Now that the BYOD phenomenon is old news and reality has begun to settle in, IT and business units can make the important strategic decisions around information management in an era where employees are working on a variety of personal and business-issued devices (smartphones, tablets, and/or PCs) in a variety of locations (at the office, at home, on the road, and/or at client sites).
Even if you don't support BYOD, the fact of heterogeneous computing means you need an information management strategy that is BYOD-like. Whoever buys the devices, you're still dealing with knowledge employees who work anywhere, any time, and increasingly on any device.
These decisions are not new ones, but they've typically been deferred while companies came to accept that most knowledge workers no longer do their jobs only at a fixed location on a single device.
Also, many companies that did make decisions about information management in a heterogeneous environment took a piecemeal, stovepiped approach that creates huge management complexities and inconsistent deployments. For example, it's typical for companies to disable attachment access on mobile devices but not home PCs, to require encryption on mobile devices but not on PCs, to limit VPN usage to just PCs, or to provide remote storage options that work only on Windows PCs. No wonder many employees roll their own cloud storage, forward email to personal accounts, and engage in other compliance-avoiding workarounds -- IT has given them no choice.
What should you do? It depends on what you're trying to protect, but there is a single guiding principle you should follow when making those decisions: Use common policies for information access and common tools where possible for managing them.
Password policies, access policies, encryption policies, editing permissions, and the like should be consistent across all devices: PCs, tablets, and smartphones. Your baseline decision should address those policies.
Three aspects to the deployment of the policies need to be worked out:
- What capabilities must devices support to be allowed access to corporate data, applications, and networks
- What information should be visible and accessible to each group of employees (based on role and perhaps individual trust level) -- it's easier to protect data at the source than to worry about what happens to it after it has been made available, yet most companies focus on managing data once it is out the door
- What environments are considered too risky to provide access even for devices and people who meet the first two aspects of trust for a given type of access
Intel is one company that has worked through these three aspects of information accessibility and can provide a good conceptual model.
Tech tools at your disposal
On the technology side, Microsoft's Exchange and System Center 2012, as well as various third-party tools that use the Exchange ActiveSync (EAS) protocol, can enforce common password policies across all these devices, and encryption policies on mobile devices. System Center can also enforce encryption policies on Windows PCs and, through third-party extensions, on Macs; Symantec offers multiplatform tools similar to System Center. Likewise, mobile device management tools from MobileIron and AirWatch, as well as Apple's own OS X Server, can enforce encryption policies on Macs and mobile devices, in addition to password policies, attachment policies, and the like. You may not get down to one management tool, but you should be able to hit two or three.