On the heels of launching our eGroup eBook, “7 Steps to a Sensible BYOD Strategy: So You Can Sleep at Night,” we recently sat down with John F. Andrews, Chief Operating Officer and Fractional CIO of Virtual C-I-O, to chat about his company’s views and opinions on BYOD. And, most importantly, how C-level executives should manage the situation.
It sounds like both eGroup and Virtual C-I-O agree on quite a bit when it comes to BYOD. Read on for more:
eGroup: What effective approaches can management take in addressing “bring your own device” to the workplace?
JFA: BYOD is a growing, undeniable reality. The CIO or company fractional CIO would be best served to embrace this trend as well as establish a program to manage its implementation, just as programs are put in place to implement other new technologies. To roll out such a program effectively, a cross-functional team of IT, finance, legal and all other affected operating entities must collaborate to address the following at minimum:
- Which employees are eligible and which are not?
- Who pays for service plans and hardware?
- Who pays for devices that are stolen or lost?
- Which applications are permitted and which are not?
- Are employees required to use mobile device management security software that encrypts company data, monitors the device usage and passwords?
- Are employees required to agree that the company can remotely wipe out any data—possibly including personal data—if the device is lost or stolen?
- Are employees responsible for backing up their own personal data?
- What disciplinary actions will be taken in response to misuse?
With these items fully vetted and addressed, a formal policy can then be developed which best fits the corporate culture, legal, financial and operating perspectives. The CIO or fractional CIO must understand that there is no “cookie cutter” approach that works for all organizations.
eGroup: How should management educate their employee users on the security risks and potential threats BYOD raises without hampering the substantial productivity benefits of BYOD?
JFA: BYOD isn’t a technology issue; it’s a policy issue, and one that involves other organizations besides IT, such as finance, legal, HR and operations. Therefore, a comprehensive view is appropriate. The cross-functional group mentioned earlier, led by the CIO or fractional CIO, should be responsible for developing a policy that considers all aspects of BYOD, with security being a critical item. It should be formalized, institutionalized and communicated to all impacted employees, just as all other business-critical policies are.
eGroup: Does company management have a role in making mobile apps available to employees and their devices?
JFA: After adequate review and approval, the BYOD program should indicate which company applications can be used by each employee based on their role in the organization. The policy should also indicate which applications or application types aren’t to be used as well.
Beyond that, we see many CIOs and fractional CIOs setting up their own “app store” that BYOD participants can access to download applications and other software that they are approved for, and that provide tangible support for their jobs.
As you write in “7 Steps to a Sensible BYOD Strategy: So You Can Sleep at Night,” VMware’s Horizon Application Manager is a great example of a tool which helps CIOs deliver policy-driven application access.
eGroup: What is the best method for encouraging productive feedback from the employee end-user community to company leaders?
JFA: To gain the most candid and honest feedback, CIOs and their teams should conduct regular user surveys. Centralized suggestion mailboxes are also popular, where employee users can provide suggestions at any time on how to improve service. Both methods can be handled on an anonymous basis, again encouraging the most honest and candid feedback, without the worry of reprisals.
eGroup: Should a CEO be concerned that the company’s application usability and human factors are best-in-class?
JFA: Absolutely. Software is integrated into almost all — if not all — core processes in corporations today and can be a major differentiator – either positive or negative – on the company’s stature, reputation and desirability as a supplier or employer. The company CIO or fractional CIO can actively support the CEO’s leadership in this regard by developing a comprehensive strategic road map design for IT / business technology that includes the internal as well as external leverage that BYOD provides. In addition to tactical responsibilities, the CIO’s role involves strengthening the CEO’s company vision, as well as the long-term value proposition.
You covered your bases and protected your client devices – complex passwords, two factor authentication, application white lists, client firewalls and anti-malware. You also have taken measures to ensure that if a device is lost the data will not be compromised – encrypted hard drives, remote wipe capability, and encrypted VPN tunnels for information transfer. Now you are feeling pretty good about your client security posture. Of course, if you are not doing these things, then later I’ll have to write about why they are still important.
Now, let’s explore a very real scenario where all this security preparation will not and does not matter. While this scenario focuses on U.S. Policy examples, this applies to any governmental action in any part of the world.
Let me set the scene. You travel outside the United States, visiting a client or an international branch of your organization. Everything goes well; however, upon re-entering the United States, you are pulled into a room by Department of Homeland Security (DHS) personnel, who kindly ask you to power on your device and enter your password to decrypt the contents.
Oops. Complex passwords, two-factor authentication, encrypted contents: none of it matters, because you have just handed over the keys to the kingdom. Most people in this situation may be a bit nervous, but not overly worried, because they do not believe they have anything to hide. However, as recently reported by David Kravets of Wired Magazine (http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/), the DHS Office of Civil Rights and Civil Liberties published a two-page executive summary of its findings regarding the DHS suspicionless search-and-seizure policy for electronic devices.
The executive summary of this report included this statement: “We also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.”
What does this mean?
Well, it means that regardless of what you have or have not done, authorities can take your equipment. If they do so after you have given them access to the machine, they now have access to all of its data without a warrant, and you no longer have any control over it.
The article illustrates a real-world example of this in action. Mr. Abidor, a Ph.D. student, was held while DHS agents went through his computer, and what the article doesn’t point out is that Mr. Abidor had to file a lawsuit to get the computer back. DHS held it for over two weeks, though no charges were filed against Mr. Abidor and no suspicion of wrongdoing was alleged.
What is on your company laptops?
How much financial information, patented company information, personally identifiable information (PII), personal health information (PHI), credit card account information and other sensitive data are you, your colleagues, or your employees carrying around? You may think that even in an extreme scenario like this the data wouldn’t be compromised in a way that would hurt you or your company; after all, the government has protocols and processes that should protect what it has seized.
Are you ready to bet your company on it?
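Answering “what is on your company laptops?” is an inventory problem, and a pre-travel scan is one concrete way to get the answer before the hardware leaves the building. The script below is an added example written for this post, not code from eGroup or the author: it walks a directory tree and reports files containing payment card numbers (validated with the Luhn checksum, so an order number or phone number is not flagged) or U.S. Social Security Number patterns. The two regular expressions, the file-size cutoff and the sample files it builds are all constructed for the example; a real inventory would add your own data classes (PHI identifiers, customer IDs, contract numbers) to the pattern list.

```python
"""Pre-travel inventory of sensitive data resident on a laptop (added example).

Walks a directory tree and flags files that contain Luhn-valid payment card
numbers or U.S. SSN patterns, so you know what you are carrying across a
border before you hand the device over. Patterns and sample files are
constructed for this example and are not an exhaustive data classifier.
"""
import os
import re
import tempfile

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. SSN in dashed form; excludes never-issued area (000, 666, 9xx), group (00)
# and serial (0000) values so fewer random digit runs are reported.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return non-zero counts of card numbers and SSNs found in a block of text."""
    cards = sum(
        1 for m in CARD_RE.finditer(text)
        if luhn_ok(re.sub(r"[ -]", "", m.group()))
    )
    ssns = len(SSN_RE.findall(text))
    return {k: v for k, v in (("card", cards), ("ssn", ssns)) if v}


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Map each file under root (relative path) that has findings to its counts."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large binaries; a production scan would sample them
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_sample_tree(root: str) -> None:
    """Write constructed sample files: one card (plus a Luhn-invalid decoy), one SSN."""
    samples = {
        "expenses.csv": "card,amount\n4111 1111 1111 1111,120.00\n4111 1111 1111 1112,15.00\n",
        "hr/onboarding.txt": "Name: Jane Doe\nSSN: 123-45-6789\nPhone: 555-867-5309\n",
        "notes/readme.md": "Meeting at 10am. Order #20130215 shipped.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {hits}")
```

Run it against a real profile directory by calling scan_tree on that path instead of demo; the output is a list of files to move into the cloud-hosted environment (or delete) rather than carry on the device.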
Today, I know of no instances where a border-seized asset led to a leak of corporate data or a privacy breach. That doesn’t mean it has not happened, or that it will not happen. How do you protect against this scenario, or a similar one in another country where you have even less recourse? I outline a few options below:
How about the Public Cloud?
Be careful about the what, where and how of your provider. International and national providers are inundated with requests for access to data hosted in their “cloud” from foreign governments, the U.S. federal government, and countless local government entities. Of particular concern is that some companies, most visibly the major communications providers, have deals in place under which they make millions of dollars by sharing your information with the government. How much do they really have vested in your privacy?
Even with the spotlight put on these programs in recent years, it appears the future will be even more “cloudy” in this regard. As an example, the Sixth Circuit Court of Appeals recently ruled in United States v. Skinner (http://www.ca6.uscourts.gov/opinions.pdf/12a0262p-06.pdf) that police do not need a warrant to access an individual’s GPS data. This data is of course held by your telephone provider or navigation service provider. What type of doors will this open to other types of data you are storing in large national public clouds?
It is still possible to gain the efficiencies of a public cloud, while avoiding the conflicts of interest of the big players. Look for an established local or regional partner that is offering services comparable to the big players in availability and security, but is without those entangling agreements that were not made in the best interest of your data.
What about a Private Cloud?
Clearly, there is more control here. You have the most control when you own not only the servers but also the location they are housed in. At least in this scenario, any entity will need a legal warrant to retrieve data from servers in your private infrastructure. Many companies are jumping on the private cloud bandwagon. Companies with big data center experience, like EMC for example, are taking that knowledge to deliver reference architectures like VSPEX that blueprint a flexible and tested solution utilizing a host of technologies that can deliver on the private cloud promise. Microsoft, VMware, and even traditional network players like Cisco are offering private cloud solutions.
How do you access your data in the cloud?
Really there are two choices here, although the technology to deliver them will vary.
Encrypted VPN tunnels are the traditional method for gaining access back into a corporate network. They will work in this scenario as well, but you still have to address where data will be saved, how working copies are managed, and what is kept on the personal device. You have a wide range of choices in how this is delivered, including Microsoft DirectAccess, Citrix NetScaler Access Gateway, and a variety of Cisco solutions, just to name a few. The options in this space are nearly limitless, and chances are you already have one in place, even if it’s not in use.
The other option is to keep everything in the cloud, including the working environment, so there is literally nothing on the device. How is that done? Virtual Desktops.
Utilizing private cloud to deliver virtual desktops provides the best combination of usability and security. The environment is controlled completely by the organization, and no data is kept on the client device. Popular choices in this space are VMware View and Citrix XenDesktop. In addition to fully virtualized desktops, another popular option is to utilize virtual applications.
Virtual applications can be delivered like a desktop, and still benefit from saving data in the cloud. This can sometimes be easier for IT departments to deploy if they will not be able to standardize on specific desktops, and can actually be combined with virtual desktops for the most dynamic scenarios. Again, the options in this space are VMware with their Horizon Application Manager, along with Citrix and its flagship product XenApp.
In addition to the leaders, there are a multitude of startups in this space, as well as established companies that are trying to break into the market – and as such the quality and price run from free to astronomical, and everything in between.
Coming back to my initial story: during a border seizure or similar incident, you can unlock a device and allow it to be browsed and searched without having to worry about exposing the data. If a device is lost, it can be replaced and you can get back to work immediately, because your working environment is separate from the piece of hardware you are carrying around. The device is simply an access endpoint that acts as a stepping stone to the non-resident application execution and data storage environments.
There are many risks to your personal data, your company’s data, and a client’s data that we probably have not even thought of or experienced yet. The good news is that there are many technologies available to assist with mitigating these threats.
Over the last five years, virtual technologies have matured economically so that businesses of all sizes can take advantage of them. Indeed, even individuals can find solutions tailored to their budgets.
Virtualization can be a great platform for savings, but an even better one for protecting your data when deployed correctly.
When you think about the Bring Your Own Device (BYOD) phenomenon, does it send shivers up and down your spine?
If you answered “no” – great! Sounds like you have everything under control. But, if you answered, “yes” – you’re not alone according to our research.
These days, business and IT leadership wake up in a world where one-third of young employees use three different devices. For many, it’s a nightmare because there’s a gang of monsters hiding under the bed (i.e. security, cost, management, etc.). No wonder 73% of UK IT directors surveyed said they are concerned BYOD will cause IT costs to “spiral out of control.” Their fears are supported by Aberdeen Group’s finding that a company with 1,000 mobile devices spends an extra $170,000 per year, on average, when it uses a BYOD approach.
Yet, most IT leaders aren’t disputing the business case for BYOD.
With all this Fear, Uncertainty, and Doubt filling the market, we’re pleased to offer advice and practical solutions in the latest eGroup eBook, “7 Steps to a Sensible BYOD Strategy (So You Can Sleep at Night).” In it, you will learn how to devise and implement an effective BYOD strategy. Enjoy – and don’t let that gang of monsters win!
Download (PDF, 283KB)
eGroup’s SharePoint expert, Brad Shannon, was recently quoted in SearchContentManagement’s article covering SharePoint upgrades, “SharePoint upgrade requires sharp focus on planning, user preparation.” His advice on how to better prepare for an upgrade is pasted below.
Give the entire piece a read and then start documenting your infrastructure!
A company’s technology infrastructure also needs to be prepared for upgrading to a new version of SharePoint, and as part of that process, it’s important to document the existing features and services in a SharePoint environment as well as the new ones that will be deployed in the upgrade, said Brad Shannon, an application services engineer at eGroup, a technology consultancy in Mount Pleasant, S.C.
“If you don’t know what you have in your environment, you’re going to find out the hard way,” Shannon said, explaining that the more detailed the documentation of the current environment is, the better an organization can prepare for the SharePoint upgrade.
Companies should also start with a clean SharePoint farm, Shannon advised. “That means you don’t have anything on the farm you don’t need,” he said. Sometimes SharePoint systems will include items used for testing purposes that were never fully deployed or removed. Leaving them in place can create more work for SharePoint administrators, Shannon said.
["First Day...Four Questions" will be an ongoing blog series throughout 2013 as we on-board dozens of new team members. We want you to understand what makes our new colleagues tick, and what drives them to be "serious competitors." We hope you enjoy.]
My initial attraction to eGroup came from two things. The first was the description of the job position; it was as if the poster was talking to me directly. It was exactly the type of opportunity I was looking for. After spending more than a decade administering infrastructures, I realized how much I enjoyed designing and building them. I felt like I had met a match with eGroup. Of course, you also can’t deny the draw of such a magical place as Charleston. Once I had a chance to meet everyone, I knew it was the place for me. It is a rare thing in this day and age to find a company that is so dedicated to customer satisfaction. The recruitment process made me realize that not only do they take great care in selecting the absolute best candidate, but that I am one of them. I am looking forward to a long and lustrous career at eGroup.
What makes you a serious competitor?
According to my wife, it is because I am a know-it-all. That is, I go to great lengths to make sure I know what I am talking about. I like to do a lot of research and be as informed as possible. From a technical perspective I am a bit of a Dr. Frankenstein. I can get really creative when it comes to designing solutions and have been known to take decommissioned and outdated equipment and craft it into a viable production environment. Sometimes you don’t have a lot to work with and the end result might not be very pretty, but it most certainly does the job.
If you weren’t in Tech what would you be doing?
If left unmanaged, I will talk your ear off. I am definitely an extrovert, with a capital E. When you mix that with a love of foreign cultures you get an ideal linguist. Nothing activates the brain better than trying to learn a new language. In my studies I have learned a bit of Latin, Spanish, Japanese, and Chinese. When I got an opportunity to study abroad in France and Germany I made sure to learn enough of the language to survive during my two weeks there. Of course, if that didn’t pan out I could always go back to being a clown/magician.
What’s your Headline?
Former magician reveals centuries old secret of making objects disappear… “We just store them in ‘the cloud’…”
Welcome to the eGroup team, Chris!