The Box Syndrome

Adopting a BYOD initiative, by definition, leads to corporate data making its way onto a broad range of devices. Unless you provide a secure enterprise alternative that controls the documents themselves, users will often turn to consumer-grade file-sharing services that don’t prevent documents from being forwarded to the wrong people. As recent security issues with Dropbox and legal issues with Megaupload have shown, the consumer cloud is no place for sensitive corporate documents. A recent Palo Alto Networks survey found that organizations on average handle traffic from 13 browser-based file-synchronization services.

BYOD initiatives have to be carefully managed to comply with an alphabet soup of regulations that pertain to how certain sensitive types of data are handled. Whether it’s a spreadsheet full of customer credit card information that makes its way to the Droid of a marketing employee (a payment card industry violation) or the corporate secretary sending confidential, unpublished financial results to a chief financial officer’s iPad in a consumer cloud storage service (a Sarbanes-Oxley Act issue), potential violations abound. If that data is sent or stored unencrypted and one of those devices goes missing, the problem is compounded.

Supporting BYOD means acknowledging that corporate data will be transmitted to and stored by a device that IT cannot fully trust. If IT does not prescribe an alternative, it’s likely that users will find their own ways to access their documents and other data, often turning to personal email accounts and insecure file synchronization services. Once a document is on an unsecured device, it can easily be leaked to any external party, unless IT protects the documents with digital rights or other permissions to actively prevent leakage.

From a legal perspective, a variety of information types can be relevant for litigation. This electronically stored information (ESI) increasingly includes emails and documents stored on smartphones and tablets, which presents problems for both discovery and retention processes. If users are putting documents on those devices using consumer-type file-syncing applications, things become even more challenging.

Large organizations lose dozens—or even hundreds—of mobile devices per year. Those devices may contain regulated information, such as electronic health records or customer information. For most companies that have customers throughout the world, breach notification laws will apply, unless that data is encrypted. For partially managed devices or “sandboxed” applications, organizations may be able to remotely destroy corporate data, unless they run afoul of a different issue: employee privacy.

IT departments often try to use traditional approaches like device management to support BYOD. In countries with strict privacy laws, such as the members of the European Union, enterprises are prohibited from remotely wiping smartphones and tablets that contain employees’ personal data along with corporate data.

BYOD initiatives often lead to the adoption of mobile device management (MDM) or partial management technologies that establish an enterprise container on an otherwise unmanaged device. This approach means that IT becomes responsible for a large number of devices that it did not previously have to manage, extending already-stretched support teams.

The other side of the MDM/containerization coin is, of course, unmanageable devices. Not all containerization solutions work on all platforms, leading to issues when adopting “true” BYOD. For instance, many vendors support Android in a limited way or support only certain versions or form factors, which may not be available from all carriers.

IT help desks are often ill-equipped to support end-user issues with smartphones and tablets, especially when running enterprise applications and handling corporate documents on those devices presents both usability and access issues. For organizations for which bring your own device means “bring your own Apple,” or BYOA, this burden may be eased, but for broader BYOD initiatives with support for Android and other platforms, the challenge is even bigger.

BYOD has taken off in a hurry, leaving most IT organizations struggling to find the right technologies to cope with the radical changes to compliance and security models that BYOD entails. In the rush, many organizations have not managed to update their policies to reflect BYOD issues, which may mean advising users of their new responsibilities and support limitations, as well as security and privacy measures.