As many states and localities adopt “bring your own technology” policies, they can look to examples from business for ideas on how to handle issues such as device purchase and security measures to protect enterprise data.
Consider ArenaNet, where employees can purchase personal notebooks from a list of more than a dozen high-end machines. The company pays half the cost, says Peter Petrucci, director of IT and network operations, and it also picks up a three-year onsite warranty as well as an accidental damage policy for the devices.
The damage policy and onsite warranty keep employees productive even when the unexpected happens. Employees pay their portion of the notebook’s cost through payroll deductions over a year, interest free, and can take advantage of the program every two years. The catch? For that first year, the machine must be used as a primary or secondary work computer.
The Bellevue, Wash., game developer also lets employees use personal smartphones and tablets. “It took a little bit of back-office architecting to make this happen seamlessly and securely,” Petrucci says. “But we absolutely encourage our employees to come in and use those devices.”
Cisco Access Control Server, with its 802.1X authentication, allows easy yet secure access into ArenaNet’s Wi-Fi network. “Behind that, we deployed a cadre of additional security measures to monitor connections at the edge as well as within our infrastructure,” Petrucci says.
ArenaNet also set standards for everything from acceptable browsers to development tools, including minimum versions and patch levels. Meanwhile, a combination of out-of-the-box and custom applications manages back-end security.
Into the Cloud
Employees at Hawaii Human Resources (HiHR) — which provides Hawaii businesses with payroll processing, benefits and insurance administration, and HR support — have the option to connect just about any personal device to the company’s network.
“We really don’t place any limits on what people can bring in,” says Fred B. Li, the company’s chief systems officer. “Our infrastructure’s totally cloud-based, so everyone works within the Citrix environment.” Employees are welcome to use any device as long as it can connect to the Citrix server.
Internet access is through HiHR’s service provider, which also hosts its Citrix environment. “They have services that we purchase from them [including] firewalls, filters and web filtering,” Li says. Company equipment and employee-owned notebooks must have current virus protection before they’re allowed to connect to the network. An acceptable-use policy ensures that “nothing is actually stored on the person’s personal computer,” he says.
Li believes the Citrix environment helps mitigate security risks considerably. “There’s really nothing much going on locally,” he says, “other than the level of access needed to get into Citrix.”
Naina Vaish, CEO at Green N Brown in Clearwater, Fla., says her company, which sells environmentally friendly lifestyle products, made a conscious decision to accommodate users’ own devices.
The company has a virtualized environment, so all data remains on company servers behind the firewall. Vaish adds that Green N Brown has “deployed a firewall and network intrusion prevention system to control traffic to and from key assets.”
It also uses network access control to check that employee-owned devices have the correct security tools installed and are otherwise compliant with IT standards before accessing the network. The IT staff also uses Websense products to ensure that Internet usage meets the company’s guidelines for work-appropriate content.
For ArenaNet, limiting the machines in the subsidy program lets it enjoy economies of scale in everything from purchasing to ongoing support. Allowing the devices did not add infrastructure costs, Petrucci says. “We would have had to implement antivirus, firewalling, intrusion detection and related systems to be responsible custodians of our data assets, regardless of this employee-purchase program,” he points out.
Plus, the productivity and morale boost make the BYOD effort worthwhile, Petrucci says. “It’s one of those things that you can almost say is priceless,” he says.
Innovation occurs organically in an environment where employees are free to develop with product ideas on so many platforms, Petrucci says.
Green N Brown has experienced a similar morale shift. There’s a positive energy among the staff, Vaish says. Workers say the open IT policies give them a sense of ownership and responsibility: They feel that management entrusts them with the company’s well-being. There are tangible benefits, too. Vaish says IT costs for the year are running 35 percent under budget, which she largely attributes to reduced hardware expenditures.
HiHR’s Li cautions, however, that other expenses can offset reduced hardware costs. For starters, hosting services can be expensive. But he says his company’s internal support requirements have decreased by roughly a full-time IT person. And he also cites the productivity and morale improvements as key wins.
“We’re very much into keeping our employees happy,” Li says. “If it’s reasonable, we’ll try to accommodate them.”
Security implications are a top priority for any BYOD program. “How do we allow this enhanced access, but at the same time keep the keys to the kingdom safe?” Petrucci asks. “You’ve also got hardware and software costs, and you need to ensure your IT group is adequately staffed and has the depth of knowledge to support the devices.”
Establishing strong network protective measures — against everything from viruses to keyloggers — is a primary concern, Li agrees. “There needs to be some kind of scrutiny of any machine that gets hooked up to your network.”
Is BYOD Worth the Risk?
Consider these five risks when starting a “bring your own device” program:
- Network security: Be ready to defend against unauthorized access in addition to controlling uploads and downloads.
- Device security: Enterprise protection should extend to each authorized device.
- Burgeoning support requirements: Wikis and other passive tools can help your organization manage multiple device platforms without getting buried.
- Growing costs: Carefully consider how to implement security protections, additional access portals and wired/wireless infrastructure before jumping in.
- Compatibility: Evaluate your network architecture to determine if a range of platforms and OSs can easily and safely connect.