
BYOD: Will IT Departments Live Long and Prosper?

By | October 7, 2014 in BYOD


Last week at Interop, New York’s Javits Center was abuzz with IT professionals seeking practical advice on IT management good practices (and the technology to support them). The conference element included the following tracks:

  • Applications
  • Business of IT
  • Cloud Connect Summit
  • Collaboration
  • Infrastructure
  • Mobility
  • Risk Management & Security
  • Software-Defined Networking (SDN)

This BYOD* and mobility-related blog is the first of a number of SysAid blogs based on the Interop sessions – with the intention of spreading the Interop advice and good practice wider than its physical attendees.


BYOD and Star Trek

Michele Chubirka, a security architect and best practice researcher, presented on “BYOD: Beating IT’s Kobayashi Maru.” For those of you not up on your Star Trek folklore, Kobayashi Maru refers to a no-win situation, or the need to redefine the problem. In this case, in Michele’s opinion: “The answer to BYOD cannot be ‘No,’ but a qualified ‘Yes, and….’”

The point is that BYOD cannot be prevented, except where industry legislation or regulations limit the use of certain technology, corporate or otherwise, in the workplace. Instead of fighting BYOD, corporate IT organizations should ensure that they are ready for, and accommodating of, BYOD, both protecting business assets and operations and optimizing employee productivity.

BYOD Needs Policies and Standards

Michele stated that organizations need to have the following in place for BYOD:

  • High-level BYOD policy
  • Acceptable use policy (AUP)
  • End-user agreement (EUA)
  • Data classification and handling standards
  • Basic user roles/classification
  • Supported application list
  • Resource matrix

She added that organizations don’t need to reinvent the wheel here. Instead, they should use Google to find existing examples of the above, which can be tailored to suit their own needs: for example, the White House’s BYOD guidance for government, or SANS’s AUP.

Guidance on Access Control

Michele also offered the following security-flavored advice:

  • Data has value and should be organized according to:
    • Sensitivity to loss
    • Disclosure
    • Unavailability
  • Appropriate application of controls creates the handling standards
  • User roles or personas determine privilege levels
  • Access controls are determined by the intersection of data classification with user classification

But it’s not just about security.

Employee Support Needs to Be Well Thought Out

No IT support organization could realistically support every BYOD device, personally-acquired application, or personally-chosen use case. So organizations need to be very clear on what they will and will not support. Michele's three key support points were that:

  • Even though you don’t own the device, what applications will you license and/or support on it?
  • How will you communicate this?
  • Many support costs don’t go away, they simply shift

She also pointed out that a resource matrix should be used, based on data classification and the level of risk the organization will accept, to document which applications and facilities are approved, provided, and supported for corporately owned devices, employee BYOD devices, and office guests.
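The access-control guidance and the resource matrix described above can be sketched in code. This is an added example, not material from Michele's talk or from SysAid: the role names, classification levels, device ceilings and resources are all constructed assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Assumed persona clearances and per-device ceilings (the risk the organization accepts).
ROLE_CLEARANCE = {"visitor": Level.PUBLIC, "staff": Level.CONFIDENTIAL,
                  "finance": Level.RESTRICTED}
DEVICE_CEILING = {"guest": Level.PUBLIC, "byod": Level.INTERNAL,
                  "corporate": Level.RESTRICTED}

# Constructed resources scored 0-3 for (loss, disclosure, unavailability).
RESOURCES = {"guest_wifi_portal": (0, 0, 0), "intranet_wiki": (1, 1, 0),
             "crm": (1, 2, 2), "payroll": (2, 3, 1)}

def classify(loss, disclosure, unavailability):
    """Data class is the worst-case impact across the three dimensions."""
    return Level(max(loss, disclosure, unavailability))

def decide(role, device, resource):
    """Return (allowed, reason); anything unknown is denied by default."""
    if resource not in RESOURCES:
        return False, "unclassified resource"
    clearance = ROLE_CLEARANCE.get(role)
    ceiling = DEVICE_CEILING.get(device)
    if clearance is None or ceiling is None:
        return False, "unknown role or device class"
    level = classify(*RESOURCES[resource])
    if level > clearance:
        return False, f"role not cleared for {level.name}"
    if level > ceiling:
        return False, f"{device} devices not approved for {level.name}"
    return True, f"{level.name} within role and device limits"

def resource_matrix():
    """Resource -> device class -> roles that may reach it from that device."""
    return {res: {dev: sorted(r for r in ROLE_CLEARANCE if decide(r, dev, res)[0])
                  for dev in DEVICE_CEILING}
            for res in RESOURCES}

if __name__ == "__main__":
    for res, row in resource_matrix().items():
        print(f"{res:18} {classify(*RESOURCES[res]).name:12} {row}")
```

The decision depends on the data's class, the user's role and the device's ownership class, never on a specific handset or product, which keeps the controls focused on data rather than technology.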

Common BYOD Misconceptions

Michele finished with a short list of BYOD misconceptions:

  • BYOD is less secure
  • I can say "no" to BYOD
  • BYOD will always save money
  • I have to buy expensive solutions
  • I have to reimburse users to force adoption
  • We don’t need to consult HR or Legal

Key Takeaways

And some key takeaways for the audience (and now you):

  • Controls should focus on data/resources, not technology
  • Policies become requirements, don’t jump to solutions; you will pay for it later if you skip this step
  • Get executive buy-in on policies and sign-off on design, otherwise you’ll be redesigning later
  • Training and end-user support is critical
  • Offer options: full device management vs. containerization**
  • BYOD is no longer optional

So there’s a lot to consider from a BYOD management and service delivery perspective. But, importantly for us at SysAid, one has to remember that mobility isn’t really about mobile devices and apps. Rather, it’s really about supporting employees and customers while they are on the go – it’s about service delivery and service experience, and the pursuit of business over IT outcomes.

If you want to hear more from Michele Chubirka you can find her on Twitter as @MrsYisWhy.

* BYOD = bring your own device, the use of personally owned devices in the workplace
** And not forgetting mobile virtualization options such as Nubo.


Sophie Danby

About Sophie Danby

Sophie is a freelance IT service management (ITSM) marketing consultant, helping solution vendors to develop and implement effective marketing strategies. A vocal and collaborative member of the international ITSM community, she can often be found at global ITSM conferences or engaging in "ITSM chatter" on Twitter. Sophie also previously worked at SysAid as our VP Marketing.
 
