Consumerisation of IT: How to strategise enterprise device management

Amid the rising consumerisation of IT, the traditional “one-size-fits-all” strategy can fail. IT must develop an open approach to consumerisation of devices and use VDI.

This article can also be found in the Premium Editorial Download: IT in Europe: NAC technology evolves in a BYOD policy world

With the growing popularity of mobile communication devices and consumerisation of IT, the traditional “one-size-fits-all” enterprise device strategy is likely to fail. In this tip, business and technology expert Clive Longbottom explains why it is important now more than ever to revise your IT strategy and to develop a sound plan for managing devices.

Shrinking devices; growing problems
Life used to be so easy when certain computer workloads were carried out on a central device (a server) and the results of the workload were accessed through an endpoint that did very little itself (a terminal).

Personal computers didn’t radically change how information was managed. Although the end-point device became intelligent and was able to store information, it remained “tethered” to a fixed position. 

Then we saw the development of ever-smaller mobile devices. First, it was the luggable; then the laptop; then the rise (and fall) of personal digital assistants (PDAs); and now the evolution and rise of smartphones and tablets. 

Problems introduced with those devices, such as the wide distribution of data, loss and theft of devices and the fact that data tended to be taken by ex-employees along with the device are compounded as prices have dropped to levels that relegate them to almost being disposable items. When laptops cost an average of £2,500, few employees would dream of buying one themselves if the company weren’t offering them one for free. But with tablets costing less than £500 now, they are well within the purchasing power of employees.

Amid the growing mix of device ecosystems and their entry into the enterprise, any attempt by an organisation to maintain a “one-size-fits-all” device strategy -- in order to validate existing applications to work across a known set of IT devices -- will be doomed for failure. We have seen companies purchase and provision laptops and mobile phones for their employees, just to find out that employees then strip the licence codes from the laptop onto their preferred make (eg, buying a Sony Vaio rather than using the provided Lenovo ThinkPad) and transfer the SIM card from the provided phone into their choice of smartphone.

Chaos ensues, and now that many organisations have moved away from a standard, Windows-based platform to iOS, Android or another operating system, it is difficult to track application usage and ensure standardisation across document formats and workflows. At the smartphone level, individuals go for their own contracts and expense them to the business, so the business is not given preferential business tariffs nor the ability to aggregate bills and to benefit from discounts for large usage. Pretending that consumerisation of IT is not happening can be expensive in real terms and in business productivity terms.

Steps to manage consumerisation of IT
When putting into place a well-managed approach to such mixed-device environments, the key is to embrace the dynamic evolution of technology. Do not create a strategy that is dependent on certain device types. For example, having a strategy that sounds modern, in as much as it supports the Apple iPad, is OK for a moment in time, but with Android tablets becoming competitive, you will need to review capabilities and continually re-code device apps just to keep up. Any strategy, therefore, must be “open.” The good news is that strong industry standards -- such as HTML5, Java, virtual private network (VPN) security -- are making this easier than it used to be.

You can define a minimum platform capability that a user-sourced device must have and then specify things like support for Java or the capability to support certain VPN technologies [not vendor-specific, but industry standard, such as Secure Shell (SSH)]. This base platform will define a set of capabilities -- not the device itself -- so new devices can be embraced as they come along with only minimum need for testing and validation. Any device that does not meet these basic requirements can be locked out from accessing the business network. However, the IT team may have to assist the general users who may not understand how well a certain device aligns with the corporate requirements.

Next, you’ll want to adjust the application and data access strategy in order to protect the business in the best possible way. It is better to have a strategy that is built around each device being seen as a “terminal” rather than as a hyper-intelligent device in its own right.

Virtualisation is the key here; a virtual desktop infrastructure (VDI) brings all the business logic and data back into the data centre where appropriate controls can be applied.

The majority of VDI approaches, such as those by Citrix and VMware, support standard access approaches through a browser or through a functional device app that ensures a good user experience in terms of usability and speed of response. Virtualisation can also “sandbox” the corporate environment from the consumer one. By fencing the corporate environment within its own virtual space, interaction between the access device and the virtual space can be controlled or even completely blocked. And by blocking interaction, no data can be transferred outside of the corporate space, and the access device remains only as valuable as the device itself -- it will not hold corporate data that may have commercial or legal value if the device is lost or stolen. 

Also, no matter how poor the user’s understanding of Internet security is, the corporate environment can remain “clean”. Even if a device is riddled with viruses, worms and other malware, there cannot be any transfers of malware between the device and the corporate network.

An open approach to consumerisation of IT
An open approach to consumerisation of devices, combined with the use of VDI, gives enterprises a means of dealing with their users’ desires to embrace the device of their own choice. However, IT teams must implement tools that will make the devices work for the business. Vendors such as Check Point, Cisco Systems, Landesk Software and Symantec provide asset management software, network access controls and end-point management systems that deal with occasionally connected devices and should be able to identify when new devices touch the network.

The device will then need to be interrogated to ensure that its base capabilities meet the corporate needs and, where possible, geo-locational tools show that the person is accessing the network from an allowable location. It may then need certain functions such as VPN capabilities or specific access apps which should be automated to allow the user to get on with his work quickly and efficiently. Tools should be able to lock out devices that do not meet requirements and should be able to identify and lock devices that have been reported as lost or stolen to safeguard the corporate network.

Finally, tools must be able to provide comprehensive reports on the user’s activity and be able to advise the user in real time if he is attempting to carry out activities that are counter to corporate strategy, such as accessing highly secure data over an open public WiFi connection. For example, Check Point’s solutions give an organisation the ability to use data leak prevention to identify if someone is trying to carry out an action that is against corporate policies. Users can be completely blocked from performing the action and be presented with a bespoke message stating why they are being blocked. Or, the user can be presented with a “Do you really mean to do this?” option (again, along with reasons why it is not recommended and an input box for them to put in the reason they still want to carry out the action). This will allow them to carry out the action -- but under full audit of the tools so the organisation knows who has done what, when, where and why. 

Such advice is presented in understandable terms (as opposed to technical terms such as “Error 612: Action counter to profile 164/2012”) informing users why such an action must be avoided. Whenever possible, it must give alternative options for users to meet their requirements. For example, a message along the lines of “You are currently connected to the network via an insecure public wireless access point; transmitting customer details as in the attached document may be open to others capturing the information. Are you sure you want to continue?” This is definitely more meaningful and empowers the end user to make an informed decision.

Consumerisation of IT is unstoppable and has major implications for how corporate applications and data have to be dealt with, which will have a knock-on effect on the data centre itself. Embrace the change, and the organisation will benefit from it. Fight it, and your competitor will overtake you.

Clive Longbottom is a service director at UK analyst Quocirca Ltd. and a contributor to

Read more on Datacentre systems management