Dec 13, 2012
At first, it was felt that the major issue was around how an organization would manage these devices, and how they could ensure that all the cloud services chosen by the organization would be provisioned and managed on these disparate devices sourced by employees.
I doubt that organizations will find that this is the biggest issue, however. Cloud service providers will take an approach of ensuring that their solutions run on as many platforms as makes economic sense. It is not good for their revenues to say “Hey, we’ve got the best solution to your problem… provided you are running Android that is. You’re running iOS? Tough — we don’t support that”. Just look at the App Stores on different mobile platforms and see the commonality of apps, or look at the services that just run through a browser.
No, the biggest problem is far more likely to be that once an individual has their hands on a device, the first thing they are likely to do is not bring it in to work and ask IT to make sure it works with the business. The individual will start to download apps from the App Store, and by the time the device makes it to the business it will already have a load of “things” loaded on it: stuff like Dropbox and Google Docs which bypass existing enterprise systems, and dedicated apps for travel and entertainment which step outside the policies and procedures set by the organization.
A kind of “Bring Your Own Cloud”, then. Such a do-it-yourself, pick-‘n-mix approach not only has security issues, but also re-introduces the problems that IT has spent so long trying to solve: islands of functionality and silos of information. Unlike the way in which access to such services can be monitored and captured if the individual is tethered to a laptop or desktop within the organization, these services can be downloaded without IT having the faintest clue as to what is happening.
However, there are a few glimmers of hope out there. Agentless systems management tools can audit a range of devices, creating an asset list of known apps and cloud services that are on such a device. The issue then becomes one of whether it is legally and morally right to audit an individual’s device in this manner, including their own personal software and services.
If not, then coming up with a solution will be far more problematic. Virtualizing an area on a device is an option, and enforcing all business access to be through this “sandbox” is possible, but it does mean that IT must have the capability to implement such virtualization not only on devices that exist today, but also on new devices as they come through. It also means that each device will have to be provisioned with this capability, and that security will have to be managed to stop users from just bypassing the sandbox and using their own chosen tools anyway.
BYOD offers some great opportunities to organizations in enabling individuals to work with devices of their own choice. To work well for the organization, however, DIY BYOC has to be avoided.
You cannot bury your head in the sand on this one — research, investigate, plan, and implement to avoid corporate information being splintered across multiple cloud platforms.
Image credit: Phil Roeder (flickr)