CITE Conference to Tackle BYOD Issues

The bring-your-own-device trend brings IT challenges

As more and more employees show up at work with their own smartphones, tablets or mobile devices -- and ask for access to corporate data, applications and networks -- IT managers are faced with a big challenge: how to support consumer technology at work while maintaining control of sensitive corporate data.

That's one of the main topics this week at the Consumerization of IT in the Enterprise (CITE) Conference in San Francisco. The conference began yesterday and runs through tomorrow. It was created by IDG Enterprise, which includes Computerworld.

At issue is the fact that 83% of companies that support a "bring your own device (BYOD) to work" policy also allow employees to use their devices for both personal and business purposes. And 40% of those same companies allow employees to access and store confidential corporate data, according to Terri McClure, an analyst at Enterprise Strategy Group (ESG).

For example, users are choosing their own software applications in place of IT-sanctioned business tools, particularly for online file sharing and project collaboration. And corporations are supporting those moves. Service providers such as SugarSync, and DropBox that allow file-sharing in the cloud are red-hot, according to McClure.

"Corporations are behind the eight ball in finding out half of their employees are using services like DropBox," said McClure, who is speaking about online file storage and collaboration tools at the conference this week.

Among the more than two dozen speakers at CITE are Tony Lalli, infrastructure architect at the Bank of New York Mellon; Dave Malcom, CISO at the Hyatt Hotels; Brandon Porco, CTO of IT at Northrup Grumman; Kevin Jones, consulting social and organizational strategist at NASA's Marshall and Goddard Space Flight Centers; and Mike Brown, director of corporate development at Twitter.

According to McClure, ESG is tracking 20 file-sharing vendors -- and it's finding that companies are increasingly opening up access to those external file-sharing services.

"Corporations just don't want to have their [users] go through the VPN," he said last week in an interview. "They're saving a bundle in VPN costs by not having everyone have to log in to the VPN, and the end users are happy because they can use any device and they don't have to deal with the performance hit."

McClure said many cloud storage providers are also racing to build tools offering corporate control of end-user file sharing. That way, if a user loses a mobile device or leaves the company, the data can be wiped in the cloud instead of from the device itself.

But for most companies, employees are still able to download confidential information onto their mobile devices.

Philippe Winthrop, managing director of The Enterprise Mobility Foundation, said the issue is not one of technology. It's all about policy.

For example, Winthrop pointed to NASA's recent admission that it lost a laptop that contained the unencrypted control codes for the International Space Station.

"That's a business issue, not a technical issue. There's technology available to protect that data," Winthrop said, referring to data encryption. "Had the owner of the laptop been trained to understand what happens when you lose that data, that could have been averted."

Winthrop, who is leading a panel discussion on mobile device strategies this week, said companies shouldn't support BYOD. Instead, they should focus on a corporate-owned, personally-enabled [COPE] mobile device strategy.

BYOD, Winthrop said, means a corporation must struggle with securing data on devices it can't control.

"You can't fight the war of consumerization of IT, but you can pick your battles," he said. "It's not about data security. It's about risk management. We need training by the corporations not on how or what to use, but what the impact is."

With a COPE strategy, companies allow employees to choose any device they want, but those devices are owned by the company and IT secures the data on them. "So they allow the individual to download Angry Birds, but in a controlled fashion," he said.

Rick Bauer, research director at the Computing Technology Industry Association, agreed with Winthrop that BYOD brings with it a myriad of security and regulatory issues. He also sees corporate ownership of mobile devices -- and the virtualized infrastructure needed to support them -- as having its own set of issues.

Bauer, who is speaking on organizational change in the face of consumer IT adoption, said the "interim" solution appears to be deploying a virtual desktop infrastructure that presents corporate applications to users.

"In other words, let's give the end user an experience of having access to corporate data without the ability to scrape it, send it or save it," he said.

Corporate-run mobile apps also mean a need for more wireless network bandwidth, Bauer said.

Another issue involves corporate control of personal data, meaning when a mobile device is lost or stolen, the company has the ability to wipe the device of all data.

At the RSA Conference earlier this month, Bauer said he listened to one large corporation wax over the fact that its corporate policy is to delete all data on personal devices that are also used for business purposes. That policy, Bauer said, is not tenable for both legal and regulatory reasons.

"In other words, the employee is going to trade their privacy for convenience," he said. "I don't think today's knowledge worker is going to make that trade, not in America and certainly not in European Union nations, where such a policy would run afoul of some stringent privacy regulations."

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed . His email address is .

See more by Lucas Mearian on .

Read more about smartphones in Computerworld's Smartphones Topic Center.

Copyright © 2012 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.