This is the second of a three-part series on Challenges for Higher Education CIOs – Consumerization of IT.
The particular focus of this challenge is the rise of mobile computing commonly known as “Bring Your Own Device” (BYOD). This trend is changing the education mandate, particularly how faculty teach course materials to their students with mobile devices and how students engage with their schools. This trend also creates a new channel for higher education institutions to engage with their extended communities of students, faculty, researchers and staff. “CIOs must get ahead of the consumerization curve by coming to terms with what is valuable and productive about the influence of consumer IT.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 4)
More and more students and employees demand the option to use their consumer IT devices to work and learn. This blend of work and life, combined with flexible work hours, also contributes to an atmosphere where people want to be able to work with the tools of their choice. “Work is no longer a place you go to, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3) Organizations will have no choice but to address the demands of their employees and students. IT departments in particular play a key role in articulating the IT security impacts of BYOD programs on their organization. Blount explores the Consumerization of IT – Security Challenges by describing the challenges, the opportunities and the benefits. “This important trend is not just about new devices; it’s about the entire relationship between IT and its user population.” (Blount, 2011, p. 3) BYOD is not just a technology or device specific issue.
Some of the categories this trend affects are mobile phones, storage, innovative services, dynamic content creation, update cycles, and style and customization. (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)
Corporate vs. Consumer IT (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3)

| Category | Corporate Space | Consumer Space |
|---|---|---|
| Mobile phones | Devices with functionality limited to phone calls and email, typically Blackberry | Smart phones offering tens of thousands of useful apps, typically iPhone or Google Phone |
| Storage | Restricted storage for files and email | Providers such as Google and Yahoo offering virtually unlimited storage |
| Innovative services | Static employee directories and cumbersome proprietary platforms | Social networks such as Facebook and LinkedIn used for both socializing and working |
| Dynamic content options | Outdated static content within corporate intranet – centralized maintenance and control | Blogging, wiki, social networking and content services allowing consumers to create, customize, and manage the content they want |
| Update cycles | Long replacement cycles – up to four years for hardware and eight years for software | Very rapidly updated hardware – immediate download of new apps and services |
| Style and customization | Highly standardized, inflexible and often restricted environment (“beige box”) | High variety of consumer devices, systems, applications and “skins” |
Bernard describes four dimensions of security: physical, data, personnel and operations (Bernard S. A., 2005, p. 329). These were expanded by Bernard and Ho into a Security Architecture Framework with eight security layers (Bernard & Ho, 2007). Their paper used the eight layers to describe the impacts on IT security architecture when organizations implement a BYOD model.
Summary – “Use What You’re Told” (UWYT) endpoints and employee/student BYOD:

| Security Layer | UWYT – Employer | BYOD – Employee/Student |
|---|---|---|
| Information Security Governance | Standardized endpoints with a Block or Disregard policy approach – “tightly coupled” control of all layers of architecture – focus on corporate control – this is a corporate liable model | Move to a “loosely coupled” approach to endpoint management. This is not an endpoint-centric approach – focus on policy, culture change and controlling the applications, systems and information layers – requires a BYOD policy to be in place describing responsibilities of employer and employee – this is a blend of a corporate and individual liable model |
| Operations | Centrally supported data and endpoint service, standard security, antivirus and data protection – requires an acceptable use policy but no mention of personal endpoints | Expands the scope of support to a hybrid model – internal for data, external vendor for endpoint, distributed security, antivirus and data protection |
| Personnel | Lesser level of employee/student technical ability due to central support, no tax implications as these endpoints are considered equipment, standard user experience and support. Lower costs to create and deliver training on standard endpoints | Higher level of employee/student technical ability due to hybrid support, stipend model may result in income tax implications; potential confusion for users resulting in unsatisfactory service, a BYOD policy must be created. Higher costs to create and deliver training, especially about information security |
| Information and Data Flow | Centrally provisioned and secured information to meet regulatory and compliance rules and audits. Access controls limit data leakage based on information classification methods | Leverages centrally provisioned and distributed security, needs an ability to wipe enterprise data but not personal data, more controls required to meet regulatory and compliance rules and audit – digital rights management |
| Application | Entire application infrastructure contained to corporate endpoints to limit vulnerabilities and data leakage. Provides employees with only the applications they need and typically with a lesser user experience | Focus on open standards that will run on any endpoint; consideration for future applications (buy or build); strategies needed to separate personal apps from enterprise apps due to the possibility of inappropriate data access |
| System | Centralized control of access to applications, systems and information using IAM and PKI security; IT controls the access process instead of relying on HR business processes | Strong reliance on HR business processes to notify of changes in employee status in a timely manner; IAM is a critical technology and security strategy and needs investment to properly create role based access and remove access in a timely manner |
| Infrastructure | Layered security approach to network access that restricts access to the wired network for accessing enterprise applications, systems and information. Blocks external endpoints from accessing the network | Layered security approach for network access gets augmented by implementing a Limited Access Zone for BYOD devices; use Network Access Control to verify adequate malware and patch protections before allowing access |
| Physical | This is a key security layer for UWYT as it restricts physical access to key applications, systems and information. This security layer is compromised as soon as an endpoint is taken out of the physical protection of the corporate workplace. | Physical security is ineffective for BYOD as most of the endpoints are mobile; reliance on the other key security layers is mandatory to reduce risk |
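To make the Infrastructure layer of the table concrete, here is an added illustration (not code from the original post or any cited source) of a Network Access Control decision: corporate-owned UWYT endpoints that pass antivirus and patch checks keep enterprise network access, compliant personal BYOD endpoints are placed in the Limited Access Zone, and anything that fails a check is quarantined for remediation. The posture fields, thresholds and sample endpoints are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed posture thresholds (constructed for this illustration).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass(frozen=True)
class EndpointPosture:
    """What a NAC agent or posture assessment reports about one endpoint."""
    device_id: str
    corporate_owned: bool       # True = UWYT endpoint, False = BYOD endpoint
    antivirus_running: bool
    av_signature_date: date
    last_patch_date: date
    disk_encrypted: bool


def assess_posture(p: EndpointPosture, today: date) -> list:
    """Return the failed checks; an empty list means the endpoint is compliant."""
    failures = []
    if not p.antivirus_running:
        failures.append("antivirus-not-running")
    elif (today - p.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus-signatures-stale")
    if (today - p.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches-out-of-date")
    if not p.disk_encrypted:
        failures.append("disk-not-encrypted")
    return failures


def assign_zone(p: EndpointPosture, today: date) -> str:
    """NAC decision: 'enterprise', 'limited-access' or 'quarantine'."""
    if assess_posture(p, today):
        return "quarantine"        # remediation-only network segment
    # Compliant UWYT endpoints keep full access; compliant BYOD endpoints
    # land in the Limited Access Zone (e.g. virtualized app/desktop access).
    return "enterprise" if p.corporate_owned else "limited-access"


def sample_decisions(today: date = date(2011, 9, 1)) -> dict:
    """Constructed sample endpoints run through the NAC decision."""
    samples = [
        EndpointPosture("lab-pc-01", True, True, date(2011, 8, 30), date(2011, 8, 20), True),
        EndpointPosture("student-phone", False, True, date(2011, 8, 31), date(2011, 8, 25), True),
        EndpointPosture("faculty-laptop", False, True, date(2011, 7, 1), date(2011, 8, 25), True),
        EndpointPosture("visitor-tablet", False, False, date(2011, 8, 31), date(2011, 5, 1), False),
    ]
    return {s.device_id: assign_zone(s, today) for s in samples}
```

The quarantine segment is where a BYOD program's hidden support cost shows up: every stale-signature or unpatched personal device becomes a help-desk interaction before it can reach enterprise applications.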
Some final overall considerations for moving from a Block/Disregard strategy to a Contain/Enable strategy for BYOD are (ProfitLine, 2011, p. 2):
- The major pricing and contractual benefits that are lost when moving to an individual liable model
- The hidden IT support costs and potential user experience issues
- The increased security risk and policy ramifications
Each organization needs to consider the impacts of the endpoints supported, the data on those endpoints, identity management, employee/student on-boarding and off-boarding and providing an endpoint independent platform to deliver data and information.
A Proposed Approach to Introduce BYOD for Higher Education
This proposed approach requires executive leadership and strong project management. The project plan should allow for conducting the policy and research activities in parallel. Implementing the Policy and Technology strategies requires budget and resources for successful deployment and ongoing support in a BYOD Contain/Embrace strategy.
Bernnat et al. suggest two approaches to accommodate using consumer IT. The first option is the “Bring In” approach. This approach “involves opening the corporate IT environment to private use and letting employees’ digital lives freely enter their work environments.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6) The second option is the “Reach Out” approach. This approach “reaches out to employees, allowing them to use their personal devices – even PC’s – to do their work.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6)
Each of these approaches has different resource, policy, support and oversight requirements.
| BYOD Management Plan | Resource Alignment | Standardized Policy | Decision Support | Resource Oversight |
|---|---|---|---|---|
| Bring In Approach | Use existing resources for endpoint management because the endpoints are employer owned | Implement Information Security and BYOD Policy for private Web use on employer owned endpoints | Employees have a wide variety of employer supplied endpoints to choose from; enterprise apps are pre-installed and employees can add personal apps | Employees use company owned endpoints and there continues to be a high degree of employer control |
| Reach Out Approach | Increase support resources for endpoint management because of the mix of employer and employee owned endpoints | Implement Information Security and BYOD Policy for employee endpoints and private Web use | Employees/students bring their own endpoints for use at work; access to enterprise apps is controlled by virtualization technologies for apps and desktops | Employees/students need to ensure their endpoints comply with employer standards; employers need to establish standards and monitor security access |
The management plan also addresses Risk Management issues for BYOD programs. Key areas for risk management are (Bernnat, Acker, Bieber, & Johnson, 2010, pp. 7-8):
- Security – specifically network security and data leakage
- Productivity – potential lost productivity with web surfing distractions
- Legal and Compliance – ensuring compliance to privacy and copyright laws
- Reputation – employees and students making poor judgements when interacting on social media
- Support and Maintenance Costs – heterogeneous endpoint environments increase support costs
- Risks – employees and students may not be able to do their work (in a timely manner) when their personal endpoint fails and requires replacement
All of these risks must be considered and planned for, both in the creation of policy and in the development of technology/security solutions for the consumerization of IT.
The next post will be on the third Challenge for Higher Education CIOs – Cloud Computing Services.
References

Bernard, S. A. (2005). An Introduction to Enterprise Architecture (2nd ed.). Bloomington, IL: AuthorHouse.

Bernnat, R., Acker, O., Bieber, N., & Johnson, M. (2010). Friendly Takeover: The Consumerization of Corporate IT. Retrieved from Booz & Company: http://www.booz.com/media/uploads/Friendly_Takeover.pdf

Blount, S. (2011, Aug). The Consumerization of IT: Security Challenges of the New World Order. Retrieved from Computer Associates: http://www.ca.com/us/~/media/Files/TechnologyBriefs/Consumerization-of-IT-Tech-Brief.pdf

ProfitLine. (2011). The Hidden Risks of a “Bring Your Own Device” (BYOD) Mobility Model. Retrieved from ZDNet: http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_Device_BYOD_Mobility_Model_1_19_2011.pdf