys
I think the underlying infrastructure, so Markus from Enterasys, so we do both provide the wireless infrastructure, network infrastructure as well as security components or network access control components which are, from our point of view, one component to the solution but not the sole component to that solution.
And I think your question, when should enterprises think about BYOD, is probably the wrong question because users just demand it. Employees demand it. So there's no way that you as an enterprise can think about it. It's just reality. So a recent study in the US, [CoalFire] did a nice one just recently, showed that more than 80% of the companies that they surveyed said that people are bringing in a single device for both business and private use inside of the enterprise. So it's more than you need to provide to, A, create employee satisfaction, but B, which is more important as part of the enterprise mobility strategy to provide optimised workflows as part of your business processes.
And in terms of underlying infrastructure, I totally agree. What we have seen so far is that most wireless infrastructures underneath have been designed to provide, let's say, basic connectivity to laptops and conference areas and a lot of customers underestimate the growth in terms of devices that they are facing with the new tablets and smartphones and stuff like that coming onto the infrastructure. So there are some analysts that predict that by 2015, 80% of today's deployed wireless infrastructures are already obsolete because people didn't take the growth of devices into account. So that's very important from our perspective.

Steve Hook - Aerohive Networks
Yes. I'm okay with the answers on when should you look at BYOD, which was certainly yesterday or maybe two years ago. I think the other important question is who should look at BYOD. And it's not just an IT thing. We need to bring in the line of business, the legal people, the HR people. You need a cross-functional team to make sure that BYOD is going to be successful in your organisation and we need to start there. 
 
Vishal Jain
So you've really pulled into the right point here is what should an organisation do to really think, to implement a BYOD program. So you've said there is a small people issue, the HR issue, and obviously IT is somewhere as more of a gel here between all these things.

Markus Nispel
Yes. So I think it's cross-functional for sure. And as we talked about during breakfast actually, organisational and legal challenges are important, but also enterprises need to think about how the enterprise application infrastructure needs to be merged into an infrastructure that is supporting mobile devices. So you cannot just take your existing applications and just say okay, I do now BYOD and everything's great. You basically need to migrate your enterprise applications more towards a cloud-based model where mobile devices can access these applications from anywhere as well. So that's also something that you keep in mind. And, as Nigel said, it needs to be a cross-functional effort in enabling enterprise mobility and BYOD in an enterprise. It's network infrastructure, it's security, it's application management and also providing the right applications with the right mechanisms.

Vishal Jain
So what is a successful BYOD program as per your viewpoint? For example, I'm an employer for an enterprise. Should I be really aware if there is something like that running in the background which is monitoring what I'm doing, or is a successful BYOD something which clearly says that every step that I take with my device, thou shalt do that and thou shalt not do that? This is protected, this is not to be done. What's your take there?
Yes, sure, go ahead.

Steve Hook
It's a case of set-and-forget almost, where the policies and the profiling for the users and the devices need to be set up, put in place and then managed.

Shehzad Merchant
Yes. I think there are really two parts to that question when you talk about success, because there are really two users you're talking about. There's the end user, the guy holding the device, and then there's the guy who's running the rest of the infrastructure, the team that's running the infrastructure. And the success factors are actually different. To an end user, for me success is I can go down to my favourite electronic store on a weekend, buy the latest and greatest smartphone that I have or whatever device, unpack, then in 20 minutes I have all my enterprise computing applications up and running on it and I don't have to make a single call to IT. That's success to me. To the IT administrator, success is that when that's happened, I know exactly that's happened. I may not have to do anything about it, but I know that's happened. I know what the device is. I know who the user behind the device is. I know what he's trying to do. And if he's trying to do anything malicious, things automatically prevent him from doing that. That's success to the IT administrator. So I think there's two different criteria and I think both are pretty important.

Vishal Jain
Yes. I agree. Nigel, yes?

Nigel Hawthorn
I think you're absolutely right. User experience is key, and making sure that users can work effectively with their device of choice at minimal intervention from the IT department. I think the IT department needs to also look at the situation of employee enablement. How can you make the employees more productive with their mobile devices? Don't look at BYOD as a problem. Don't look at it from a security point of view and try to treat your employees as adults, guide them on which applications they use and how they use their devices rather than seeing it as a problem to be solved to which the answer might be well lock it down, because if you start locking down a mobile device, if you start changing what the user sees then they will rebel and they will - you won't be successful with your BYOD project.

