In-depth: Securing the consumerisation drive

One of the greatest challenges for any company at the moment is to embrace the trend to encourage and allow the consumerisation of IT but to do so while keeping the network safe and secure, writes Amro Gebreel.

One of the greatest challenges for any company at the moment is to embrace the trend to encourage and allow the consumerisation of IT but to do so while keeping the network safe and secure, writes Amro Gebreel.

The growth in the bring your own device movement has proved to be unstoppable with staff working around hurdles set up to stop them connecting with their own smart phones and tablets.

So over the past 12 months the industry has encouraged customers to go with the flow and the focus has been on making a whole range of potential ways of connecting to the corporate network safely, regardless of the device being used.

There are some serious reasons why companies have started to let staff bring in their own devices (BYOD) beyond just showing more flexibility towards staff.

"Firstly, employees are more productive using devices with which they're comfortable. Secondly, staff morale improves because they can use their gadget of choice and thirdly, procurement generally spends less resources to constantly re-equip employees with the latest technology because they're upgrading themselves," says Stuart Facey, vice president of international at Bomgartold.

"Although some organisations may bristle at this phenomenon, expressing valid concerns over manageability and security, it's important to remember that resellers of all sizes can mitigate these threats.

"IT support organisations need to re-examine their current policies, IT management and support tools, and asynchronous incident handling processes to become a more efficient, flexible and collaborative support team if they are to make BYOD policies a success in the workplace," he adds.

One of the vendors that has been pushing BYOD as hard as anyone has been Citrix, which believes that is has the tools to make it all work and will benefit from the trend.

But as Kevin Bland, channel director for the UK, Ireland and South Africa at Citrix, explains, it's not just a question of thinking of allowing more devices onto current systems.

"In order to respond to true consumerisation businesses need to deliver applications and user environments that can be experienced on any user-selected device, whether smartphone, laptop or tablet.

"This requires the separation of the application from the operating system that it was created for. Corporate applications are not designed for consumer devices, hence this provides great opportunity for trusted advisors to support businesses through the technology transition required," he says.

That is one challenge for the reseller and there are others, with infrastructure also being a key question, along with security.

"Channel partners should focus their efforts on providing the most reliable, affordable and simple network infrastructure to deliver robust and secure access for any device, application or piece of software their customers choose to use," says Jonathan Hallat, VAR director at Netgear.

Those messages are filtering through to resellers, with some already seizing the opportunity to cast themselves as trusted advisors to help customers navigate themselves through the consumerisation challenges.

Alastair Broom, Solutions Director at Integralis, says that consumerisation is not only a challenge but also an opportunity, and the channel needs to address this.

Users now take it for granted that they can access information anytime, anywhere, and on any device or application of their choice. This has set expectations around the way they work, and it creates increased pressure on IT departments to develop and maintain security policies to protect and manage the risks involved.

"The important thing is to set out the whole roadmap and understand that consumerisation does not just mean iPads accessing the company network, but it includes the use of any technology or application that was designed for the consumer market," says Broom.

"We also help our customers by offering the whole environment as a managed service, which helps to take away the fear of adopting a new consumerised business model. Flexibility in the way we work and share information does not necessarily have to mean compromises in security.

"But it needs to be acknowledged and controlled with robust security policies and procedures based on business goals, and a flexible mix of technology and process controls to enforce these policies," he continues.

Other resellers agree. Rick Gray, sales director at Synetix, says that for a while now the lines between work and home have been blurring and it shows no sign of slowing down. As a VAR it is already getting to grips with what that means for its customer base.

"There is an ever fading boundary between work and personal IT activity on the network at the moment, which will only accelerate over the coming years. Users are pressing to bring their own smart devices into work, to work from remote locations and choose to use certain collaborative applications they know and use outside of the work place, which is creating challenges and headaches for the management of organizations," he says.

Those headaches are mainly around security, and there are real fears that BYOD will compromise defences that firms have set up based on being able to keep the number of devices connecting to the infrastructure to a limited number.

Terry Greer-King, Check Point UK managing director, says that consumerisation is indeed an issue for companies, because it means they often don't know where their data is and what needs securing.  

"If a firm doesn't know how many personal devices are being used, it's got a security problem. In November 2010 Check Point did a survey of 130 UK IT managers and senior IT staff in both public and private companies," says Greer-King.

"52% of respondents said they do not use data or device encryption to secure their business laptops, and a further 8% admitted they didn't know if encryption was in use," he continues. "It also showed growing concern over consumerisation of technology - employees using personal devices like laptops or smartphones for work purposes."

