The entire MDM space is dead when it comes to the bring-your-own-device (BYOD) trend, according to IBRS security analyst, James Turner.
He made the claim during the launch of Kaspersky Endpoint Security for Business in Sydney, explaining that one can not claim to control something that one does not own.
“You have two ways of controlling the data, either by presenting it to the device via HTML5 or by having an encrypted container on the device,” Turner said.
“Either way, you don’t own the device.”
Instead, Turner said MDM is applicable for devices issued by the organisation.
To highlight this disparity, Turner referenced two organisation he dealt with recent, with 10,000 employees between the two of them.
Over the last 12 months, one organisation gave their employees a choice of Blackberry or iPhone.
After that time, Blackberry now only represents 40 per cent of their corporate fleet.
“The second one has been doing it for two years and did the same thing, though also gave the choice of Android,” Turner said.
“In this case, Blackberry represented only 10 per cent.”
Turner highlighted these two cases to show the massive appeal of the non-Blackberry devices among employees.
People who have been interested in these devices are already using them, a trend that Turner refers to as “shadow IT”.
“It is already happening, so organisations are not trying to reclaim control, they are catching up with what users are doing and then provide guard rails around that,” he said.
Field work
When data loss prevention (DLP) was a trend a few years ago, one of the scenarios Turner discussed with clients was how to stop someone from looking at their iPhone, taking a photo and sending it via their Gmail account, essentially passing the IT system.
In terms of gauging what IBRS’ client base is doing in terms of BYOD, Turner said it is already there.
“We talk about BYOD in the same sense of being hacked,” he said.
“Either you’ve been hacked or you’ve been hacked and don’t know it.”
Instead of BYOD, Turner prefers to call it bring-your-own-other-device (BYOOD), because there is a distinction between the gear the company has provided to an employee, and the actual tools used to get the job done.
Turner came to this conclusion after going out and talking to line managers across the field, conducting dozens of interviews with organisations spanning thousands of people, and talking to the staff about how they use the device.
As an example, Turned mentioned one organisation that received a call in the office from someone in the field, who then asked the employee for the information to be sent.
“The person in the field pulls out their iPhone, takes a photo and sends it as an MMS to the other person’s phone,” Turner said.
“That was sensitive information, and it was suddenly there on an outside communications channel that the IT department in the organisation has no record of whatsoever, as well as no ability to control it.”
Turner admits an incident such as this is nothing new, as he has spoken about this for years and it has “been around for as long as IT departments have,” notably with people plugging in their own wireless routers.
“It is the concept of the shadow IT department,” he said.
“That is what BYOOD is about, users out there in the field finding other ways to use technology, which has been consumerised, work for them.”
As such, the best thing an IT department can do is go out and start interviewing the line manager on the field, asking how they use the information and the devices.
“Everyone out there is using Gmail and Dropbox, so how can we provide you with the same capabilities and play catchup, and provide some method of control, which the organisation needs to keep track of what happens with their data,” Turner said.
Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.