Shehzad Merchant
Yes. If I may add to that. I actually completely agree with that, by the way. The whole BYOD phenomenon, while started from the cool factor, it's a phenomenal tool for productivity increases. And so rather than looking at this and saying hey, from the perspective of bringing security, let's lock it down, one should really look at the securities to make sure that people have access to what they want and when they want it even in the face of threats. So enable the users to be productive and provide the tools for that to happen.

Vishal Jain
Markus, you want to say something?

Markus Nispel
Yes. So for sure, embracing it rather than trying to stop it. That needs to be the goal and how people look at BYOD. So an example, and actually your requirement and how you set what is success, it's basically the perfect alignment in terms of goals that enterprises should strive for. So an example at Enterasys, we basically eat our own dog food so obviously we deployed our own solution for BYOD. Every employee can bring their own device onto the infrastructure. The IT is fully aware of what's happening with a mechanism we call zero effort on-boarding. And the data that people are able to access, we have a clear set-up and policy that needs to be designed upfront because you really jump into it and then you're ready to go.
I think that's important as well, to have that security policy in place before you implement technology. So technology alone doesn't really help you. It needs to be both. And also what you mentioned, make the employees aware of what they should do and shouldn't do, that's also important. So the same [CoalFire] study also showed that close to 50% of the respondents never got educated by their IT department what to do and what to pay attention to, which is frightening, I would say, from that perspective.

Vishal Jain
That's interesting, because I know of a case where an enterprise simply said bring your own device as long as it is an iOS device. So there are different connotations to the whole BYOD program itself, where - and it has got now tiered down into several kind of ownership models as well or sponsorship models, to put it that way. I'm going to just take a pause here and see if the audience has any questions for -? You can introduce yourselves with your name and company that you represent.

Hans Niemann - Freelance
[Hans Niemann], freelance from the Netherlands. Your last statement, bring your own device as long as it is an iOS device. What's the reason behind it? I think the Microsoft platform is secure as well. We know that Android has some breaches, but I think Microsoft is safe as well isn't it?

Vishal Jain
So the reason behind that is a lot of IT folks, so the discussions that we had with them was they think of BYOD as an overhead and they also think of - they are finicky about what kind of applications should be accessing. So it isn't more device-specific but what kind of applications are available and what should we develop. So it goes more from the back end access standpoint. So they're thinking about if we were to develop these applications, what should happen with their security model? How should we allow permissions on them? How should we roll it out to different devices? So it's more of the app story where they were very finicky about. So what kind of data goes through these applications, apps that work on those devices.
So they had a kind of development that was very much focused on iOS. So they thought it's best to have iOS rather than anything else.

Markus Nispel
Just to add on, just based on experience so not tied to our strategy, so what we see, I see personally talking to enterprises, it looks like iOS is much more predictable from an application perspective than Android. So there is not a single Android so people are challenged by that. Windows seems to be interesting, but still a lot of enterprises, just talking to a hospital last week in Germany, they want to go all iPads for all doctors because it's much more predictable. It's much more contained and much more manageable than the other OSes.
And also statistics from our own infrastructure, as I said, so we have total visibility of the number of attached endpoints and the users and the types, we have 1500 Windows PCs, 900 iPads/iPhones on the network and only 200 Androids so over time. So we see that based on our own employee base but as well as guests logging onto our infrastructure, so it looks like Apple is much more popular for enterprises, even Apple doesn't really focus on enterprises. So there are some things like Apple Bonjour, a technical thing, that is really just designed for home use and enterprises are challenged with that right now as we speak. Aerohive have a good solution to that, but we as well.

Nigel Hawthorn
I agree. We've got more than 3,000 customers. And let's remember, a lot of them actually are not using BYOD at all. They're still using corporate-owned devices. But even those people who are implementing BYOD, it is bring your own device, not BYAD, bring any device. And the organisation usually does have a list of suggested devices that they know will work with the applications that they want the employees to use.

Steve Hook
I think we've got - in the Aerohive solution, we're able to detect any device that you might bring into the network and we can deal with those shortcomings. Markus kindly mentioned there Bonjour gateway, which is now free. And that overcomes the issue with Apple not being able to move across layer 2 boundaries. So we can build those shortcomings in, and it's again focusing down to enabling the user access to the network. So as long as we're managing the user, we're managing the device, we can manage the network. We're just dealing with data at the end of the day, IP traffic. And so the apps, this is where Shehzad comes in, looking at how do you manage the applications at the end of the day. And who's doing what is where Nigel comes in with MobileIron and the legalities of that kind of element.

