Consumerization is not BYOD, and what that means for security
Updated on Wednesday, 7 March 2012 04:15

…and BYOD doesn’t necessarily mean consumerization. Here are some key differences that affect how we’ll manage and secure devices following these two trends.

One of the points I made during my talk at today’s CITE (Consumerization of IT Expo) conference here in San Francisco was to differentiate between trends in consumerization and BYOD. Right now, the thinking is there’s a lot of overlap, and while that may be the case at the moment, I anticipate a change in the near future. Here are some key differences that affect how we will manage and secure devices following these two trends.

BYOD (Bring Your Own Device) is the emerging trend of organizations allowing managed users to supply and use their own device of choice at work. These are personally-owned devices that will be, in most cases, dual-purpose, hosting both personal and professional applications.

I see a lot of hurdles in this trend, mostly centering around psychological aspects, and a drastic change in mindset to one that can accept the commingling of personal and corporate applications and data. There will also be a slew of new technical complications: support and troubleshooting on various platforms, and working through web-based business apps that only work well on one or two browser platforms. I certainly anticipate issues with compatibility of installed applications, and maybe even antivirus and web browsing habits.

It’s possible that BYOD devices may not even be consumer-grade devices in the end. With the complexities of platforms and interoperability, we may see organizations negotiating with vendors for special pricing and bulk discounts for employees to purchase enterprise-class machines to use, for home and work. If you can have a solid state drive, more memory and a better OS for the same money, why not?

It’s going to be a bumpy ride for BYOD, but we’ll reserve those thoughts for another discussion. Let’s move on to consumerization.

Consumerization is the matriculation of consumer devices into the business market. It’s been a term used since the early 2000s, and in today’s discussions we use the word to directly address consumer devices being introduced directly to the enterprise environment. Consumerization at this moment seems to be a phase of “introduction” versus “adoption” or “adaptation”.

Organizations are now purchasing these consumer-grade devices and managing them alongside the already-established enterprise-class devices. The best example is the rampant adoption of tablets – from hospitals and doctors’ offices to government facilities and enterprises all over. These things were designed to be toys; to watch movies, read books, play music and games. They weren’t designed with manageability and security in mind. And, because of that, we have some unique hurdles to overcome in the next 6-12 months as we introduce these little misfit devices into our networks.

I’ve worked with two organizations recently that returned entire batches of tablets because the entire OS choked and died after indeterminate periods of time being connected to secured 802.1X (WPA2-Enterprise) wireless networks. After much research and digging, I found the issue to be a common chipset and driver. It was apparent the manufacturer had no plans to address or fix the issue, so back in the box they went. In environments like hospitals, pre-shared key schemas aren’t an acceptable level of security for these devices.

Another great example came from my friend Gal Shpantzer, when he pointed out that most of today’s FDE (full disk encryption) solutions authenticate at pre-boot and aren’t set up to take input from touch-only devices, such as tablets. At least one vendor has worked through this, and I expect we’ll see other FDE solutions following suit.

These are just two examples of special considerations we’re making so we can introduce and secure these devices. As the months pass and more organizations jump on the bandwagon of adding toys to the environment, I’m sure more gremlins will pop up, and the market will respond in its usual Whack-a-Mole style, addressing each as it rears its little head!

To summarize, there’s a lot of anticipated overlap between BYOD and consumerization, but to secure them effectively, they need to be addressed as two different trends, with different sets of challenges and solutions.

# # #

1 Comment
  1. Brian Duckering   |  Thursday, 08 March 2012 at 3:54 pm

    It seems to me that the primary vendors of so-called “consumer” devices have come a long way in the past year or so in regards to supporting the needs of businesses to secure and manage these devices. Even some of the most consumer-centric vendors have added a tremendous amount of manageability features into their operating systems, to the point where businesses can now use MDM solutions, such as those from the company I work for, to manage applications, security and network settings and wipe corporate data from the device without touching personal assets. Given this, the distinction between BYOD and consumerization today seems more about who will pay for the device than any differences in philosophy or strategic approach to mobility.

    Brian Duckering
