In the last few years, technology and connectivity have blurred the line between personal and professional life like never before. That distinction used to be clear and dictated precisely by working days and hours, but more and more people, not only professionals, now find themselves doing business activities (email, calls, documents and so on) in places other than the office.
Working from home requires tools that give access to the business's resources while guaranteeing a minimum level of security and reliability. Cellphones, notebooks and tablets can connect to networks securely, send and receive email and produce documents, and it is fundamental to always have at hand devices that can reach the company's environment and resources. To guarantee that minimum level of security, companies essentially have two approaches: allow the employee, or the partner, to use their own devices, or provide the devices directly, as used to happen in the past.
The rapid evolution of IT and technology, together with an economic crisis that has undermined company finances, has reversed the trend. Users now prefer to work with their own devices, which are often more advanced and modern than those the company would provide. There is a specific English term for this: "consumerization", the closing of the gap between the professional and the consumer worlds.
Let's look at a few figures: according to a 2013 survey by the Innovation Group of 70 medium to large companies, more than 80% allow, or plan to adopt, a BYOD (Bring Your Own Device) policy; previously this option was limited to higher-level employees such as managers and executives.
According to Gartner, BYOD and cloud are the future of IT, so it is appropriate for companies and professionals to be prepared and to understand the advantages and limits these solutions will offer in the near future.
The analysis of business mobility performed by VMware (June 2015) is interesting as well: on a sample of 1000 companies worldwide, although only 14% have already moved one or more business processes to a mobile model, a noteworthy 61% intend to adopt this approach in the short term. For BYOD applied to the individual employee the spread is even greater: 66% of the companies surveyed already ask their employees to use personal devices.
Pros and cons of BYOD
Let's start with the pros. The employee owns a device chosen according to personal preferences and needs, and this consciously leads them to follow the company's business outside working hours. The company only has to provide security and the remote connection to internal resources, while the costs of ownership, hardware upgrades and maintenance fall on the worker, an evident economic advantage. The list of potential cons, however, is much longer. The first consideration concerns multiplatform support: since the choice of device is not limited by company policy, mail services, VPNs and applications must be made available for the greatest possible number of terminals. In the mobile world this means supporting both Google's Android and Apple's iOS. Some solutions exist: VPN access, for instance, can be provided with IPsec or OpenVPN, both of which are supported on both platforms.
At this point the considerable problem of connectivity is inevitable. While it is easy, albeit expensive, to implement complete wireless coverage of the working areas on company premises, the same is no longer true once the communication medium becomes the Internet. In many areas of Italy residential connectivity is still ADSL based, with speeds in the order of tens of Mbps in download and less than 1 Mbps in upload. That is a remarkable bottleneck. The mobile situation is slightly better: recent 3G and 4G services provide higher speeds. In numbers, in April 2015 only 22.3% of the Italian population had access to ultra-broadband (optical fibre with download speed of 30 Mbps or more), while 4G coverage varied from 33% for 3 Italia to 88% for Vodafone (July 2015); in this case the mean download speed is in the order of 10-15 Mbps with peaks above 40 Mbps. Statistics tend to quote only download speeds, but in an off-premises productivity context the main limit is usually the upload speed from the user to the company, and here too mobile connections give the best results.
Once the problems of the user-to-company connection are sorted out, those of data security have to be faced. Safeguarding information is difficult even when it is kept inside the company's walls, and storing documents, emails, contacts and sensitive data on personal devices exposes the company to even greater risks. Loss of devices and data leaks are the first to consider, but damage to the company's whole infrastructure is also possible if an infected machine is connected or used as a Trojan horse.
Many of these risks already existed when employees used company terminals; with BYOD the main difference is that management is left to the individual user, rather than to computers and mobile devices prepared and controlled by IT staff with dedicated operating systems and specific programs. Some measures can still achieve security while leaving the owner free to use the device as they like. Installing a professional antivirus program is as fundamental as checking that the hardware and software of the new device meet the company's requirements (for instance the OS version, and hardware adequate for the company's applications). In addition, software for data protection, device locking and even remote wipe in case of loss or theft must be considered.
Clear policies for a consistent infrastructure
A brief, general analysis of the BYOD approach reveals a clear picture: there are so many possible solutions that specific policies must be implemented. The only way to keep an environment of this kind manageable is to have firm reference points during the purchase, configuration and use of the devices. Defining those references and requirements is an important problem that must be dealt with. Rules have to be consistent yet, as the consumerization we discussed dictates, flexible and constantly updated to keep up with technological progress.
For instance, in business most PCs run Windows 7, while a user buying a computer for personal use will probably end up with Windows 8 or 8.1. An Apple-enthusiast manager may own a brand new iPhone 6, while a consultant less interested in new technology may keep using an old but trusty BlackBerry. The transition to BYOD has to be carefully evaluated from every angle. Defining detailed, up-to-date policies and technical specifications is fundamental, because a badly planned approach can cause severe technical and economic damage to the company infrastructure.
CYOD: a possible alternative
As often happens when two solutions are available, a good approach is to take the best from both worlds. This is CYOD, Choose Your Own Device: the user can choose the device to use, but it must be chosen from a list drafted and approved by IT staff. Usually the company owns the device, freeing the user from buying it while guaranteeing proper configuration, application of policies and control of the devices in use. Another advantage is the possibility of tailoring the offering to the grade or role of the employee.
What the employee thinks
BYOD involves both the company and the employee. Let's analyze the approach and perspective of each, offering some useful advice.
Let's start with the employee: we have already seen that using a personal smartphone or notebook has some cons, and it also brings practical difficulties. For instance, internal IT staff may be reluctant to do maintenance and support on private devices, so it is the user's duty to intervene autonomously in case of problems.
Email and the business calendar are the two most common activities, but also the ones most exposed to risks arising from carelessness. Using a personal account instead of the business one is easier than you might think, and the consequences of a private email sent as a business one, or of sensitive information reaching outsiders, can be very severe. Separating the business account from the personal one with two completely different addresses (say a Gmail address and a @companydomain one) is not enough; using dedicated clients may help. On Android, the Gmail app offers total integration with Google's email accounts but cannot be configured for other accounts; Aqua Mail and the native Email client are free and multi-account, but they are far from professional solutions like Microsoft Outlook. Outlook is offered in the Office 365 Business package, includes calendar, address book and agenda, and integrates completely with the business Exchange infrastructure and the desktop client. On the desktop, the most common alternative to Outlook is Mozilla's Thunderbird, while Apple offers the Mail client natively on desktops as well as on mobile devices; Mail is complete, functional and integrates well with the main email services.
A note on the multi-user feature Android offers on tablets. Since version 4.2, "Jelly Bean", it has been possible to create two or more users with completely separate data, applications and settings, an excellent way to let private and business life coexist on the same device. With the 5.0 release, "Lollipop", this feature was extended to smartphones as well. Regarding the importance of constantly updated policies, this is a case where the operating system version becomes decisive in choosing the smartphone to use as a BYOD device.
The notebook world is different, as both Microsoft and Apple natively separate data and applications between users. Other useful ways to separate private and professional life include dual-SIM smartphones, mostly Android based, which offer good performance and two different phone numbers on a single device rather than on two separate cellphones that are awkward to carry.
The approach of the company
While the user has to evaluate problems related to daily use of the devices, the company has to take many more factors into account. We have already discussed data security, connectivity and remote access to services; another side of BYOD is its use in the different departments of the company. We are obviously talking about medium to large companies with several departments, and here too a specific evaluation for each enterprise is fundamental.
Beyond the bandwidth limits imposed by the national network, granting safe remote access requires some system-administration considerations. In some cases opening a few ports on the firewall may be enough to connect off-premises applications to internal services, but this kind of traffic must never travel unencrypted: it absolutely needs encryption, for example TLS (formerly SSL). An alternative approach to planning internal access from outside is to use VPN solutions, which provide dedicated, secure access to the business network, for instance letting an employee's notebook behave as if it were connected to the office LAN. The advantage is clear: the off-premises worker can accomplish business tasks wherever an Internet connection is available.
Several solutions exist, but given the professional nature of the matter it is essential to consider well-known, reliable and qualified platforms such as IPsec or OpenVPN. It goes without saying that this software must be properly installed and configured before actual use, and we insist again on the importance of centralized control of the adopted devices by IT staff. Using a VPN has aspects that must be treated with care: since, from the employee's perspective, working remotely is like working locally, resource access should be regulated. For instance, a user with administrative access to machines (servers, network devices, storage and so on) when in the office should not automatically have the same permissions when working from outside: a device connecting over the Internet is more exposed, so administrative protocols can be restricted to the office LAN while the VPN grants only the services the remote worker actually needs.
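The following is an added example, not code from the article or from any of the products it mentions. It models a first-match packet filter (top-down, first matching rule wins, as pfSense processes its rules) and shows the split just described: the same administrator reaches SSH and RDP on the servers from the office LAN, but over the VPN only mail, files and intranet are allowed. It also flags a rule that can never match, which is the usual way such a restriction is accidentally defeated. All subnets, ports and rule sets are assumptions chosen for illustration.

```python
# Added example (not from the article): a first-match packet filter, in the
# style of the top-down rule processing pfSense uses, showing how the same
# administrator gets different rights from the office LAN and over the VPN.
# All subnets, ports and rule sets below are assumptions for illustration.
import ipaddress
from dataclasses import dataclass

OFFICE_LAN = "10.10.0.0/16"   # assumed office LAN
SERVERS = "10.10.50.0/24"     # assumed server VLAN inside the office LAN
VPN_POOL = "10.99.0.0/24"     # assumed address pool handed to VPN clients
ADMIN_PORTS = frozenset({22, 3389})        # SSH, RDP
USER_PORTS = frozenset({443, 445, 993})    # HTTPS, SMB, IMAPS


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    ports: frozenset      # destination TCP ports; empty set means any port
    comment: str = ""


# Deliberate order: the block for admin protocols comes before the pass,
# so it is matched first and cannot be shadowed.
LEAST_PRIVILEGE_RULES = (
    Rule("block", VPN_POOL, SERVERS, ADMIN_PORTS, "no SSH/RDP to servers from VPN"),
    Rule("pass", VPN_POOL, SERVERS, USER_PORTS, "mail, files, intranet for remote users"),
    Rule("pass", OFFICE_LAN, SERVERS, frozenset(), "office LAN reaches servers freely"),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0", frozenset(), "default deny"),
)

# A careless ruleset: VPN clients are treated "as if on the office LAN" with
# an unrestricted pass placed first. The block below it is never reached.
CARELESS_RULES = (
    Rule("pass", VPN_POOL, SERVERS, frozenset(), "VPN = office LAN (too broad)"),
    Rule("block", VPN_POOL, SERVERS, ADMIN_PORTS, "shadowed, never reached"),
    Rule("pass", OFFICE_LAN, SERVERS, frozenset(), "office LAN reaches servers freely"),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0", frozenset(), "default deny"),
)


def decide(src_ip, dst_ip, dport, rules=LEAST_PRIVILEGE_RULES):
    """Return (action, comment) of the first rule matching the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        in_src = src in ipaddress.ip_network(rule.src)
        in_dst = dst in ipaddress.ip_network(rule.dst)
        port_ok = not rule.ports or dport in rule.ports
        if in_src and in_dst and port_ok:
            return rule.action, rule.comment
    return "block", "implicit deny"   # nothing matched


def shadowed_rules(rules):
    """Comments of rules that can never match because an earlier rule with
    no port restriction already covers their source and destination."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_src = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            covers_dst = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            if covers_src and covers_dst and not earlier.ports:
                shadowed.append(later.comment)
                break
    return shadowed


if __name__ == "__main__":
    for ip, port in (("10.10.3.7", 22), ("10.99.0.5", 22), ("10.99.0.5", 443)):
        print(ip, port, decide(ip, "10.10.50.10", port))
    print("shadowed in careless set:", shadowed_rules(CARELESS_RULES))
```

The point of the second rule set is ordering: a rule that passes everything from the VPN pool placed above the restriction makes the restriction dead, and a firewall GUI will not complain. Running a shadowing check like the one above over an exported rule set is a cheap way to catch that before a remote administrator session is the one doing the finding.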
Those who have not installed a commercial firewall yet should consider the open source project pfSense (www.pfsense.org); based on FreeBSD, it installs without particular problems on a common computer, even an old one, as a virtual machine, or on dedicated appliances (like PC Engines' Alix based platforms). The developers also offer commercial support if needed (in English only, starting from 400 US$).
pfSense supports IPsec, PPTP and OpenVPN. PPTP should be avoided: its MS-CHAPv2 authentication has been broken for years and the protocol offers no real protection for business traffic, so IPsec or OpenVPN are the only sensible choices. It is interesting to note that creating a VPN with OpenVPN, one of the most complex technologies available, is assisted by a helpful wizard and by a plugin (Client Export) that directly exports the files needed for the connection on the main operating systems (Windows, Linux, Mac, iOS, Android).
An interesting commercial alternative is Kerio Control (www.kerio.com): very easy to use, with an intuitive interface and with content filtering, a feature not found in free products. Most operations are easily performed thanks to the interface, which is completely translated into Italian. Complete support is also available through the two Italian distributors (Coretech, www.coretech.it and Multiwire, www.multiwire.net). The price is interesting too: 258.64 € (including VAT) for the first 5 users.
We have seen that complete WiFi coverage is a fundamental aspect of a working BYOD setup in the company, but it can expose internal resources to too-easy access by employees or, if badly configured, by former employees or even guests.
On this topic, it is good practice to provide Internet access (or access to a limited set of business functions) to occasional WiFi users through a dedicated guest network. This network normally grants no access to the company infrastructure (servers, network devices, storage and so on). The solution can be implemented in several ways; the best approach is to buy devices with native guest-network management.
Ubiquiti (www.ubnt.com) offers the UniFi platform for such networks: a series of access points with centralized management software. These devices implement a native guest network, configuration is easy, and they are managed from a centralized control interface. Several subnets can be created, each with its own access policies. UniFi is distributed in Italy by Sice Telecom (www.sicetelecom.it). Naturally many other solutions are on the market, for instance from D-Link and Netgear.
These solutions are, however, closer to home or SOHO use than to corporate use, and the size of the company architecture and the security criteria must grow together. For medium to large enterprises it is essential to move to more advanced solutions based on WPA2-Enterprise (802.1X), integrated for example with Active Directory in a Windows Server environment. These systems use a centralized authentication service called RADIUS (Remote Authentication Dial-In User Service) that requires one or more dedicated servers. This kind of management, although more demanding in hardware and software resources, guarantees more advanced security features, like barring personnel who are no longer authorized without changing the password on the entire network: each user authenticates with personal credentials, so a single account can be disabled centrally, whereas the pre-shared key of a WPA2-Personal network would have to be rotated on every device.
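The exchange behind that centralized authentication, as an added example that is not part of the article and not the code of any RADIUS product: a client (the access point, in RADIUS terms the NAS) builds an Access-Request with the user's name and password, the server answers Access-Accept or Access-Reject, and both sides use the shared secret to hide the password and to sign the reply, exactly as RFC 2865 specifies. It is reduced to PAP so it runs offline; a real WPA2-Enterprise deployment carries EAP inside the same RADIUS framing and adds a Message-Authenticator attribute, but the user database and the way one account is disabled without touching anyone else are the same. The shared secret, user names and passwords are constructed test data.

```python
# Added example (not from the article): the RADIUS Access-Request /
# Access-Accept exchange of RFC 2865, reduced to PAP (User-Password) so it
# runs offline. Shared secret, users and passwords are constructed test data.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # code, identifier, length; then a 16-byte authenticator


def _attr(atype, value):
    """One attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator instead of a previous block."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\0")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(ident, username, password, secret):
    """Client side (the access point): fresh random Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


# Server-side user database: disabling one record revokes that person's WiFi
# access without touching any other device or any network-wide secret.
USERS = {
    b"alice": {"password": b"correct horse", "enabled": True},
    b"bob": {"password": b"battery staple", "enabled": False},   # has left the company
}


def handle_request(packet, secret, users=USERS):
    """Server side: decide and sign the reply with the Response Authenticator."""
    _code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    record = users.get(attrs.get(ATTR_USER_NAME))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = record is not None and record["enabled"] and hmac.compare_digest(record["password"], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    header = HEADER.pack(code, ident, 20 + len(reply_attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def check_response(response, request, secret):
    """Client side: reject replies whose identifier or Response Authenticator
    does not verify, so a spoofed Access-Accept on the LAN is not trusted."""
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1]:
        raise ValueError("identifier does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator")
    return code


if __name__ == "__main__":
    secret = b"shared-secret-between-AP-and-RADIUS"   # constructed
    for user, pw in ((b"alice", b"correct horse"), (b"bob", b"battery staple")):
        req = build_access_request(1, user, pw, secret)
        print(user.decode(), "->", check_response(handle_request(req, secret), req, secret))
```

Two things the code makes visible that the prose only implies. Revoking bob is a one-field change on the server: every access point keeps working with the same shared secret and no user has to learn a new password. And the shared secret is what makes the reply trustworthy, so it deserves the same care as any other credential: a long random value per access point, carried over a management VLAN, never the vendor default.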
Another solution, often used where the number of guest users is high (airports, stations, public areas), is a captive portal. With this technology, a device's first access requires authentication from the gateway, and from then on the session is bound to that device, in practice to its MAC and IP address, which a determined user can copy from an already authenticated one; a captive portal therefore controls Internet access for guests but should not be treated as strong authentication for company resources. It may not be the most comfortable system, but it is certainly useful in many contexts. This feature can be managed directly by the firewall (like the aforementioned pfSense or Kerio Control) as well as by centralized WiFi infrastructures like Ubiquiti's UniFi.
Devices under control
Once a BYOD policy is adopted, it is essential that IT staff are prepared to handle the situation.
Manual management of each device is obviously out of the question; the solution is dedicated software for automatic, centralized control of the devices. Even if the notebook connects without bandwidth problems, several things have to be inspected: an up-to-date OS and antivirus, the absence of potentially dangerous files, the correct configuration of the remote connection and so on. When one of these security conditions is not met, it is the system's job to detect the problem and temporarily isolate the device until it is restored to compliance.
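What such a compliance gate decides, as an added example rather than code from the article or from any management product: it takes the posture report an agent would send (platform and OS version, antivirus signature date, disk encryption, root status), checks it against the requirements listed earlier for accepting a device (minimum OS version, protection against loss) and here (fresh antivirus), and returns either admission or quarantine together with the reasons, which is what the isolating system has to tell the user. The policy thresholds, the reference date and both posture reports are constructed assumptions.

```python
# Added example (not from the article): a compliance gate that admits a
# BYOD device or parks it in quarantine until it is fixed. Thresholds,
# posture reports and the reference date are constructed assumptions.
import re
from datetime import date

POLICY = {
    # minimum OS version per platform: Windows 7 reports itself as 6.1,
    # Android 5.0 is where per-user separation reaches phones, iOS 8 is an
    # assumed oldest supported release
    "min_os": {"windows": (6, 1), "android": (5, 0), "ios": (8, 0)},
    "max_av_signature_age_days": 3,
    "require_disk_encryption": True,
    "allow_rooted": False,
}

TODAY = date(2015, 7, 1)   # constructed reference date for the examples

# Constructed posture reports, as a management agent would send them
NOTEBOOK = {"id": "nb-alice", "os": "Windows", "os_version": "6.1.7601",
            "av_signatures": "2015-06-30", "disk_encrypted": True, "rooted": False}
PHONE = {"id": "ph-bob", "os": "Android", "os_version": "4.4.2",
         "av_signatures": "2015-06-10", "disk_encrypted": False, "rooted": False}


def parse_version(text):
    """'6.1.7601' -> (6, 1, 7601). Tuples compare element by element,
    so (6, 1, 7601) >= (6, 1) and (4, 4, 2) < (5, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def evaluate(report, today=TODAY, policy=POLICY):
    """Return ('allow' | 'quarantine', [reasons])."""
    problems = []

    platform = report.get("os", "").lower()
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        problems.append(f"unsupported platform {report.get('os')!r}")
    elif parse_version(report.get("os_version", "0")) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        problems.append(f"OS {report['os_version']} older than required {wanted}")

    try:
        age = (today - date.fromisoformat(report["av_signatures"])).days
    except (KeyError, ValueError):
        age = None   # no report or unparsable date counts as stale
    if age is None or age > policy["max_av_signature_age_days"]:
        problems.append("antivirus signatures missing or older than "
                        f"{policy['max_av_signature_age_days']} days")

    if policy["require_disk_encryption"] and not report.get("disk_encrypted"):
        problems.append("storage not encrypted: data at risk if the device is lost")
    if report.get("rooted") and not policy["allow_rooted"]:
        problems.append("rooted/jailbroken device")

    return ("allow" if not problems else "quarantine"), problems


if __name__ == "__main__":
    for rep in (NOTEBOOK, PHONE):
        decision, reasons = evaluate(rep)
        print(rep["id"], decision, *reasons, sep="\n  ")
```

The decision is deliberately an all-or-nothing gate with an itemized explanation: a device that fails one check lands in the quarantine network with a message saying what to fix, and is re-evaluated on the next report rather than by a helpdesk ticket. Note that the same policy object serves the intake check of a new device and the continuous check of one already enrolled, so tightening a threshold (for instance raising the Android minimum once a new release matters for the company) takes effect everywhere at once.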
Until a few years ago, the mobile world (smartphones and tablets) and the notebook world (PC or Mac) had to be analyzed separately, but the quick evolution of mobile operating systems has practically put them on the same level. Nowadays a notebook and a smartphone can both store tens of GB of data, both platforms have problems linked to upgrade releases, and the amount of malicious software keeps growing. Whoever manages machine compliance has to guarantee access only to those whose hardware and software are perfectly in order.