Vishal Jain
I think there's another question.

Jan Guldentops - BA Labs
I wonder, there's nobody - Jan Guldentops, BA Labs - there's nobody who's going to cover a one-stop solution for bring your own device. It's always going to be a complex package of different vendors and different products, or am I wrong?

Markus Nispel
Yes, for sure. It's a combination of multiple technologies. But you need that anyway for any kind of connectivity to your infrastructure. So I just wouldn't tie it to mobile devices and the latest and greatest iPad coming in. If you're running a network infrastructure and you're converging technologies on that infrastructure, like office, IT, medical devices, production infrastructures and things like that, you anyway need to manage endpoints on your infrastructure in a secure fashion. And as you do it for these kind of devices, you have to do it for mobile devices as well. And someone telling you there's a single solution for a complex problem, that's just not the case. It needs to be a solid architecture underneath, the way you can plug in solution components as you need them.

Vishal Jain
Shehzad, before you just get into that, he has raised a very pertinent question. I have a question here which follows on to that and you can address that as well. Is this an opportunity to refresh the enterprise stack on the, as I said, all the four pillars that I suggested, or stick something more on that, on top of that?

Shehzad Merchant
Sure. So perhaps both as well, let me try to address that. In terms of a single solution to BYOD, BYOD is not a problem. BYOD is a phenomenon. You've got to figure out what's the problem you're trying to solve. The problem can be mobility. The problem can be security. There's a myriad set of problems and each problem has its own set of solutions. So I don't think saying is there a single solution to BYOD is even the right question to really ask. It's what's the problem you're trying to solve because behind BYOD are a set of different challenges. So I think that's one part.
The other part is around the four pieces of the stack, as you were talking about, and leading to refreshes. I think each one of those will provide their own set of solutions. Some of the solutions will provide investment protection where you may not need to go through a complete refresh. Some of the solutions may require a refresh as well. For example, if you're looking at the network infrastructure, what we've done from Extreme Networks is we've provided solutions that will work with all the existing deployed infrastructure and still deal with user device and application mobility, visibility and control just through a software upgrade. Other solutions may require a refresh as well. So it really depends on what's the problem and what's the solution you're trying to address.

Vishal Jain
Right. Nigel, yes?

Nigel Hawthorn
The market's changing dramatically and I think that we are an industry that always throws around acronyms, but mobile device management, MDM, mobile application management, MAM, are really, I think, now one market not two. And data leak prevention is a major part of the security issues that people are worried about with mobility. And so those three areas are all coming together and you're finding that companies like ours are trying to provide solutions that cover all of those. But of course there's 20 years of networking experience. There's active directory to integrate with, and nobody would be foolish enough to say they can solve all of the issues in one place. 
 
Vishal Jain
So there's another, yes.

Antony Savvas, ComputerWorldUK.com
When you talk about BYOD, in the press, etc., it's like well what is the IT manager going to do about it. Would you agree that that's not really the issue at all? When we mention the integration of HR, etc., the IT director doesn't get involved in HR so you could ask well why are HR getting involved in BYOD? I'm just thinking isn't it a simple case of really a case of getting the network to work to support all these devices and just make sure Active Directory works or whatever and that's about it? Aren't we just overcomplicating the issue here because most IT departments can't even secure a mobile laptop to make sure it's got security on it, let alone enforce BYOD policies and what applications people should be looking at because in the UK, and I expect other countries as well, organisations, public sector organisations are getting fined hundreds of thousands of pounds for not even securing a laptop to have encryption on it? So aren't we overcomplicating the issue here? Isn't it a case of personal responsibility and just making sure the network works to support all devices?

Vishal Jain
Great question. Thank you.

Shehzad Merchant
Yes. I think it's not a matter of complicating things more. I think the challenge definitely is that it's not just about providing connectivity to the devices, but when you start looking at regulatory compliance issues, you do have to have controls as to who's behind the device, what's the device doing, what applications can the device access and not access. It's very different when there's an IT-provided asset, there's an IT-provided desktop or an IT-provided laptop which has a certain build, it has a certain antivirus on it, it has a certain set of client software on it. But if you bring your own device, it doesn't have all of that. And so it becomes very important to be able to manage that or to be able to provide the tools to be able to manage that. So I don't think it's a matter of overcomplicating things. I think it's actually more than necessary.

