What more can organisations do to embrace applications that are built specifically with the enterprise in mind? Are recent trends, such as the Apple/IBM partnership, pointing to the fact that the use of consumer applications in the workplace is in decline?
We spoke to Claire Galbois-Alcaix, Cloud Solutions Director at Accellion, about these and other issues pertaining to BYOD and BYOA.
TechRadar Pro: To what extent has BYOD, for all that it has enabled workers to be more productive 'on the go', also made enterprises a far less secure environment?
Claire Galbois-Alcaix: Today, employees all over the world have become far more technologically savvy than ever before, and are now demanding the types of mobile solutions from their office that they use in their personal lives.
This includes the ability to use their device of choice, and to utilise productivity enhancing apps to get more done faster. Organisations that don't provide these kinds of solutions for their workers increasingly find themselves falling behind the competition, as their employees will be unable to keep up with the pace of daily activity, and choose to go elsewhere where they can use these tools, impacting the company's bottom line.
The upshot of this is that, along with an increase in the number of consumer devices in the workplace, we've also seen a sharp rise in the number of consumer-focused applications being used within the enterprise.
Let's be clear about this – for the average user, the security of the applications they are using is not a primary consideration. The vast majority either believe that the devices and the applications they use are secure enough for their needs, or that the IT department will step in to prevent them from doing anything that could potentially put sensitive data at risk.
There are even some who are completely ignorant of data security risks, and don't even consider that the use of consumer devices and applications could result in a security breach.
For all of these reasons, many of today's enterprises are a far less secure environment, with some only learning the error of their ways and implementing a sensible mobile security policy when it's too late.
TRP: What are the security risks of employees using consumer-focused applications in the workplace instead of those specifically designed for use in the enterprise?
CG: A security system is only as strong as its weakest link, and there's no doubt that public cloud file-sharing services that are aimed at consumers pose a big security risk. There are a number of reasons for this.
Firstly, many of these applications, such as Dropbox, typically co-mingle data from different customers. While this provides the storage vendor with economies, it also reduces the control a customer has over where their data is stored and who has access to that information. Additionally, public cloud providers own the encryption keys to the data housed on their servers, rather than the customer, further increasing the risk of data exposure.
For most enterprise organisations these risks are too great, and they lead corporations and government agencies to select private cloud file-sharing for the additional data protection.
Compliance is also a major issue, and users sharing confidential data, such as financial records, outside the approved and monitored processes defined by the IT department, put the enterprise out of compliance with regulations such as SOX. Users at healthcare organisations can violate HIPAA by improperly sharing patient health information.
Because applications like Dropbox do not integrate with most DLP solutions, it also limits the ability of enterprises to monitor the content of individual files, which can cause them to be non-compliant.
TRP: To what extent could awareness of these risks be forcing the hand of those who have, traditionally, had more of a consumer focus, such as Dropbox, to move into the enterprise space?
CG: Apple's decision to move its iCloud services away from applications and further towards collaborative services with the introduction of iCloud Drive is a great example of how cloud storage providers with a traditional focus on consumers are now setting their sights on the enterprise.
Whether or not their hand has been forced by an increased awareness of the fallibilities of their own security protocols as far as secure use in the enterprise is concerned is, however, another question entirely. The likelihood is that the likes of Apple and Dropbox have primarily identified this market as a lucrative means of expanding their revenues, rather than having any alternative, altruistic motives.
Nonetheless, it does demonstrate that these consumer cloud vendors are at the very least beginning to acknowledge that enterprises need tools that have been specifically designed for use within their environment. It also demonstrates that they realise the importance of striking a balance between providing robust security controls that can ensure data integrity, while also providing the ease of use that means their employees don't have to rely on freemium, consumer versions of the same products.
For enterprises, this can only be good news, although the question remains as to whether or not they would rather invest in and deploy solutions that come from vendors who are completely enterprise-focused, as opposed to those that see it as an extra way to drive revenue.
TRP: What are the other reasons why consumer hardware and software vendors are taking an increased interest in the enterprise space, and what could be the potential impact of this sector becoming increasingly crowded?
CG: As the world slowly recovers its financial footing following the global economic difficulties, so have consumers found that they have more disposable income to spend. What the consumer technology industry has done well is to provide innovative 'added value' hardware and software solutions that help customers to part with this newfound income.
It's proven to be a clever approach, as the focus on providing value-added services has had a profound impact on the way we not only live our personal lives, but also the way we work. With these consumer devices now also safely ensconced within organisations, enterprises have, as a direct result, been forced to wake up to the fact that they also need to invest in solutions that will ensure that the devices and the applications that are used within their ecosystem are able to operate securely.
From this perspective, the decision made by consumer technology firms to move into the enterprise space, as evidenced by the partnership between Apple and IBM, makes a lot of sense.
However, the potential danger of this approach is that, as this space becomes increasingly crowded, and the push to differentiate services through extra value-added features continues, there's a real prospect of the security of data becoming less of a focus in the stampede to provide the best user experience.
