IDC estimates that 55 percent of all phones used in business will be employee owned by 2015. The BYOD trend, driven by employees' increased technical proficiency and expectations for using mobile devices to access business services and applications, has taken away from IT the tight control that they are used to. Today's social media-savvy employees expect near-instant gratification from applications, and these expectations carry over to their jobs. No longer will this new breed of employees tolerate the out-of-date devices that IT typically supplied them in the past.
BYOD may be the most visible aspect of this new "Consumerized IT" (CoIT), but the real trend is increasing employee control over how they interact with enterprise resources in performing their jobs. CoIT also manifests itself in these employees' expectation to use the same applications and application models that they use in their non-business lives.
Mobile devices are small computers. But they are not just small computers. Mobile devices, more so than laptops, desktops, and mainframes, spend most of their existence with a particular human user. We like our phones, we like to have them with us as we go through the day, and we are stressed when this bond is broken. The personal connection employees feel for their devices (whether BYOD or not) has a number of implications (both challenges and opportunities) for an enterprise confronting mobility.
While the fact that the phone stays with the employee increases the chance of loss or theft (and so potential compromise of the business data on it), the employee is likely to take more care of the phone given that they will have personal applications and data installed as well as business applications. More concretely, because employees feel attached to their phones, they are far more likely to have them with them throughout their day than something IT would try to impose on them. Consequently, such devices can enable powerful new authentication models that leverage modern phones' connectivity, computing power, and UI. In the old trope used to describe authentication models, 'something you know, something you are', mobile devices are 'something you already have'.
But, of course, the fundamental opportunity associated with mobility is that a mobile employee is likely to be a productive employee. At the simplest level, there is real value to the enterprise in employees being able to 'get things done' on the morning commute. Arguably more important than the mathematical gain in working hours is how mobility can lead to employee empowerment through the greater control over their work schedule it affords them.
"The goal of any company is to enable their employees to get work done when and where they need to. The employees are going to take data, turn it into information and then knowledge. They then act on that knowledge."
In other words, if your business data is perfectly secure, but your employees are unable to actually do useful things like sell, partner, expand business, etc. with that data, then "you are doing IT wrong."
Mobile devices, more so than other platforms, are distinguished by there being two parties who have valid interests and rights over how they are used. Because the device is used to access sensitive business data, the enterprise has a valid concern over the security of the business applications and data on that device. If security were the only requirement, the solution would be simple: Completely lock down the device as in the Mobile Device Management (MDM) model. But the coarse granularity of MDM is incompatible with the enterprise's desire for productive and empowered employees and those same employees' desire for autonomy with respect to the device's personal usage.
A modern mobile architecture must therefore balance:
Application and data security--protecting the sensitive business information accessed by and stored on mobile devices.
User enablement--ensuring that employees can perform the duties of their role when and where they wish to, fundamentally allowing them to 'get things done'.
User privacy--acknowledging the employees' rights to 'be left alone' so that the enterprise does not have complete visibility into their personal applications and data on the device, particularly for BYOD.
Finding the right balance point is not trivial. In a series of blog posts, I'll present four technologies that can help.
Mobile-based authentication--leveraging the capabilities of smart phones to provide secure and easy sign-on.
Single sign-on across web and native applications--giving employees a seamless user experience for both web and native mobile applications.
APIs--granting access for business data only to authorized applications and users.
Work/personal separation--isolating business applications and data from the applications that the employee installs for their personal use.
In the next installment of the series, I'll explain how modern phones enable powerful and usable authentication models (and the standards that are emerging for this), and how marrying this with a single sign-on (SSO) experience allows all applications to benefit from the enhanced security (and how standards are changing here).