Markus Nispel
Yes. Also if you look at the legal implications in certain countries, if you have your own device, you have corporate data on it and you want to, for example, wipe that corporate data and by accident you wipe also the private data on that device, who's liable then? And depending on which country you're operating in, it's a complex issue that needs to be addressed actually. Nigel is the expert in the UK, but in Germany I can tell you it's not that easy. 
 
Nigel Hawthorn
So actually we've got a document that talks about the legal requirements in eight different countries. And it's a great example of how it is different in different places. But I think your point is a good one. Ten years ago I was dealing with web security. And quite often the IT people didn't want to implement web security at all. It was HR and legal who forced it upon them, and they were only the people who implemented it. They didn't want to be the police, they just wanted to enable users to work. I think we're in a similar situation here where BYOD is an astonishing opportunity for corporate organisations and other organisations to enable their employees.
IT are in a great position to be the heroes of the hour. And really what they need to be doing is looking at it from a point of view of enabling BYOD and providing the thinnest level of security that they can and treating employees as adults and workers and trusting them and giving them advice and coaching when they need to, but not necessarily going to the bad old days of trying to lock everything down. One, it's very difficult technically. Two, as I said before, your users will rebel.

Steve Hook
Was it Antony? Yes. I'm on your side. At Aerohive we look at simplifying networking. When we bring a corporate device on the network, we embrace them. We'll put end clients onto the device and we'll allow them access because we've identified them, we've enrolled them and we've given them access to all the services they need. If a guest comes onto the network with their own device, we'll quarantine them. We'll then contain them on the network and allow them to the services only that they are profiled to go to. So we keep it as simple as possible.
If you want to complicate it, fine. But you're only going to make a rod for your own back at the end of the day. So I'm on your side.

Vishal Jain
Great. Thanks, Steve. I think I'm going to sum it up with a couple of - a bit of conclusion that you can provide, each of you. So the question is you said, you rightly point it's a phenomenon that's now going as a wave across different enterprises, large or small. But you said you have to identify the problem in that. As per you, Shehzad, Nigel, Steve, Markus, Steve, if you can spot on one problem that you see which should be really looked at, what would be that? Each of you can address that, answer that.

Shehzad Merchant
Sure. I'll take a crack at it. There are several. And I'm sure -

Vishal Jain
One. 
 
Shehzad Merchant
Right. So I'm sure someone's going to bring up security, so I won't bring up security. But I think there's another larger trend behind this that unfortunately we didn't get a chance to talk about if we talk about BYOD. But the larger trend here is the consumerisation of IT. And I think there's a far bigger behavioural change taking place over there which is if you call up your IT department and say hey, I've got a connectivity problem for my device, the first question is which device? And IT has no visibility to say right, it's from a smartphone, they say alright, what's your IP address? I have no idea. You spend 15 minutes going through that process and then they say where are you connecting from? From some passageway and I don't know where that is. So there's very little visibility today in your IT infrastructure for users with multiple devices. And I think that's, looking at it from the IT side, you've got to solve that visibility and control problem in addition to the security problems that I'm sure somebody else will talk about.

Vishal Jain
Thanks, Shehzad. Nigel?

Nigel Hawthorn
Yes. I guess I would just try to open it up and say IT people have got to look at this as an opportunity for change. We've seen reports that employees in BYOD organisations tend to work longer hours or at least be more productive over a wider length of time. And that makes the organisation more effective and so anyone who is resisting BYOD I think should look at it from a positive point of view and try to enable it as soon as they can, otherwise they're going to get rolled over.

Vishal Jain
Thanks, Nigel. Markus?

Markus Nispel
It's a tough one. So I would just say embrace enterprise mobility, embrace BYOD while maintaining visibility and control to the level that your business demands it, then you're ready to roll. And visibility is key because from that point on you can do whatever you want with users' end devices on your infrastructure.

Vishal Jain
Right. Thank you. Steve?

Steve Hook
At the end of the day, it's the user. He wants access on demand, regardless of where he is and what device he's using. So it then comes down to the network manager and then the IT administrator, the IT team to be in a position to know the right thing to supply, how to supply it best and manage it for the good of the user and the enterprise.
So my support would go to the poor network manager who has 15,000 things to do at the same time.

Vishal Jain
Right. Yes. I agree with that. That's a big overhead for them. So thanks a lot for your comments and insight into this issue here. To conclude, I would just clearly say that I think BYOD is an unsolved problem yet in terms of which part one should look at. But as they said, there are certain components that are key to incorporate in your BYOD approach, which is visibility, management, security obviously, and the way to look at the holistic organisation and what it wants.
Thanks a lot and thanks for being here.

 