"Employees use personal devices for work in 55% of the organizations surveyed; yet 39% of the respondents said they had no formal process for deploying security to these devices.  Only 37% of the organisations prohibit the usage of laptops or smartphones for professional purposes.

"So the responsibility for security cannot be passed onto individuals: corporates wanting to secure their assets and data have to take these steps and pass them on to employees, or at least offer the employee some methods by which security can be delivered," he adds.

At that point the channel needs to step in starting with finding out just what devices are being used and how many staff are trying to connect. From there the reseller can advise on steps that need to be taken to provide protection.

When it comes to smart phones and tablets, things are developing at pace. Those keeping an eye on this market are already aware that even with a corporate BYOD policy in place events can overtake those policies.

"Employees are bringing in their own smart phones, without necessarily asking their employers, and connecting them to the WLAN and even using them for corporate e-mail access as they already know the relevant passwords, etc," says Martin Cross, director at Connect Communications.

"This seems to be happening even if the company doesn't have a BYOD policy.  As such the employer needs to find ways of identifying these devices and managing the risks, as these devices can bring in attachments containing all sorts," he adds.

As well as facing up to the challenge of allowing a range of devices to connect to the network, resellers must take other things into consideration to ensure that a transition to a more fleixible workplace is both secure and workable.

The first reality is to acknowledge that customers are doing this against a backdrop of constrained budgets.

"The current economic climate means that customers are constantly being pressurised to do more with less; tight budgets and limited technology spend means they must embrace innovation in order to increase efficiency and of course, the bottom line," explains Andy Lintel, director of corporate sales UK and Eire at Kaspersky Lab.

"The trend of consumerisation addresses this challenge as businesses already possess the means for employees to be more productive without further investment. However, by allowing an unknown device onto the network, businesses face an evolving security challenge," Lintel continues.

The next obstacle might be the systems that the customer is currently using. Legacy infrastructure is not often a good starting point to introduce more flexibility into an organisation.

"Corporate technology is often two or three years behind what consumers are using, making working from home increasingly more efficient than being in the office," suggests Etienne Greef, professional services director at SecureData.

"Digital-savvy employees are becoming increasingly mobile and demanding the freedom to use a wide variety of tools and services. The challenge for resellers with the consumerisation of IT is that they need to encourage businesses to embrace this new technology, rather than shy away from it," says Greef.

Another consideration has to be made to corporate culture and to the responsibility that staff will have to take if they want to enjoy BYOD.

Nessa Lynchehaun, UK and Ireland channel director at Mimecast, believes resellers will have to help customers come to term with the changes that consumerisaton means to their business culturally.

"The rapid consumerisation of IT has presented a variety of challenges, not just from a systems perspective, but also from an organisational culture point of view. For IT managers, the emergence of personal devices and online tools in the workplace have meant a re-think, not just of hardware and software, but also on anticipating potential threats arising from changes in end-user behaviour," she says.

Those end-users themselves have to bear more responsibility as well if they are to enjoy changes in working securely.

"It is vital that the reseller works with their customer to ensure that the selected IT security solutions act as a business enabler while at the same time allowing control.As the consumerisation of IT ramps up it is vital that employees are aware of the risks of potential data loss that could occur from using their own devices," says David Caughtry, director of core technology at ComputerLinks.

"Resellers should advise their customers to implement a thorough training programme to educate and advise staff on how to ensure that their personal devices have the same level of security as the company network.

"The reseller should encourage the company not to let defences and policies become out of date. The chances are that ways of working will continue to evolve - particularly as cloud becomes more commonly utilised and additional new devices are introduced to the market," he adds.

But if all of those things can be done, and it's going to take a reseller that understands all sides of the BYOD challenge to deliver them, then the solution starts to become clearer.

The demand for BYOD is not going to diminish and the hunger from staff for more flexibility will not ebb away over the next few years. Tablets, smart phones and netbooks have all posed a challenge to the traditional corporate desktop and laptop estates.

Security is essential to ensure that BYOD does not leave firms open to threats. But it is also a sale that doesn't simply involve a few products. The reseller has to sell a solution that helps customers develop.

Barrie Desmond, business development director of VADition believes that getting this challenge cracked is one that will fundamentally help resellers in the future.

"As enterprises continually evolve to cope with the dramatically increasing scale and complexity of the traffic on their networks generated by application-rich end devices, the reseller must be able to talk them about security, how it can be managed most effectively and how it can indeed become a management tool, and thus become valued by the organization," he says.

"Indeed, being able to understand and advise on the 'mobile-social' enterprise is key to keeping resellers in business," he concludes.

Read more on Data Protection Services