Is the industry hyping ‘Bring Your Own Device’ (BYOD) as the next big thing? I don’t think so. It’s much more a forced response to users driving the issue by deciding to use their own devices. AND this is the big point: it’s the cloud that allows them to do this. No, not your Enterprise IT idea of a cloud defined by its role in supporting Enterprise IT, but genuine cloud technology accessed via the internet as an extension of the web. This apparently universal situation of users moving beyond smartphones and into tablets, and at the same time changing how they work, is now an established reality almost everywhere.
This is a very worrying situation. Why? Because by definition this is an uncontrolled situation and good IT management and practice is based on firm controls and governance. This, TOGETHER with rethinking how the use of cloud technologies can benefit the IT environment, creates a huge spread of possibilities equaled only by the huge spread of security risks that goes with it. There is a further dimension to this and that’s doing business with customers, suppliers and others externally, certainly through the use of ‘content-driven’ forms on websites and increasingly via orchestrated services and apps using a cloud. All of these activities are in play at once with great pressure on delivering or accepting their deployment.
Put Governance for Security in Place before Tackling BYOD
No wonder this resonated with me when I read a new whitepaper by colleagues at Capgemini entitled ‘Secure journey to the cloud – a matter of control’. I will leave you to read the full paper, which separates the various ways clouds are used and defines the appropriate approach to address each one. As is usually the case with dauntingly complex topics, the paper succeeds by breaking the whole down into addressable parts. This is important because before tackling BYOD there is a need to identify and put in place this level of fundamental governance for security.
Dismissing BYOD as ‘Not allowed’ is not the Answer
I want to focus on BYOD because it is simply a huge ‘out of control’ reality that pretty much everywhere needs to have a spotlight shone on it. There is a tendency to try to dismiss it by saying that it’s not allowed. But that doesn’t work and won’t work, particularly as there are too many board level executives in leading roles who have adopted BYOD! I have heard the iPad in particular called the ‘executive revolution’ and there is plenty of evidence in support of the desire to adopt and deploy. Interestingly, this support is coming from some of the major IT vendors too. SAP published a compelling article entitled ‘iPads have helped some of this company’s salespeople double their sales’ in which they quote not only themselves but IBM as commercial leaders. It’s hard for Enterprise IT to argue against adoption on the grounds of endangering the ERP systems when SAP is arguing for adoption!
There are whole sites now dedicated to using iPads in business with lots of good examples of making commercial benefits in different areas, as well as practical tips on the technology and its management. The somewhat wrongly (to my eyes, at least) entitled iPadCTO site is a good example, though I think it should have been called iPadExecutive given the content. I recommend a visit to get a really good grounding in the business iPad revolution. There are indexed vertical industry sector examples to be found at the ipadtowork site and frankly any business press has plenty to say on the topic. Clearly the ‘not here’ argument isn’t going to work at any level in the face of this many factual examples.
How to Approach Cloud Security and BYOD
So onto practical steps: there is obviously a need to assess the risk posed by the device itself. There is surprisingly little information on this because, as you will discover on the eSecurity Planet website, the simplicity of the operating system and its design features limits the threat opportunities. Equally, its operational manner via the Apple app shop (which is a cloud, by the way, albeit an interesting example of a publicly accessible one with strict private management and access) makes for further security. And of course iPads and other BYODs are naturally being operated by users, and should be maintained by conscious policy as devices ‘outside the firewall’. The concept of defining this as ‘outside-in’ (see the Capgemini whitepaper on this) is catching on in the industry, and it means that Enterprise IT ‘inside the firewall’, or ‘inside-out’, is safely isolated.
The big risk is the users themselves and their behavior. This is particularly so with email and attached documents or passwords stored in contact files. In short, the number one issue to ‘secure’ is the user! This is a recognizable fact in conventional security too, but with BYOD the IT department’s ‘controlling’ capabilities are too limited for real safety. I may be wrong but I reckon that something beyond the rules and guidelines is required to shock users into the reality of the personal risk. One good answer is to include a reference to the pwnedlist website where a quick anonymous check can be made on any email address to see if it has been hacked. I would also urge a monthly check of your email address at https://www.pwnedlist.com/ to test if you are one of the more than 12 million currently known to have been compromised. Now that makes it VERY personal!
So two routes in combination: go ‘Enterprise out’ towards the cloud using a structured approach and tools; at the same time, opt for ‘User in’ around BYOD and the new level of personal risk. If you can break up the ‘haze’ then the safe adoption of the many beneficial aspects of the cloud is achievable.