Why Big Australia is gaga for BYO Computing

Telstra has joined a growing list of large Australian companies considering allowing their employees to bring their own computing devices into the workplace, in an attempt to extract savings and efficiencies from various business units.

Telstra chief information officer Patrick Eltridge told iTnews that the telco is conducting proof-of-concept trials across several areas of its business.

The trials also involve the use of desktop virtualisation and the development of new interfaces for staff accessing corporate applications via mobile devices such as smartphones and tablet PCs.

Large organisations are under creeping pressure to make systems nimbler and more user-friendly, and increasingly are yielding to staff demands to bring to work their own smartphones, tablet computers, laptops, and sometimes even 3G dongles and Wi-Fi routers.

Whilst the BYO Computing trend was in the past framed as an inevitable problem created by the ‘consumerisation of IT’, many of Australia’s top CIOs now view it as a means of attracting better staff and even reducing costs.

BYO Computing schemes have proven attractive to bean-counters realising savings by allowing staff to salary-sacrifice IT equipment.

Legal firm Norton Rose, for example, “fully supports” the connection of personal mobile devices to its information systems and is weighing up a future in which staff also bring in laptops and other PCs.

“A lot of new technologies are being released and we clearly see major business benefits in having access to office systems while outside the office and travelling overseas,” said Phil Scorgie, director of business information systems at Norton Rose.

“This is particularly important to support our growing international practice. It enables our lawyers to work anywhere in the world as virtual lawyers.”

Jetstar CIO and head of IT Stephen Tame said the airline had not yet formulated an official policy, but employee-owned iPhones, iPads and MacBooks were allowed to co-exist on the network.

“I foresee a time in the not-too-distant future when mobile phones, laptops and PC equipment will be a personal choice and a self-managed device,” Tame said.

Jetstar deploys virtualisation to cater for staff-owned machines, shipping set-up and updates on SD cards to remote workers.

“Deployed on virtual machines, corporate IT still has control over the systems accessing the corporate environment,” he said.

KPMG director of innovation Bruce McCabe said many of the firm’s clients were experimenting with BYO Computing. Many saw the practice as inevitable, he said.

“It’s now firmly in the consciousness of IT leaders in Australia, much more than a year ago, but in terms of implementation - only a few have scratched the surface,” McCabe said.

Any cost benefits associated with not issuing company machines would be offset by equipment allowances, increased IT security expenditure and testing, he said.

“Long-term, the support costs should be less expensive as we move to self-service.”

Security concerns

The number one roadblock to BYO Computing tends to be security concerns.

The premise of a miscellaneous fleet of devices operating in the high-rise offices of corporate Australia does not impress security analysts.

Gartner analyst Laurence Orans expects BYO programs to increase the threat of botnets.

Orans estimates that between four and eight percent of enterprise PCs already have an active botnet client installed and argues that consumer-owned PCs will bring even more Trojans into work.

“The threat of higher botnet compromise rates on consumer PCs is very real and security teams will need to invest in additional resources to mitigate these threats,” Orans said in a security paper.

Uri Rivner, head of new technologies and identity protection at security vendor RSA noted in a February research paper that 88 percent of Fortune 500 companies already had Zeus-infected employee PCs.

Orans forecasts that 80 percent of enterprises adopting BYO computing would see their compromise rates increase by 100 percent or more by 2013.

Read on for a checklist of management policies to consider for your BYO computing deployment.... we also talk to some IT managers that don't like the idea...

Virtual solutions

Graham Titterington, principal analyst at Ovum said the ideal solution for managing BYO computers was client virtualisation – particularly if the solution allows for the employee’s machine to support at least two virtual environments: one for business, the other for personal use.

“The IT department can then stop managing the laptop and just provide a standard VM for business use on all clients,” he said.

The alternate route involves too much work, he said. “Potentially, there are great difficulties in requiring an over-pressed IT admin function to manage a wide range of devices that are out of their control and not ideally suited to the corporate role.”

Sophos senior technical consultant Sean Richmond said there were many ways to ensure security, from use of virtualisation to new IT policies.

“Treat the machines as un-trusted and hostile,” he advised. “Quarantine it to a certain area of the network until you’ve loaded agent software to allow access to the virtualised infrastructure or to the gateway. Ensure before people add a device that they scan and update the software until it’s approved for use.”

BYO policies should ban jail-broken devices, he said.

The policy should also note that the organisation has the right to deny access to non-compliant machines, and it should specify and limit the provision of technical support to employee-devices, Richmond said.

Microsoft chief security advisor Stuart Strathdee made some further recommendations.

Individual documents should be locked or only accessible until an expiry date, he said. Web applications would also be secured to assume the client is hostile and track transactional behaviour (as banks have done for online banking). Systems would also require role-based permission and it would be mandatory for staff to use encryption.

The policy should also restrict the local storage of company data on BYO machines and instead make use of administrator-approved cloud storage solutions.

“Cloud can be a half-way house,” Strathdee said. “While it’s not a traditional way to look at cloud, it can be done for security.”

A quick checklist when formulating policy:

• Apply to BYO computers the same security settings as an outsider connecting to the network.
• Only allow BYO computers onto the network after administrators have cleared the machine for use.
• Consider use of virtualisation to lock down a virtual machine for work use.
• Ban the storage of corporate data on the device and offer secured cloud services as an alternative.
• Ban jailbroken devices.
• Insist on encryption.
• Lock sensitive documents to devices and/or time-limits.

Not for everyone

But even as these policies mature, BYO is clearly not for everyone.

In researching this piece, iTnews spoke to two large software houses that are dreading the trend. Both declined to be identified.

One said non-corporate devices were strictly forbidden as is desktop virtualisation.

“We’re heavily into standardisation,” the IT manager said, admitting that BYO Computing was a “touchy political subject” internally.

Another IT controller said although there were potential cost-savings associated with BYO computing, it “was not a good deal”.

“It would make sense if we didn’t have a budget, but we do, so as a company we provide the tools for the job – the computer, the smartphone plus the security on the devices,” he said.

Many large companies approached by iTnews declined to comment on their policies - either because they had not yet formulated one, or because they were not ready to unleash staff demand for flexibility.

Rob McMillan, research director for security, risk and privacy at Gartner recommended that those making the BYO decision in the enterprise fully understand the company’s security risk profile.

“The person who makes the decision should bear the risk,” he said. “If that person happens to be the accountant, then they need the security budget and the authority to control it.

“I don’t want to discourage people from it – I can see the budget and the cultural attraction of it. But highly security-conscious environments like government, share trading and customer service are not the industries to do it. Unfortunately in IT, we sometimes get carried away.

“It will be good, but only for some,” he said.