How to Avoid the Five Biggest BYOD Mistakes
By Jon Rolls, Quest Software, for, CRN
The Bring Your Own Device (BYOD) trend is picking up momentum, particularly in the tablet space, with the popularity of devices such as the iPad and Samsung's Galaxy. Managing all those not-issued-by-corporate devices can be a challenge, notes Jon Rolls, vice president, product marketing for User Workspace Management at Quest Software. While smartphones are increasingly used for work, there is an equal explosion in device variety in the laptop and tablet worlds; Rolls explains how you can productively and safely enable users to use their own tablets and laptops.—Jennifer D. Bosavage, editor
Bring Your Own Device (BYOD) is getting increasing focus as the variety of platforms and devices consumers choose for their personal computing tasks explodes, and they expect to be able to use those same devices and platforms in the workplace. This expectation brings many challenges and concerns. Because being forewarned is forearmed, here's a look at the five biggest mistakes made when considering a BYOD program, so solution providers can guide their customers appropriately.
Mistake 1: Fearing BYOD
Many IT departments are paralyzed with fear that the security or liability problems cannot be overcome, that they will be buried in support problems, or that users will just bring viruses and malware onto the network. Done badly, those are all possible consequences of a BYOD program. The prevailing wind, however, is leading us to a future in which IT is decentralized, users operate outside of corporate boundaries, and tight control of an inventory of computing devices is not required or possible. BYOD is just the latest step in this evolution and, done correctly, it can be embraced.
BYOD is not just about placating demanding users and flashy executives with their shiny new milled aluminum computing toys; it also enables extended and more flexible work styles, and attracts a more creative, forward-thinking, and problem-solving class of employee. A successful BYOD program can be a great way to break a culture of corporate dependence in an organization where every worker expects everything to be done for them, and to empower workers with a sense of ownership and team-building, where the organization values their contribution and doesn’t just want to them to show up.
Embrace BYOD before it happens despite an official sanction. The fact is that users can do so much for themselves; if IT gets in the way, they will simply bypass it. Users can have massive email quotas, online collaboration and file sharing, their own CRM, Internet connections, proxies/tunnels, etc. in minutes, if they want them. The balance between user freedom and corporate control is shifting and requires a new approach.
Mistake 2: Losing control of what data the user has on their own, personal devices
To be fair, this varies by industry. Some workplaces have less to protect than others, and only protect their most sensitive files and documents, trusting employees to take appropriate measures and protect less critical information. Other organizations have few liability concerns and believe it is not worth the time and investment to restrict user activity, preferring a culture where individuals are aware of a corporate policy, but it is not systematically enforced.
So, the real mistake here is to not make the decision, and just let BYOD happen. Once the balance between corporate control and user freedom has been set, including the decision on how much data can be allowed onto user devices, it is time to look for a solution that gives that control, and this is where virtualization is my favorite approach.
Virtualization was originally designed to provide a layer of isolation from the underlying hardware in a desktop or server, allowing multiple virtual machines to share the same physical hardware, and preventing problems in a virtual machine from affecting others, as well as allowing greater portability of operating system images across hardware. However, another benefit of this isolation is that virtual machines can be sandboxed, in such a way that data cannot get in or out of them without corporate approval. There are two approaches relevant to BYOD – (a) virtual machines in the datacenter with remote access from any device, anywhere and (b) virtual machines on endpoints, managed and secured from a datacenter.
Approach (a) is cleanest because you can completely prevent data from leaving the datacenter, and access is easy from almost any device with an Internet connection, including Mac and PC laptops and desktops, tablet devices, and even some smartphones. It does require the user to be continuously connected, as well as investment in datacenter hardware and software, but it’s a well-established solution that comes in flavors known as session virtualization, Terminal Server, and more recently, desktop virtualization.
Historical resistance to this technology has come from three objections. First, users no longer own their own desktops. This was one reason VDI was seen as a worthy successor to Terminal Server/Session Virtualization, in spite of higher hardware and licensing costs. Second, virtualization was seen as having incompatibilities with endpoint hardware peripherals. Again, VDI offers some significant improvements in this area. The final objection is that some applications do not behave well in session virtualization/Terminal Server. Again, this last point was partially addressed by VDI, but VDI is a lot more expensive and there are now excellent automated solutions on the market that solve the problem of testing and preparing applications for use in session virtualization, easing transition to a hosted model for delivering corporate Windows applications.
Mistake 3: Thinking that desktop virtualization only works for online users
I’ve already made the case that desktop virtualization is an excellent solution for BYO laptop users. However, in its traditional and best-known form, it requires users to be always online. An alternative approach is called client-hosted desktop virtualization, where the virtual Windows desktop actually lives in a secured sandbox on the endpoint. The best solutions support both PC and Mac laptops, and offer a choice of hypervisors – type 1 (directly onto the bare metal hardware) or type 2 (running inside an existing Windows or Mac operating system). They require more hardware resources – typically at least 2GB of RAM for type 1 and 4GB for type 2 hypervisors – but can be completely secured and protected from a hosted administration point, to protect their contents in the event of theft or loss of the device. They also can be remotely destroyed or wiped, and encrypted to ensure the VM cannot just be copied elsewhere.
The beauty of this approach is that users can work online and offline, and, if they go the type 2 route, they do not have to surrender their laptop to IT. The virtual machine can just be dropped onto their existing environment. It also offers better graphics performance than datacenter-hosted solutions, since the graphics activity is not sent over a long network connection.
Mistake 4: Not considering data sovereignty
One topic that has had a lot of focus in cloud circles is data sovereignty – the geographical location of data, and policies and regulations that restrict where and when it can be stored. With uncontrolled BYOD and data stored on endpoint computers, there is a real risk of breaching these policies, leading to legal and contractual problems. There are at least two approaches that can mitigate this:
1. Policy-based access using user location. This covers multiple solutions, including Identity and Access Management, User Environment Management inside a Windows desktop, and connection brokering in desktop virtualization; but, good solutions exist that enforce access policies based on the originating IP address of the user.
2. Datacenter-hosted desktop virtualization. Yes, that’s my recommended approach from 2a again, but it really does address this problem because the data stays in one known place, and is only viewed and manipulated remotely.
Mistake 5: Requiring use of a VPN to get to the network
In these days of cloud-hosted services, users could be forgiven for even asking what a VPN is, as well as why they should have to set one up and use it. The challenge is that some services, especially client-server apps, still require one. Fortunately, times have moved on and there are firewalls with LAN extenders that automatically set up a tunnel into the network when a user hits your corporate website, and there also are solutions that use a reverse proxy in the corporate firewall to provide secured access to hosted systems not directly accessible from the Internet. My point is that in order to ease the adoption and acceptance of BYOD, removing a barrier like setting up a VPN is a good step.
So, those are five of the top considerations in implementing a BYOD policy, especially for laptops, and, to a lesser extent, tablets. Solutions are available for all of them, although I recommend solution providers try to minimize the number of vendors used. Few organizations can solve all of the issues under one roof; but, with the right partner, you can embrace BYOD and increase user satisfaction and productivity.