Microsoft Surface Tablet Adds Urgency to Defining Enterprise BYOD Policies

The introduction of the Microsoft Surface Tablet means more enterprises than ever will have to decide whether to allow employees to use their own mobile devices to access corporate resources, ban personal mobile devices altogether or establish corporate standards, such as the Surface Tablet, iPad or specific smartphone models.

On June 18, Microsoft pulled the covers off its Surface tablet and stimulated discussions about whether gaining consumer approval will be the gateway for the surface to infiltrate the enterprise.

One way or the other however, if the bring-your-own device trend continues, enterprises are likely going to be faced with a decision to support or not support the Surface.

"I think Surface has a couple of very attractive features that make it more viable for the enterprise space than past tablet devices, such as the keyboard, USB and HDMI ports that come standard with the device, in addition to its compatibility with Microsoft office," Dan Croft, CEO of mobile management vendor Mission Critical Wireless, told eWEEK.

"Features like the keyboard will make it easier for workplace use, while the USB port will make it easier to import files and attach drives for additional storage€¦ However, for it to become a part of the BYOD phenomenon it has to first make its way to consumers, who are going to have to look into their pocket book and decide if they really like this device."

With a growing number of device choices available on the market, Croft expects companies to take a balanced approach and allow employees to choose from a list of approved devices. Anything not included on the list would be unacceptable for use at work, he said.

That approach will likely still run into challenges. A recent Fortinet commissioned-survey of nearly 3,900 employees in their 20s found that more than one in three would ignore a policy that forbade them from using their personal devices at work. In addition, 30 percent said they either have or would contravene a policy banning the use of nonapproved applications, and 50 percent of the respondents said they view using their device at work as a "right" rather than a "privilege."

This reality forces businesses to examine whether they will support employees' personal devices, a decision security pros and analysts say involves a mix of legal, security and cost issues.

The drivers behind BYOD are twofold, explained Andreas Baumhof, chief technology officer at ThreatMetrix. Part of it is that more and more people want to use their own devices; another factor is that many companies see BYOD as an opportunity to get hardware off the balance sheet. If neither of these two drivers applies, there is no need to consider establishing a BYOD policy, Baumhof said.

Cost is a big factor in the decision to pursue BYOD, he said. The biggest factor, however, is "to provide more flexibility in the workplace and empower the employees to work 'more for less'," Baumhof noted. "By providing access to enterprise applications through a Web browser, it greatly reduces IT overhead and costs involved with managing these assets."

"From a productivity standpoint, most organizations should be looking at BYOD to improve end-user satisfaction, reduce corporate mobile expenses and increase user productivity," said John Engels, principle product manager for Symantec's Enterprise Mobility Group. "However, the decision needs to be made on a company-by-company basis. Organizations that need or want very tight data security controls or need to control what users run on devices may not want to support BYOD and instead stick with corporate-owned devices, at least for those users that require that level of control," Engels said.

When making the decision to take a BYOD approach, businesses should consider the legal considerations around controlling and wiping personal content off a user-owned device as well as the legal and corporate costs associated with losing data via user-owned devices, Engels said. Others include the types of settings, applications and the data required on user-owned devices and the testing and validation required to check desired features on each phone type a company wants to support, he said.

Last but not least, companies should also review their mobile-device management, mobile-application management and mobile security solutions to see what combinations of these products' feature sets meets their needs and security requirements, Engels said. Not every vendor supports management features on all devices, he added.

"Here€™s the thing about BYOD €¦ most times security does not even know BYOD is in the company until after the fact," said Eric Ogren, principal analyst with the Ogren Group. "BYOD is an astonishing trend driven strictly by user convenience. It is telling that security could be the last to know, with a trend that is so important and exposes the corporation to external forces," Ogren said.

"Until IT and security discover ways to transparently put security into the cloud and move away from the hosted Windows agent model, they will always be looking at the tail lights of the BYOD express," he added.