BYOD caught IT departments napping

Is the bring-your-own-device (BYOD) movement finally reaching maturity, or should it be renamed "work at your existing desktop through your device" instead? The closer we look, the more we see that while the device may be the same, the familiarity of local apps and the iOS or Android UI is sacrificed in the name of monitoring and compliance.

BYOD is a phenomenon that caught big IT sleeping. People brought their iPhones into the workplace and demanded that IT hook them up to the internal email system, without anyone thinking through the consequences. After all, if it is this easy to use an email app or Facebook, why should enterprise applications be so boring and difficult? It took IT a while to catch up, and the consequences in terms of compliance were dire. Responses ranged from burying heads in the sand to locking down systems to the point where people could not work.

Fast forward to today and bringing your own device to work is taken as a given, but the way the technology has developed to comply with data security regulations has changed what we can expect from it.

The phone or tablet is left as nothing more than a glorified thin client. At least in Microsoft’s world view.

Microsoft Thailand server and tools business group lead Panjaporn Vittayalerdpun explained that when it comes to email compliance, Windows devices can enforce a multitude of rules. Examples include allowing forwarding only to full-time staff, prohibiting reply-all and forwarding, or even stipulating that certain attachments can be opened for only one month in Office and kept for three months in Outlook.

Linking Active Directory domains allows this sphere of trust to extend to contractors and third parties outside the organisation.

But while this works fine in a Microsoft-only ecosystem, what of iOS and Android, I asked. Some of the more basic controls, such as enforcing a passcode and remote wipe, can be applied to their native email clients, but Redmond's preferred answer was for people to use their iPads and Android tablets as thin clients to a virtual Windows desktop running in the organisation's data centre somewhere.
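To make the distinction concrete, here is what those two tiers of control look like on the server side. This is an added example written for this article, not code from Microsoft or from the interview; it uses Exchange Management Shell cmdlets that exist in Exchange 2010 and later, while the policy, rule and group names, the mailbox address and the device identity are assumptions for illustration.

```powershell
# Added example (not from the article or from Microsoft). Names, addresses
# and identities below are assumptions chosen for illustration.

# --- Tier 1: controls a native iOS/Android mail client does honour ------
# An Exchange ActiveSync mailbox policy pushed to the device at sync time:
# passcode, auto-lock, wipe-after-N-failures and storage encryption.
# AllowNonProvisionableDevices $false refuses sync to any client that
# cannot apply the policy, which is the check that makes the rest matter.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (address is an assumption).
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Verify that each of the user's devices has actually applied the policy;
# a device that shows an unapplied policy or a stale LastSuccessSync is
# outside the control loop until it next checks in.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceId, LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus

# Remote wipe of a lost device. The identity comes from the listing above;
# the wipe is only carried out when the device next synchronises.
Clear-ActiveSyncDevice -Identity "alice/ExchangeActiveSyncDevices/iPad§ABC123"

# --- Tier 2: server-side mail flow rules (client-independent) -----------
# Refuse messages that a mailbox rule or client is auto-forwarding to
# recipients outside the organisation.
New-TransportRule -Name "Block external auto-forward" `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Automatic forwarding outside the organisation is not permitted."

# --- Tier 3: rights management (needs an IRM-aware client) --------------
# Requires AD RMS and Set-IRMConfiguration -InternalLicensingEnabled $true.
# Stamps internal mail from one group with the built-in "Do Not Forward"
# template, which removes Forward and Reply All in Outlook and OWA.
New-TransportRule -Name "Protect finance mail" `
    -FromMemberOf "finance@example.com" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward"
```

The caveat is the point of the article: tiers 1 and 2 hold for any ActiveSync client, but the "Do Not Forward" template in tier 3 is enforced only by clients that implement IRM. A native mobile mail app without that support does not get a forward-proof message, it gets a message it cannot read at all, which is why the recommendation from Redmond was a browser or a virtual desktop rather than the device's own client.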

She explained how it was easy to run Outlook Express in a browser, in a way that is secure and complies with all the data controls imposed.

Many of the same controls can also be embedded in an Office document, but again, without native Office apps on the other mobile platforms, that is a luxury of a Microsoft-only ecosystem.

“One nation’s army uses iPads with everything running via VDI. Everything is in the army data center. If the iPad is lost all they get is a blank device,” she continued.

Upon reflection, much of Microsoft's work in virtualisation has been building towards this vision. The ability to run traditional virtual desktops in the data centre with differing levels of local execution, from streaming nothing but graphics to an entire secured Windows desktop temporarily downloaded for local execution, is a technical tour de force.

But is it missing the point? Access to one's Windows desktop from anywhere might once have been the answer, back when Windows was a legal monopoly. In an increasingly heterogeneous world, though, one cannot help but feel that Microsoft has missed the point by not providing full control and compliance through native apps on iOS and Android.

Or, to put it more tangibly, the Microsoft world view might prevent data loss by stopping people from opening a Word document natively in Quickoffice on an Android phone, forcing them instead to log in to their VDI and open it in full Office, with the data never leaving the data centre. But that only frustrates users, who may look for a way to bypass security entirely and take the file out of the control loop. Or perhaps just give in and buy a Windows Phone, which may be the point after all.

Another idea is security and compliance from the network side.

That was an idea put to me by Bluecoat, specialists in WAN acceleration and web gateway security. Sitting at the network border, the company already has to see what is going in and out in order to offer WAN acceleration and de-duplication, and it is only a small logical step to add data leakage prevention (DLP) logic to that existing infrastructure.

“We’ve been advocating network-based DLP,” Jonathan Andresen, Bluecoat’s Thailand country manager told me when I asked him about the challenges of mobility.

The way most data leakage prevention solutions are rolled out today is in a minimal, monitor-only mode. IT managers are terrified of disrupting the business and preventing people from doing their work, yet they need to keep an eye on things, and they need the records to tell whether anything has leaked that should not have.

“Even the banks we talk to, they look, they might want to control it but right now they just want to see,” he said.

“With BYOD there is a need to control that and a need for visibility and transparency; to go in and actively shape the network and ensure that only the right folks have the right kind of access,” Daryl Dickens, VP for marketing at Bluecoat said, finishing off this line of thought.

Virtual desktops pose a bandwidth and latency challenge to smooth operation, especially for agents out in the field, while making the network intelligent enough to provide the visibility that network-side monitoring needs is no less of a challenge.

Of course, the two world views are not mutually exclusive, but it will be interesting to see how things shake out with the passage of time.