BYOD - Opportunity or information security risk?
BYOD was on the increase throughout 2011, in fact according to Infoworld many companies that have accepted the BYOD phenomenon are taking the next step, shifting from a passive acceptance spurred on by employees and executives who would use iPhones, iPads, and Androids anyhow to active exploitation of BYOD to increase productivity and reduce mobile telecom costs. In other words, businesses are learning that not only are mobile-equipped information workers a great way to increase productivity and ROI but that employees will foot much or the entire bill for the privilege.
Along with this comes information security risks and issues with IT department controls, managing consumerisation of IT is one of the major challenges facing CIO and Information Security heads this year. Paul Wilson, Information Technology Security Manager at Yorkshire Water will be speaking and sharing his experience at the annual 2012 Information Security Executive Summit in February in an end user case study session on how they manage consumerisation within the organisation.
Some organisations are embracing BYOD as an opportunity; SAP, for example, has 12,500 iPads in use across a wide range of business groups, and iPads are popular in all sorts of customer-facing businesses, from insurance sales to energy inspection, from health care to kiosks. Infoworld also wrote an article based on an interview with the CIO Oliver Bussmann of SAP about their approach to managing consumerisation and found that they have quite an open minded approach.
When mobile device management tools became available, SAP adopted one, for more formal management. But it has not adopted technologies such as data loss prevention (DLP) to monitor the flow of information to and from these devices. Bussmann believes the better approach is a form of digital rights management (DRM), where the security is intrinsic to the information itself. DLP and other perimeter approaches all require determination on the fly of what is secret, which means there are too many opportunities to calculate incorrectly or too late, much less act. Plus, false positives hinder employees from doing their work.
Instead SAP use policies to map access to levels of trust, and he can foresee using analytics tools to create finer-grained policies based on the level of trust derived from monitoring employees' actual behaviour. Those who act more responsibly get more trust, and thus more access and capability. Because mobile devices are so strongly monitored, Bussmann is confident that SAP can use a behavioural approach to tune permissions and access on an individual level, not just on predefined groups - essentially, a trust engine.
According to a blog by George Watt, VP of Strategy for the Cloud Computing organisation at CA Technologies IT organisations are not ready and not reacting to this exponential growth.
Many have done little more than providing basic connectivity for their tablet users. And that means more than just devices themselves. It means SaaS: the cloud, mobility, social networking, new app delivery and support models and all the inherent opportunities, rewards, and risks (security, privacy, and so on) that come with these. IT organisations that adopt a posture of simply accepting devices into the workplace, and fail to proactively evolve processes and platforms to optimise productivity and minimise risk, are ceding competitive advantage.
Sources
http://www.infoworld.com/t/byod/byod-you-aint-seen-nothing-yet-182028?page=0,2
http://www.infoworld.com/t/byod/the-new-byod-businesses-are-now-driving-adoption-181887
http://www.infoworld.com/d/mobile-technology/lessons-managing-12500-ipads-181083?source=footer
