Should users be left to their own devices?

A growing number of firms are allowing staff to use their own personal devices to do work. So what is driving the trend, and are there any potential pitfalls?

Organisations are increasingly allowing employees to use personal devices for business purposes. This so-called consumerisation of corporate IT is attractive to the business for several reasons, not least because it is cheaper – the company saves the cost of the device if the employee uses their own.

But there are pitfalls, too. For example, how can an organisation control the flow of information if it does not even own the end points? And in terms of security, who knows what malware an employee could unwittingly release onto the corporate network when using their own laptop with out-of-date security software?

In short, there are arguments for and against consumerisation, also dubbed “bring-your-own technology”, but how widespread is the practice?

Although the idea of letting staff use their own personal kit has been around for some time, it is only now starting to catch on. According to Tim Pitcher, vice president, international region, at 3PAR, some large enterprises are building private clouds and asking employees to provide their own means of accessing them.

“They’re saying, ‘Have £100 per month and go and sort out your own IT’,” he said.

Pitcher added that these organisations do not care what the access device is – iPad, notebook, BlackBerry, iPhone or whatever – so long as they enable their staff to access services in the cloud.

Andrew Kellett, senior analyst at Ovum, explained that some companies that follow the bring-your-own philosophy create virtual environments on the devices so that company applications can be accessed but the data itself remains behind the firewall on corporate servers.

“EMC is running a significant pilot project at the moment, in which it is applying a virtual image so that when employees link to business systems, they are doing so within a controlled environment, like a walled enclosure,” he said.

This can work in two ways. The controlled environment can take the form of a USB stick that a user plugs into his device to create the virtual partition – sometimes called “PC on a stick” – or it can be downloaded from the corporate network. Either way, the result is the same.

“In effect you’re quarantining the area of the machine that is connecting to the corporate network,” he said.

Kellett explained that EMC is implementing the project to allow staff to work more flexibly, without providing dedicated machines.

According to a recent survey commissioned by IT security firm McAfee, the key drivers for consumerisation are increased employee productivity, greater flexibility and faster turnaround times. Employees feel they can work faster and more easily using their own technology, and familiarity with their own devices reduces both training and support costs. And Stephen Prentice, Gartner fellow and vice president, recently argued that allowing staff to use iPads in the corporate environment can improve recruitment and retention rates.

But the fact remains that giving employees access to potentially sensitive corporate data on whatever device they choose is risky. Often these devices are mobile, which means they are easily lost or stolen. Compliance issues arise from the difficulty of verifying whether the data is secure. And finally, a lack of adequate malware protection can open an easy route through the corporate firewall for hackers.

For these reasons, many enterprises will naturally be reluctant to jump on the consumerisation bandwagon. However, they will only be able to stand by the wayside for so long. A recent report from IDC estimated that the global mobile workforce will grow to nearly 1.2 billion by 2011.

“Companies need to enable employees rather than try to control them,” said Eugene Buyakin, chief operating officer at IT security firm Kaspersky. “A proper anti-malware strategy is the answer.”

Other tools that can minimise the risks posed by personal devices include network access control (NAC) systems, which can ensure that devices comply with company security standards before they are allowed to access the network.

Pitcher added that strict control of access policies can also help. “Just because people have access to information today on company equipment, does not mean they don’t back it up, or take it offline anyway. You have to operate to policies.”

Jason Hart, senior vice president of CRYPTOCard and self-styled ethical hacker, said end point security is another key element of safe consumerisation.

“Organisations need to set up controls and policies for these devices as if they are non-trusted users,” he said. “Do I start trying to push policies down to the iPhone or iPad, which is impossible to do anyway? Or do I verify that the user is valid?”

Hart explained that this is possible with two-factor authentication. Companies can issue a token to the user which generates a one-time key, confirming their identity and allowing them to access corporate resources.

With these security tools, companies can at least minimise and manage the risks, while being able to enjoy the rewards.

According to Kellett, we are currently just seeing the tip of the consumerisation iceberg. “It’s still at the early stages, and organisations are starting to consider the benefits,” he said. “I think five years from now it will be a lot more widespread.”