More shocking, only 30 percent of tablets -- which really means iPads, given that 99 percent of corporate-used tablets are iPads -- are remotely wipeable. Never mind that remote wipe is a basic MDM capability that even Exchange all by itself supports, or that the mechanism for enabling remote wipe on a tablet (iOS or Android) is the same as for an iPhone, so it should be automatically enabled for any tablet that has email access. "There's no reason that iPads should be less managed than iPhones -- yet they are," Borg says. That suggests IT's approach to them is the problem; it's either ignoring them or trying to impose burdensome high-touch controls that keep many iPads in the shadows.
The truth is, in the last year mobile security has become a straightforward issue to handle. I've put most of InfoWorld's key how-to articles in a downloadable PDF. I've also covered the fact that architecturally, mobile devices are more secure than PCs, so perhaps IT should be viewing mobile more as a security aid than a threat.
If you don't allow access on mobile devices, your employees will work around you. For example, they may forward email from their "secured" desktop clients to Gmail and Hotmail accounts they then access on their smartphones or tablets, where they're both invisible to you and at much higher risk for data loss or breach. In fact, this is so routine, it's not funny.
Aberdeen's Borg points out that IT has a great carrot here that it often is not using: email access. IT should start by securing corporate email access and tell employees, "'If you want email, meet policies.' That is the carrot that works for everyone." After all, people who have unsanctioned devices almost always want to access their email and calendars from them. Thus, they need to go through your email server -- which can impose policies such as requiring on-device encryption, password requirements, and automatic device wipe after a specified number of failed attempts. In other words, telling users they can access email officially gives you the very control you lose when you block them from that access.
Because the technology is policy-based, you don't need to know the specific devices a user has or configure it yourself -- the server validates the compliance and acts accordingly. You don't need to manage the endpoints, just the gateways to your data. For those devices that need the user to install specific apps to achieve policy compliance, it's easy enough to provide an intranet page linking to them, along with a list of recommended or approved devices.
Note: That's why you'd also require a VPN to access sensitive data and might use virtual LANs on your wireless network to segregate sensitive traffic from personal traffic. But if you allow remote access into your organization's network and data repositories, you should be doing this already. The fact that the client happens to be mobile is irrelevant.
Some CIOs raise the compliance bugaboo, suggesting that HIPAA, Sarbanes-Oxley, HICAP, PCI, and all the other regulations make it impossible to embrace mobility. That's simply not true. Using an MDM tool, "from the device perspective BlackBerry and iOS can be made compliant with every regulation I'm aware of," Borg says.
That does leave one gaping hole: Android, a platform whose popularity is surpassing the iPhone's. Windows Phone 7 and WebOS are likewise not very securable, but their market shares are very tiny, so they're usually not an issue from users' perspectives. Borg says that eventually Android will be manageable as well, but for now only a few Android devices can meet such regulatory requirements, such as Samsung tablets when managed by Sybase's Afaria product.
Thus, your policy as CIO should be that compliant devices are allowed in. As long as the compliance requirements IT imposes are reasonable, employees will respect them. You may need more than one level of compliance; employees who work with and access nonsensitive information should have less onerous compliance policies.
Companies already do that with, say, financial and employee information, so they should be able to extend that tiered-access thinking to device policies. For example, maybe any device is allowed to use the public virtual LAN to access the Internet, but only devices that support on-device encryption, remote wipe, and password requirements can access corporate email and general file shares. Additionally, only devices that support VPNs and certificates can access sensitive data, which should be gated within the internal network through VPNs, certificates, and the like anyhow.
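The email-gated, policy-based control described above, including the two compliance tiers, maps directly onto Exchange ActiveSync mailbox policies. The following is an added example, not code from the article or from Aberdeen; the policy and group names, the mailbox "jdoe", and the specific thresholds are assumptions chosen for illustration.

```powershell
# Added example (not from the article): Exchange 2010 Management Shell commands that
# implement the tiered, email-gated device policy discussed above.
# Exchange 2013 and later renamed these cmdlets (New-MobileDeviceMailboxPolicy,
# Get-MobileDeviceStatistics, Clear-MobileDevice); the policy parameters are the same.
# Policy names, group names, the mailbox and the thresholds are assumptions.

# Tier 1: users who handle nonsensitive data. Lighter requirements, but still a PIN,
# on-device encryption, an inactivity lock, and auto-wipe after failed unlock attempts.
# AllowNonProvisionableDevices $false is the key setting: a device that cannot enforce
# the policy is refused, rather than admitted on the strength of a sync request.
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true

# Tier 2: users with access to sensitive data. Alphanumeric passcode with complexity,
# expiration and history, storage-card encryption, and a shorter wipe threshold.
New-ActiveSyncMailboxPolicy -Name "BYOD-Sensitive" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true

# Assign each tier by group membership. The server validates every device against
# its mailbox's policy at sync time; IT never has to know which devices a user owns.
Get-DistributionGroupMember "BYOD-Standard-Users" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Standard"
Get-DistributionGroupMember "BYOD-Sensitive-Users" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Sensitive"

# Remote wipe works the same way for an iPad as for an iPhone: list the devices that
# have partnered with the mailbox, then wipe the one reported lost.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceID, LastSuccessSync
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -eq "iPad" }
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Review the output of the Get-ActiveSyncDeviceStatistics listing before issuing the wipe, since a mailbox with several partnered devices will return more than one object.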
The bottom line: In exchange for reasonable freedom of device, users allow IT to manage their devices via policies. Many companies require employees to explicitly agree to this, others simply assert it as a policy, and some insist on owning the device even if they allow employee choice -- that's an HR or legal issue the CIO can leave to others to figure out. The CIO's job is to ensure the policies are executed at the technology level.
Yes, there will always be rogue users, mobile or otherwise, who continue to forward work email to noncompliant devices. Users also transfer data to their home desktops this way, for example, so the behavior needs to be treated more broadly. "The organization has become permeable, so you need to look at the whole picture," Borg says -- not just specific endpoint devices. "You need to move the focus from the endpoints to the core," he says.
As for securing applications -- usually the next objection raised after the device issue is neutralized -- there are tools to do so where it makes sense. The first question, of course, should be whether it matters what games a user might install or what office app they use. Chances are it doesn't matter. Again, the right approach is to apply policies to those applications where there's material risk or other need for direct management, such as licensing compliance and access monitoring. The sandbox segregation of iOS and BlackBerry OS reduces the risk of malware problems, though again Android devices fall behind and may end up being supported only for nonsensitive classes of users.
Mobile costs don't increase appreciably with BYOD
Once an old-school CIO gets over the security excuse, he or she usually raises the cost objection. Given the huge number of devices, IT support costs will skyrocket, and IT will be overwhelmed with calls and need extensive training on every possible device. The internal network will require significant capacity increase -- from bandwidth to available IP addresses for the DHCP server -- to handle the tripling or quadrupling of devices that access it (over Wi-Fi). Telecom costs will skyrocket as everyone gets a data plan for each and every device.
Baloney. Let's take those three cost objections one by one.