To secure BYOD, involve the business in managing its mobile privacy

Opaque policies drive users away – and compromise management and security

IT security organisations can boost adoption of bring your own device (BYOD) programs by delegating control over employee data privacy to business owners, a VMware security specialist has advised as the 18,000-employee company reviews lessons learned during its own successful BYOD program.

As at many companies, VMware had been working to progress its BYOD program but found that it had to step back to reassess its approach to ensure that users weren’t put off by privacy concerns.

“We as IT organisations often try to dictate what our users are utilising instead of engaging with them to find out what they require,” VMware sales engineering specialist Andrew Price told the audience at this month’s VMware Evolve conference in Melbourne.

“But with many employees citing poor user experience with applications within their environment, and many more dropping out of the BYOD program because they fear Big Brother is watching their every move, you can lose the user base that you’re trying to achieve results for.”

A recent Gartner survey suggested that BYOD had already become “a new workplace standard”, with two-thirds of respondents using personally-owned mobile devices for work and just 23 percent of those surveyed given corporate smartphones; around 21 percent of employees use tablets, whether corporate or personally owned.

There is a difference between using personal devices and managing them as part of the corporate security infrastructure, however. And with businesses finding new uses for mobile devices – by 2020, Gartner believes 20 percent of organisations will replace physical access cards with smartphones – BYOD devices must be securely manageable to ensure compliance with corporate governance requirements.

Making that happen requires employers to develop mutually acceptable security models for device usage that respect personal information as well as providing secure and manageable workspaces.

“The environment has now changed,” said Christopher Campbell, VMware director of solutions product marketing, in his keynote discussing the challenges of “stitching together a lot of silos in innovation” across application virtualisation, desktop virtualisation, enterprise mobility, networking, and more.

“There are a lot of people working on their own silos and worrying about security,” Campbell explained. “You now have to stitch everything together – and insert security into the different layers, making it comprehensive and making it seamless.”

“That’s why the security conversation can’t happen at [the IT] level; it has to be comprehensive, and it has to happen at a higher level. You have to think of security as a way to make your business more agile, and even to celebrate the way you support your organisation.”

VMware has targeted this market with Workspace One, which draws on the company’s virtualisation credentials to put secure ‘containers’ onto mobile devices.

The container approach had emerged as a more user-friendly way of controlling work data on mobile devices, Price said, noting that built-in controls allow administrators to restrict the transfer of data out of work containers but leave personal data alone.

“We wanted to alleviate those concerns and show users that we’re only doing things to corporate data,” he explained. “We’re taking away that distrust in IT, building relationships within the organisation, and educating users on the tools that we have available in the BYOD scenario.”

As well as providing a way for IT organisations to better engage with users, VMware had also sought to improve BYOD takeup by providing mechanisms for delegating responsibility over some of the data and device management. Its AirWatch mobile device management (MDM) tool, for one, supports the appointment of a dedicated Privacy Officer who is given responsibility for managing privacy settings on the console.

Assigning this role to a business person – a representative of Human Resources or Finance, for example, who wants to ensure compliance with particular corporate policies – allows IT to escape the perception that mobile management is a top-down mandate, instead building buy-in for the BYOD program across the organisation.

“They can turn on and off functions that the users can and can’t see on their devices,” Price explained. “When you’re implementing BYOD, that really becomes more important from the business side than from the IT control policy perspective.”

VMware’s user-focused strategy has extended as far as the creation of an entire site explaining how its tools work and what privacy controls it gives to users. Backed by a range of resource kits to help IT and business organisations sell the programs internally, Price says, the more user-friendly design is intended to break down the walls that have made so many users sceptical about BYOD enforcement to date.

Once BYOD device enrolment is complete, the platform includes a Privacy icon, for example, that lets users see what data it is collecting and not collecting, Price said. “It really provides the user with the granularity and information they need.”

Backed also by capabilities such as a single application catalogue, the team had been able to develop a more open and trusting relationship with BYOD users – and it quickly paid off as the company recorded an “immediate” 30 percent uptake in BYOD devices coming into the environment.

“As an IT department we’re no longer in a position where we can dictate or control what the user needs,” Price said. “You’re working with people that are waiting in line for 3 days for new devices and want them to be available to use in the business as soon as they are out. We want to be evangelists for that – and work with them to help them adapt and change to the various BYOD scenarios that we want to deploy.”

Tags: BYOD, Gartner, VMware, IT Security, corporate security, mobile privacy, VMware Evolve conference