By Tanu Sood on Jan 14, 2013
The BYOD Culture
Author: Mike Nelsey
Ask most employees what they want from their IT department and they will say “usable devices that connect to services that are there when I need them…”, “always on” or something akin to that. What they are really saying is “I want something like what I use at home – in fact, why can’t I use mine, as it is far better than this outdated pile of junk you’ve given me and insist I use?” And they’re right in many cases, save for highly secure or confidential environments.
The everything-everywhere culture that modern users – not just Generation Y – have come to expect can come at a price. We’re not here to tell you how to run a BYOD scheme or what policies you should have; they are well documented, and it is accepted that a good BYOD approach can improve productivity. How organisations securely extend the range of data that can be made available, and manage who can use their device, where, when and how, becomes an expanded security challenge, particularly around identification, audit and compliance.
In the last article we touched upon boundaries moving, disappearing or being pulled in to surround our data. In effect, data, and more importantly the identity of those accessing it, is becoming the new boundary.
What’s really new, then? Arguably, we are turning our internal users into consumers, treating them the way media companies, for example, treat theirs: a consumer’s rights are managed according to what they are accessing, from which location, on which device, and even within which time window. Let’s learn from this for our internal users.
Such an approach will require an update of risk and threat models to build a consumer-oriented approach that drives context-based access control. Our systems will need to assess the overall risk of an access request and supply the data accordingly. After all, in many cases the data being accessed is the same, whether for the consumer or for the employer’s users.
However, we make the step to a consumer-based model not only with the risks mentioned above, but also with the risk of disenfranchising our users, because we still want them to prove who they are, and prove it to us, depending upon the risk matrix of the data request. Again, we should be able to learn from and replicate the innovation of the consumer-side model. For example, if our users are logging on to review low-level information, say shift rotas, then why can’t they use their social media logins? If they then want to move on to look at more sensitive data, we can step up the authentication at that point. This is appropriate access control, designed with the needs of the users and the business in mind.
Separating out the controls in this way means that we can have fine-grained privilege and authorisation layers to set who can see what, how, when and where, removing the complexity of a multi-layered security approach from the underlying applications and taking this layer out of the applications per se. Simplification driving improved security and improved user experiences.
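The step-up model described above (social login for low-level data such as shift rotas, stronger authentication as sensitivity or contextual risk rises) can be expressed as a small policy function that sits outside the applications. The code below is an added example, not from the original post or from aurionPro SENA; the data classification, the three context signals and the one-level raise for two risky signals are an assumed policy, and the deny rule for confidential data on unregistered devices reflects the post’s caveat about confidential environments.

```python
# Context-based access decision with step-up authentication (added example, assumed policy).
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """How strongly the user has proved who they are in the current session."""
    SOCIAL = 1     # social-media login (federated consumer identity)
    PASSWORD = 2   # corporate credentials
    MFA = 3        # corporate credentials plus a second factor


# Baseline assurance each data class needs before context is considered.
# Assumed classification: 1 = low (e.g. shift rotas), 2 = internal, 3 = confidential.
BASELINE = {1: Assurance.SOCIAL, 2: Assurance.PASSWORD, 3: Assurance.MFA}


@dataclass
class AccessContext:
    sensitivity: int          # 1..3, see BASELINE
    device_registered: bool   # personal (BYOD) device enrolled with IT vs unknown device
    usual_location: bool      # request comes from a location this user normally works from
    business_hours: bool
    session_assurance: Assurance


def required_assurance(ctx: AccessContext) -> Assurance:
    """Baseline for the data class, raised one level when two or more context signals are risky."""
    risky = sum([not ctx.device_registered, not ctx.usual_location, not ctx.business_hours])
    level = BASELINE[ctx.sensitivity]
    if risky >= 2:
        level = Assurance(min(level + 1, Assurance.MFA))
    return level


def decide(ctx: AccessContext) -> dict:
    """Return allow / step-up / deny plus a reason string suitable for the audit trail."""
    if ctx.sensitivity == 3 and not ctx.device_registered:
        return {"decision": "deny", "reason": "confidential data requested from unregistered device"}
    need = required_assurance(ctx)
    if ctx.session_assurance >= need:
        return {"decision": "allow",
                "reason": f"session at {ctx.session_assurance.name} meets {need.name}"}
    return {"decision": "step-up", "to": need.name,
            "reason": f"session at {ctx.session_assurance.name}, {need.name} required"}
```

Because the decision and its reason are returned together, the same call can feed both the enforcement point and the audit log the post calls out as part of the compliance challenge.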
So BYOD in isolation is insufficient. Come to that, BYOD is an opportunity to take a broader approach to data and identity controls as a part of a considered approach.
In the next blog we will look more closely at how consumer and social identities are being used as a foundation to accelerate application development and simplify the end-user experience, encouraging faster and broader adoption of new services.
About the Author:
Mike Nelsey, Managing Director, aurionPro SENA
Working in the IT industry since the early 90s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy, moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.