Introduction
IT is often wary of connecting personal mobile devices to the corporate network. While not without its risks, the benefits usually outweigh the minimal costs. Learn to efficiently and safely manage the influx of consumer technology.
This solution set provides practical steps to take when considering or implementing an official stance on the use of consumer technology in the workplace. It will help readers understand that:
Like it or not, consumer technology is invading the enterprise. Recent increases in the prevalence and variety of smart mobile devices make them an unavoidable issue to consider.
Allowing personal devices in the workplace boosts productivity and end-user satisfaction. The majority of organizations are allowing them and having great success doing so.
There are several different mobile platforms. Each has its own nuances. Understand them and simplify the management of a personal mobile fleet.
It is not risk-free. Learn about the technologies that can help mitigate potential damage.
Safely merging the consumer and the enterprise begins with compliance. Draft a policy and hold training sessions to help employees deal properly with incidents and keep them from happening in the first place.
If you can't beat them, join them. It is safer to facilitate connecting personal mobile devices to the corporate network than have end-users connect without IT's oversight.
Info-Tech Research Group 2
Executive Summary
The last two years have seen a marked increase in end-user comfort with smart phones, resulting in a greater number of employees bringing in personal technology to aid with performing their job functions.
83% of organizations surveyed by Info-Tech allow personal mobile devices on their corporate networks, though most do so only after an employee has signed a policy highlighting the rights of IT and the end-user regarding data on the device.
Regardless of whether users are bringing in tablets or smart phones, the majority of IT's job on the management side remains the same. Focus on policy creation, management and enforcement.
Determine what level of mobile security your organization requires (Minimum, Basic, Enhanced or Lockdown) and implement policies and technology checks and balances accordingly.
Remote wipe and over-the-air encryption are the most common security functionalities put in place by organizations at all levels of the security spectrum to mitigate the threat of sensitive data leakage.
Understand that all mobile platforms are not created equal; each has its strengths and weaknesses. BlackBerry is the most popular personal device on the corporate network due to embedded infrastructure and advanced out-of-the-box security functionality.
Finally, securing end-user compliance with internal mobile policy is the largest contributor to successfully managing a fleet of personal mobile devices on the corporate network.
Understand
Evaluate
Strategize
Implement
Allow personal mobile technology in the enterprise to boost productivity and end-user satisfaction.
Don't dismiss personal mobile devices without consideration; there are benefits to be had by allowing end users to connect their personal mobile devices to the corporate network.
Think nobody's doing it? 83% of your peers are allowing personal mobile devices on the network.
Determine what level of mobile security is best for your organization.
[Chart: personal mobile devices on the corporate network, 83% / 17%; N = 144]
*Respondents were asked to select all that apply, resulting in a cumulative total greater than 100%.
Organizations that allowed devices other than BlackBerry, iOS, Android and Windows Mobile were drastically less successful than those that did not. Allow personal devices on the network, but stick to the major players to avoid being trapped in a mobile device jungle.
Post-2008
End-users bring technology to IT
IT
The flow of new devices to the end-user was governed by IT. Users were not tech-savvy enough to take advantage of personal technology in the workplace and limited themselves to what was provided to perform their job roles.
IT
End-users have become more demanding about technology. The flow of new technology into the workplace has shifted from a dedicated IT group to the user. Employees are now concerned with using the latest technology to perform their jobs more efficiently, and demand that IT keeps up.
The onus of new technology introduction in the workplace has shifted from IT to the end-user.
Don't get mired in definitions; manage any mobile device that connects to the corporate network
Smart phones make up the majority of mobile devices connecting to the corporate network, but some users may push for tablets and readers. Don't panic. The variance in devices does not matter if you have the right management strategy in place.
Tablets
Smart phones
Tablets and smart phones access the corporate network in very similar ways. Between iPhones and iPads, for example, there is no difference in the mobile management policies needed.
Don't try to quantify innovation & productivity benefits, but understand that they are real
There is no accurate way to quantify the innovation and productivity benefits for employees, but understand that with improved business connectivity, you can expect the following changes:
Experience quicker turnaround time on time-sensitive e-mails, because end-users will check and respond to their e-mail more often after hours.
Third-party apps can be your friend. Android, BlackBerry and iOS all have independent app stores, which contain mobile applications, some of which are aimed at improving productivity (though some are productivity killers). Look into apps aimed at corporate productivity and connectivity for quick wins with employees. Apps designed to transfer SMS text messages over data networks as opposed to cellular networks, for example, allow users to send unlimited text messages.
Most personal devices can also connect to virtual desktops.
Pain Point
Administering and paying for corporate devices was significantly driving up costs. The organization needed to find a way to maintain connectivity with employees, but remove the cost burden of maintaining corporate liable mobile devices.
Solution
Allowed senior employees to keep corporate-issued phones, but mandated that data and voice contracts were personally held. Junior employees were stripped of mobile devices and encouraged to bring in personal devices to connect to the network. Saved $48,000 a year in mobile contracts alone.
Even if they were already given corporate devices, employees can be convinced to attach personal mobile devices to the network. If the cost of managing a corporate mobile device fleet is becoming a burden on IT, consider switching to a personal device setup. Gift formerly corporate devices to soften the blow of transferring the cost to employees.
We had a reduction in costs from no longer covering the monthly bills. We were spending about $4,000 a month in contracts and now we spend nothing.
-IT Executive, YMCA
Insight
Embrace the Apple effect: the iPhone 3G exploded by being a multi-function communications & recreational device
The introduction of Apple's iPhone 3G in 2008 spurred a smart phone craze among recreational end-users, raising their comfort with technology.
The iPhone 3G's carrier-subsidized pricing opened the doors to smart phone adoption for the common man. With a subsidized price of $200 in 2008, 48% of iPhone 3G adopters were from households earning between $25,000 and $50,000 annually.
The iPhone 3G was viewed as the first practical convergence device; it eliminated the need for multiple devices. The price tag of the iPhone and an accompanying plan were not feasible for lower-income markets as a phone. But the value gained from eliminating the need to purchase multiple devices spurred adoption of the iPhone as an affordable does-it-all gadget.
Source: comScore
Smart phones, and the iPhone in particular, are appealing to a new demographic and satisfying demand for a single device for communication and entertainment, even as consumers weather the economy by cutting back on gadgets.
- comScore
Define your security needs based on the sensitivity of your data, and act accordingly to optimize device management
The level of policy enforcement and security your organization requires is contingent upon regulatory compliance requirements and data sensitivity.
Minimum
Companies that do not provide employees with any sensitive data (e.g. trade secrets, fiscal information, and press releases) do not need to invest in infrastructure to increase device security. Creating end-user mobile device policies and conducting training for such organizations is often unnecessary.
Basic
Companies that are concerned with employees carrying sensitive data in their corporate e-mail accounts must create a mobile device policy to enforce the right to remote wipe user devices and mandate password protection. End-user training on policy and compliance are also required.
Enhanced
Enhanced security measures must be taken by organizations that have highly sensitive data in employee in-boxes and calendars. These organizations must develop a mobile device policy, conduct training, and consider limiting adoption to only devices with over-the-air encryption, such as BlackBerry.
Lockdown
Lockdown is necessary for those organizations that must adhere to regulatory compliance and house potentially damaging business data on end-user devices. In general, these organizations should only be considering BlackBerry. Those that accept other devices must implement third-party management tools, policies, conduct training, and limit device adoption.
Organizations with more employees had less success in allowing personal devices on their networks. Large organizations should be particularly stringent in mitigating the risks of incorporating consumer technology, and look towards Enhanced and Lockdown levels of mobile security.
Multiple mobile platforms exist for end-users; understand the nuances of each.
RIM's BlackBerry offering excels at security, but iOS and Android have traditionally been more fun; these lines of differentiation are beginning to blur as BlackBerrys get more fun, while iOS and Android become more enterprise-appropriate.
The majority of organizations allow BlackBerrys and iPhones on the corporate network, with Android catching up fast. Match your level of required mobile security to the platforms you can and cannot accommodate on the network.
BlackBerry
Developed by Canadian company Research In Motion, the BlackBerry was introduced to the market in 2002.
Unlike the Android and iOS offerings, BlackBerry has a limited app store.
Requires implementation of BlackBerry Enterprise Server (BES) or BES Express to integrate with the corporate e-mail infrastructure.
Security is the platform's biggest strength, as data is encrypted on the device and over the air with a native BES setup.
Apple iOS
Developed by California-based Apple Inc., iOS runs only on Apple devices, such as iPhone, iPod Touch, and iPad. The original iPhone OS was introduced on Apple's first iPhone in 2007.
The OS is updated with new releases of the iPhone and also sees regular patching between major updates.
The Apple app store is the largest of any mobile platform, now carrying over 300,000 apps.
The security offering of iOS (renamed from iPhone OS) is less robust than BlackBerry, but is adequate for most organizations and can be improved with 3rd party technology.
Android
Seeded by Google in 2005, Android-based handsets started to become available in 2008.
Unlike BlackBerry and iOS, Android is not a manufacturer-specific OS and runs on handsets from a variety of manufacturers. The OS is the only one of the big three available as open source under the Apache Software License.
While not as large as the iOS app store, the Android application pool is growing quickly, and contains over 100,000 apps.
Security offering is slightly less effective than iOS out of the box, as Android does not support as many ActiveSync IT policies.
Ranked first among all smart phone OSes sold in the US for the 2nd quarter of 2010 at 33%.
BlackBerry dominates the market in terms of security features, but offers little to recreational end-users
68% of businesses allow BlackBerrys on their corporate network.
Company: Research In Motion (RIM)
Headquarters: Waterloo, Ontario
Primary Advantage: Security features are largely ahead of competitors.
Primary Disadvantage: Smallest app store
Strengths
Security. Native security features beat out iOS and Android.
Dedication to enterprise. RIM dominates in the enterprise, and would like to keep it that way. BlackBerrys and the upcoming RIM PlayBook tablet will continue to focus on business features but are rapidly catering to the consumer market as well.
Physical keyboard. Most business uses require quick text-based communication. Many users find that a physical keyboard has an advantage over the touch-screen-only input of the iPhone and some Android devices.
Challenges
The ugly duckling. With the exception of the touch-screen-equipped BlackBerry Torch, the buttons and menus of BlackBerrys are starting to look dated. A non-intuitive interface means more help desk calls asking which thing to press to make it do that thing.
Smaller app store. Having fewer apps than other platforms may limit on-the-go productivity that requires specific software, and be less appealing to users.
Bottom line: as the security leader, there is no reason to disallow BlackBerry. For businesses with compliance regulations or sensitive data, it may be the only option.
Offering the largest app store & strong multimedia capabilities, Apple's iOS is the people's choice
50% of businesses allow iOS devices on their corporate network.
Company: Apple Inc.
Headquarters: Cupertino, California
Primary Advantage: Largest app store & community
Primary Disadvantage: Security is lacking in comparison to the BlackBerry
Strengths
Employee demand. With the recent introduction of the iPhone 4 and iPad, iOS devices lead in new connections to corporate networks in 2010.
Ease of use. A user-friendly interface and walled-off app store mean more employees using their devices without issue, and fewer cries for the IT department's help.
The most apps, the most fun. There are plenty of productivity apps in Apple's massive store, allowing employees to keep in touch on the go. The hardware is ideal for consuming media.
Challenges
Enterprise ready? Although Apple is finally taking enterprise seriously with iOS 4, the corporate environment is still not the iOS device's native habitat. BlackBerry is at the top of the enterprise food chain.
The most apps, the most fun. The same multimedia and app capabilities that aid productivity can distract from corporate goals. More apps also means more potential for security breaches or accidental sharing of sensitive data.
Bottom line: give the people what they want. Allow iOS devices unless there are specific reasons not to.
Android remains the only open source offering in the big three, and is gaining market share quickly
30% of businesses allow Androids on their corporate network.
Company: Google Inc.
Headquarters: Menlo Park, California
Primary Advantage: Open source OS
Primary Disadvantage: Concerns about applications storing and distributing private information
Strengths
Future proof. Androids are taking over the world. Google's OS is the fastest growing platform of 2010, with a thriving ecosystem of hardware and apps. Android is unlikely to self-destruct any time soon.
Open development. An open development platform allows easy access to productivity apps, or development of custom apps to fit the organization's needs, without the hassle of requiring third-party approval.
Challenges
The cost of openness is security. Fraudulent apps can and have been developed to gather and transmit sensitive information for nefarious purposes. Determining an app's trustworthiness is left to the end user, who may not always be the best judge.
Fragmented. With a variety of devices made by several different companies, some with custom versions of the OS, demand for support may be more frequent and more taxing compared to the more focused iOS and BlackBerry lineups.
Bottom line: you will encounter an Android soon. Learn to deal with its potential security limitations.
Windows Phone & Symbian round out the top five, but are significantly less popular among North American end-users
Windows Mobile
Microsoft's Windows Mobile OS has been on phones since 2000. Windows Mobile is being phased out to make room for its successor, Windows Phone 7. Early buzz pegs Windows Phone 7 as impressive, but it remains to be seen if it will be another mobile OS contender, or too little too late.
Open development, but tightly controlled app store.
Typical security features present, with some extra protection for good measure.
Exchange and Mobile Office are useful in enterprise, but primary audience is consumer market.
Symbian OS
Originally owned by Finnish corporation Nokia, the Symbian OS has been on smart devices since 2000 and became open-source in 2010. Symbian is the worldwide leader, powering nearly half of all smart phones sold, but lacks penetration in North America. Runs on a variety of phones. Open development platform, but certain capabilities require authentication. Security has been a problem, but increasingly stringent app requirements have alleviated most threats. Compatible with Microsoft enterprise solutions, such as Exchange ActiveSync.
webOS
First appeared on the Palm Pre smart phone in 2009. Palm was recently purchased by Hewlett-Packard. HP is dedicated to updating webOS and leveraging it into new smart phones, as well as tablets and other devices. Although webOS does not currently have a large market share, HP's enthusiasm makes it worth watching.
Runs only on Palm branded devices.
Uses existing technologies such as HTML5, Java, and CSS for easy development. Development requires registration, but is open and free for in-house applications.
Focus on integrating email, calendars, and social networking (including Exchange ActiveSync support) facilitates constant connectivity.
BES
3rd Party
Exchange
The sharpest divide is between BlackBerry and all other platforms. Management solutions such as BlackBerry Enterprise Server only work with BlackBerry. Third-party solutions like Good Technology, MobileIron, and Sybase iAnywhere, work with everything but BlackBerry.
There are various risks involved with each platform; learn what they are, and how to mitigate them most effectively.
Data leakage and increasing support costs are the organization's primary arguments against personal mobile device adoption. Remote Wipe and Over-the-Air (OTA) Encryption are the most effective ways to ensure lost or stolen devices do not leak sensitive information, and that information is not intercepted while in transit.
Third-party infrastructure, such as Good Technology, Sybase iAnywhere, or MobileIron, is an effective tool for organizations with Enhanced or Lockdown mobile security requirements.
Technological features, such as remote wipe and over-the-air (OTA) encryption, decrease data security risks
These features are native functionality on the BlackBerry via BES and BES Express; iOS and Android devices require third-party infrastructure, including Exchange ActiveSync, to implement remote wipe and OTA encryption.
Remote Wipe
Remote wipe functionality provides IT with the access to wipe a device back to factory defaults in the event it is lost or stolen. Organizations that require Enhanced or Lockdown levels of mobile security must include a remote wipe agreement in their mobile policy and invest in 3rd party infrastructure to enable remote wipe on iOS and Android devices.
OTA Encryption
OTA encryption allows IT to encrypt messages in transit between corporate mobile devices. The encryption prevents them from being intercepted and decoded by a third party. Again, this is largely a concern for organizations that require Enhanced or Lockdown levels of mobile security. An investment in third-party infrastructure is required to enable this functionality on iOS and Android devices.
Leverage Exchange ActiveSync mailbox policies across Android & iOS personal devices to minimize security threats
Exchange ActiveSync mailbox policies enable IT to apply a common set of policy and security settings to individual or grouped users to efficiently control data connections to personal devices.
At a minimum, implement the following Exchange ActiveSync policies across varying levels of mobile security:
Minimum
Basic: Minimum, plus the following:
Device encryption enabled
Password expiration
Over-the-air encryption via 3rd party infrastructure
Enhanced: Basic, plus the following:
Require device encryption
Lockdown: Enhanced, plus the following:
Require encrypted S/MIME messages
Require storage card encryption
Minimum device password complex characters
Maximum failed password attempts
A full listing of available Exchange ActiveSync policies is available via Microsoft TechNet, here.
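An added example, not part of the Info-Tech material: a Python audit that checks exported ActiveSync mailbox policies against the cumulative tier lists above. Setting names follow the Exchange ActiveSync mailbox policy parameters; the sample export, the Minimum baseline (a device password, taken from the summary's "at a minimum, have a password policy") and the alphanumeric precondition are assumptions.

```python
import json

TIER_ORDER = ["Minimum", "Basic", "Enhanced", "Lockdown"]

def flag(name):
    """Check that a boolean policy setting is switched on."""
    return lambda policy: policy.get(name) is True

def limited(name):
    """Check that a setting carries a real limit; Exchange reports 'Unlimited' when none is set."""
    def check(policy):
        value = policy.get(name)
        return value is not None and str(value).strip().lower() != "unlimited"
    return check

def complex_chars(policy):
    # Assumption: a complex-character minimum only counts when an
    # alphanumeric password is also required, so both are checked together.
    try:
        count = int(policy.get("MinDevicePasswordComplexCharacters", 0))
    except (TypeError, ValueError):
        return False
    return policy.get("AlphanumericDevicePasswordRequired") is True and count >= 1

# What each tier adds to the tier below it. OTA encryption via third-party
# infrastructure (Basic) is not an ActiveSync setting and is out of scope here.
TIER_ADDITIONS = {
    "Minimum": {"DevicePasswordEnabled": flag("DevicePasswordEnabled")},  # assumed baseline
    "Basic": {
        "DeviceEncryptionEnabled": flag("DeviceEncryptionEnabled"),
        "DevicePasswordExpiration": limited("DevicePasswordExpiration"),
    },
    "Enhanced": {"RequireDeviceEncryption": flag("RequireDeviceEncryption")},
    "Lockdown": {
        "RequireEncryptedSMIMEMessages": flag("RequireEncryptedSMIMEMessages"),
        "RequireStorageCardEncryption": flag("RequireStorageCardEncryption"),
        "MinDevicePasswordComplexCharacters": complex_chars,
        "MaxDevicePasswordFailedAttempts": limited("MaxDevicePasswordFailedAttempts"),
    },
}

def requirements_for(tier):
    """Merge the checks of the given tier with those of every tier below it."""
    merged = {}
    for name in TIER_ORDER[: TIER_ORDER.index(tier) + 1]:
        merged.update(TIER_ADDITIONS[name])
    return merged

def audit_policy(policy, tier):
    """Return the sorted names of settings that fall short of the tier."""
    return sorted(s for s, check in requirements_for(tier).items() if not check(policy))

def highest_tier_met(policy):
    """Return the strictest tier the policy fully satisfies, or None."""
    met = None
    for tier in TIER_ORDER:
        if audit_policy(policy, tier):
            break
        met = tier
    return met

# Constructed sample export of two mailbox policies (names and values are illustrative).
SAMPLE_EXPORT = """[
 {"Name": "Default", "DevicePasswordEnabled": true, "AlphanumericDevicePasswordRequired": false,
  "DeviceEncryptionEnabled": false, "DevicePasswordExpiration": "Unlimited",
  "RequireDeviceEncryption": false, "RequireEncryptedSMIMEMessages": false,
  "RequireStorageCardEncryption": false, "MinDevicePasswordComplexCharacters": 3,
  "MaxDevicePasswordFailedAttempts": "Unlimited"},
 {"Name": "Finance-Phones", "DevicePasswordEnabled": true, "AlphanumericDevicePasswordRequired": true,
  "DeviceEncryptionEnabled": true, "DevicePasswordExpiration": "90.00:00:00",
  "RequireDeviceEncryption": true, "RequireEncryptedSMIMEMessages": true,
  "RequireStorageCardEncryption": true, "MinDevicePasswordComplexCharacters": 3,
  "MaxDevicePasswordFailedAttempts": "Unlimited"}
]"""
SAMPLE_POLICIES = {p["Name"]: p for p in json.loads(SAMPLE_EXPORT)}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, "meets:", highest_tier_met(policy),
              "| missing for Lockdown:", audit_policy(policy, "Lockdown"))
```

The second sample policy stops at Enhanced because its failed-attempt limit is still "Unlimited", a gap that is easy to miss when reading the export by eye.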
45% of organizations that are facing issues with end-user policy compliance adopt third-party infrastructure to manage personal mobile devices.
Organizations that use third-party infrastructure to manage personal mobile devices were 20% more successful than those that did not.
+20%
Third-party infrastructure, such as MobileIron, iAnywhere Afaria, and Good Technology, enables advanced encryption and management functionality.
Degree of Success: Organizations that adopted third-party infrastructure to aid with personal mobile device management were markedly more successful than those that did not.
Using a [third-party] server is a little bit more costly than not, but with sensitive data it is the best option. The third-party server makes our iPhones as secure as the BlackBerrys we have on the server.
59%
- IT Director, Entertainment
Draft a policy and conduct training sessions to ensure users abide by it to mitigate security risks.
Having employees sign a personal device mobile acceptable use policy that outlines the rights of IT is critical to data security, especially in the event of loss or theft. Signing a policy isn't enough; run training seminars with employees to ensure they understand the policy's nuances.
Draw a line in the sand: tell end users what they can and can't do to decrease the effect on support costs
Do support end-users with the following problems:
My phone won't receive e-mails.
My phone is frozen.
My screen is cracked.
52% of respondents strongly agreed with the following statement: Help desk support requirements have increased [since allowing personal devices on the network].
n = 113
The majority of survey respondents interviewed saw an increase in support costs after permitting personal devices on the network. Those that did not focused heavily on developing a policy that outlined resolution options for common issues.
In short, when it comes to personal device support, focus on mitigating connectivity issues with corporate infrastructure. Leave end-users to manage their own devices when it comes to hardware and support issues.
Maximize the potential for success by securing user compliance with internal personal mobile standards
Policy training and enforcement, coupled with technological enforcement, are the largest drivers of user compliance.
User Compliance Drivers
Policy Training
7%
Policy Enforcement
54%
Technological Enforcement
35%
User Compliance
Organizations that saw mobile security incidents decrease were deemed more successful than those that had not.
Helpdesk Support Requirements: Organizations that saw helpdesk support requirements decrease were deemed more successful than those that had not.
Costs: Organizations that saw costs decrease were deemed more successful than those that had not.
Accessibility for Remote Employees: Organizations that saw accessibility for remote employees increase were deemed more successful than those that had not.
User compliance is the single largest predictor of success when allowing personal mobile devices onto the corporate network, accounting for 13.5% of the variance in success.
Develop a policy to ensure that end users are informed of what is & is not acceptable
IT's right to refuse access to the corporate network to any end-user deemed unfit.
The expectations of the end-user to adhere to strict data confidentiality standards.
The requirement that end-users implement alphanumeric passwords on mobile devices.
The level of support end-users can expect from the internal service-desk regarding personal mobile devices.
Conduct training sessions to reinforce the policy & provide behavioral examples
Use the Personal Mobile Device Policy Training Slideshow to reiterate and highlight:
The purpose of the personal mobile device acceptable use policy.
The major points of the personal mobile device acceptable use policy, especially security and expectations.
A case study highlighting appropriate actions in common situations, such as device loss or theft.
Consequences for failing to adhere to the policy.
IT's rights regarding wiping, restoring, and managing personal mobile devices.
Respondents cited security as the foremost reason for not allowing personal mobile devices on the corporate network
Data and corporate security remain the largest factors against personal mobile devices in the workplace, but support, policy enforcement, lack of control, and corporate liability also remain significant detractors from adoption.
Android will be the number one mobile platform by 2013. Current industry rates show Android to be the #2 player in the mobile platform market, and gaining quickly. Info-Tech believes that, given the development potential of the platform and the multi-manufacturer support it has received, Android will be the uncontested market leader by 2013.
The differentiators between app stores across platforms will move from quantity of apps to quality & usefulness. App stores are currently using the quantity of apps as a selling point for the recreational user. Info-Tech believes this driver will begin to dissipate as app stores converge on functionality, with resulting quality and usefulness becoming primary drivers.
Summary
Consumer technology is invading the workplace. However, unlike an alien invasion, incoming personal devices bring great potential benefits to humanity and to the IT department. Reduced costs and increased productivity follow tech-savvy employees into the enterprise.
The current big three mobile platforms (BlackBerry, Apple iOS, and Android) each have their strengths and weaknesses. Understand how to leverage the strengths and avoid the weaknesses of every personal device that comes in.
Stick to the major mobile platforms to avoid management headaches, but be up to speed on the less popular offerings, and realize that a variety of platforms does not always mean a variety of management techniques and technology.
Define your security requirements and take a personal device stance that aligns with them. At a minimum, have a password policy and enable remote wipe as an option. Consider more advanced options and/or third-party management technology, if users are storing sensitive data.
Focus on the biggest determinant of success: user compliance. Have a clear policy, and train users to be aware of how to properly use their device in conjunction with the corporate network. Put down limits on what IT can help with, to avoid increased support costs.
Info-Tech believes that corporately-owned devices are being driven off the planet in favor of the new rulers-of-mobile in the enterprise: personal devices. Adapt or face extinction.