In a sense it comes down to the age old question of whether or not you need to compromise security in order to make a solution that is user-friendly and vice versa. Although this isn't quite as black and white as it sounds, and there's not necessarily a need to make an either/or choice between the two, it's nonetheless clear that only the solutions which refuse to compromise security will be effective within the enterprise.
The question is whether or not consumer technology vendors are better placed to be able to deliver this than those who are more established in the enterprise sector. In the end, it could come down to who can be trusted more.
TRP: What are the risks associated with partnerships like the one between Apple and IBM, that are designed to allow consumer-focused businesses a smooth passage into the enterprise space? Could they muddy the waters between consumer and business applications further and result in an even greater risk?
CG: I don't actually see this as a risk, as I think that more vendors need to marry ease of use for end users with strict enterprise security. Since Apple focuses on the first, and IBM on the latter, I believe that their partnership is going to up the ante in enterprise mobile applications and solutions.
End users are going to choose the types of devices they prefer, and Apple dominates a large part of that market. By working with IBM to improve security capabilities, they are ensuring that IT departments will be happy to choose their hardware and software solutions for use within the enterprise. In this way, data stays secure as workers share content and collaborate, but enterprise workers don't lose any productivity through clunky, unmanageable solutions.
TRP: What can those who develop enterprise-class productivity solutions do to mitigate these risks and ensure that organisations remain secure?
CG: There are a number of things that those who develop solutions with the enterprise in mind can do to ensure data security. When it comes to developing critical business applications, ease of use is an absolute must, for example. There's no way around it. Even if IT is thrilled with the promised features and functionality, if an app is clunky, frustrates employees or eats up valuable time, users will abandon ship and find a suitable workaround.
We see this all of the time in the world of mobile file-sharing. Employees are drawn to consumer-based applications such as Dropbox and Google Drive because of the user-friendly interface and the ability to quickly get a file out the door. The problem is that, in many cases, employees are using such applications without the IT department's knowledge – putting enterprise data at risk.
The job of IT professionals is to make sure that confidential files remain confidential, and those providing enterprise solutions share the same burden of responsibility. Put simply, they need to ensure that enterprise-class applications not only have the same ease of use as those they have become accustomed to as consumers, but also provide the level of security that these same individuals have come to expect in their working lives.
The ability to marry up these two disparate aspects within solutions is the key to keeping data secure within the enterprise, and ensuring that users do not venture outside of the ecosystem to use other technology that could cause problems further down the road.
TRP: How much education do businesses need concerning the danger of workers bringing their own applications into the workplace, and the potential consequences of getting it wrong?
CG: It's an area that organisations are increasingly waking up to, and several high-profile data breaches have played an important role in reinforcing this message. The fact that iCloud and Dropbox accounts have been so publicly breached in recent times underlines the fact that if you, as an IT professional, are serious about the security and integrity of your data, then you need to be using a serious, enterprise-grade solution.
Having said that, there will always be those who continue to treat security as an afterthought, and for these people, education is particularly important. Many small or emerging businesses, for example, tend to de-prioritise security, as they are short on resources, and feel that they are better investing what little they have in other areas. However, this mind-set misses the point that, in the long run, failure to address security concerns could prove to be a much more costly expense.
TRP: How can enterprise-specific applications help to free up restrictive MDM policies within organisations, and ensure that workers have access to the data they need, where and when they need it, without compromising security?
CG: Some organisations believe that the best way to approach device management is to restrict the freedom of employees in terms of what they use, and how they use it. This, of course, can result not only in reduced productivity, but also an unhappy workforce, which can be hugely unproductive.
Although BYOD poses a number of security concerns, there's no reason why MDM policies should be restrictive, as long as a number of steps are observed.
The key to a secure BYOD-enabled enterprise is having well-managed content, but there are obviously a number of ways to go about this. There are three key security concerns that companies should consider as they navigate BYOD territory…
1. Where data sits and for how long: When data is in motion it's at a higher risk of being hacked, no matter how strong the encryption levels are. Many public cloud solutions constantly sync content between all devices, putting sensitive corporate information at a higher risk of a breach. Also at higher risk for data leakage is public cloud storage, which many companies choose to utilise for mobile access.
Before choosing a solution to support a BYOD program, companies should consider looking at private cloud architecture, so that data is only synced when an employee chooses to sync, and when data is at rest it remains inside of the corporate network.
2. Access permissions: A crucial element of implementing a BYOD policy is establishing how users can access your network from their personal devices. Many companies integrate their LDAP or Active Directories into this process to ensure that only authorised employees are accessing data. For instance, just because a marketing employee can access the network from a mobile phone doesn't mean they should be able to open HR documentation – all established information access protocols need to be left in place, no matter the device.
3. Authentication methods: Approving any number of new devices to access a network requires updated authentication methods. Whether this is done through a protocol like Kerberos or through password-authenticated key agreements is up to each individual enterprise. Businesses that are especially serious about their security are creating triple-layer architectures so that the web, app and data layers all have their own authentication tokens, dramatically decreasing the risk of data loss, no matter how many devices are accessing the network.