
Byod (Bring your own device) in the professional world

Group work about the bring your own device phenomenon. Thanks to all my teammates: MONTÉ Clément, MESSOUSSI ISMAEL, CAMBUZAT Nicolas, BOUTRY Romain.


  1. The « Bring Your Own Device » (BYOD) phenomenon is a trend born with the arrival of increasingly powerful personal devices, which are now essential to how we stay connected to other people. These tools, originally created for the general public, tend to step into the professional sphere because the barrier between private and professional life is porous. It would be vain to ignore or neglect this phenomenon, which is linked to a genuine change that can be described as sociological. Millions of consumers, many of them employees, bought advanced mobile devices such as smartphones or tablets for personal use and then downloaded applications intended to improve their everyday life. This drive to get more out of their devices has created a new feeling: people are becoming dependent on these personal devices. As a consequence, people have been led to “bring their own device” to their workplace, making these devices part not only of their everyday private life but also of their everyday professional life. BYOD may have important implications for the way firms manage their networks, their mobile devices and even their employees. BYOD is thus giving a new meaning to working at one's workplace.

     Group 16: MONTÉ Clément, MESSOUSSI ISMAEL, CAMBUZAT Nicolas, BOUTRY Romain, CÉCILE Kévin
  2. INTRODUCTION

     In 2013, according to a study by VMware, 76% of French information systems directors planned to set up a BYOD system in their companies. BYOD means « Bring Your Own Device ». It consists, for an employee, in bringing a personal device (laptop, smartphone…) to work and using it for professional purposes. It is therefore a trend that blurs the boundaries between work and private life. It is a recent phenomenon that is becoming extremely popular among organizations and employees. Companies have been integrating BYOD into their development strategies for several years: in 2011, 40% of American companies had already stated that they wanted to improve their development through the Bring Your Own Device trend.

     Nowadays, firms cannot ignore the « Bring Your Own Device » phenomenon because it responds to a real demand from employees: 62% of French employees think that the computers and devices provided by their company are not effective enough to meet their needs, unlike their personal ones. They therefore wish to bring their own device to work.

     We can thus ask to what extent BYOD is integrating itself into the professional world. There are several aspects to the problem. First, we shall look at why the BYOD system exists and what advantages this new trend offers for competitiveness. Then we will see whether bringing one's own device to work is secure. Finally, we will ask whether organizations should provide any alternative to BYOD.
  3. I/ What about the BYOD system?

     1) Why has the BYOD been introduced to the market?

     Surprising as it may be, even though BYOD has only been discussed recently, over the past 5 or 6 years, it started to be introduced with the Lisbon treaty, or the so-called “knowledge economy”. It was ratified on the 13th December by the 27 members of the European Union in order to make the European Union, of which France is part, the most technologically advanced continent in the world. The aim of this treaty was, to some extent, to make the European Union the most powerful and effective continent in terms of technology. It obviously failed because of the bubble crisis and a huge delay with respect to the USA. Nonetheless, more and more technology has been introduced from that moment on.

     But why is BYOD being implemented today? BYOD, which stands for “Bring-Your-Own-Device”, is spreading more and more within firms. This practice enables the people who are part of the firm to use their own personal devices (computers and mobiles). What does BYOD represent for employees and employers? What are the advantages? Why do firms have no choice but to implement it?

     With the growing development of IT within firms, notably thanks to cheaper access to high-speed internet, firms equipped themselves with standardised equipment in order to tighten their security. Nevertheless, all this standardization has a certain cost, which is why BYOD was first adopted within start-ups, which did not have enough funds to afford such expenditure. Each employee brought his own computer, and this practice spread to each person hired by a start-up.

     Then, the development of mobiles, tablets, smartphones and computers has been skyrocketing for a decade. According to reports released by Ericsson, the number of mobile subscriptions amounted to 700 million in 2011 and is forecast to reach 3 billion in 2017.
     The smartphone has without any doubt become the preferred means of accessing the internet. Forrester's forecasts for 2016 also indicate that, in the USA, the number of people equipped should be 126 million for tablets and 256 million for smartphones. As Gartner puts it, “the emergence of BYOD programs has necessarily been the biggest change in the economics of client computing for firms since computers spread to the workplace”. So, as we said previously, NTIC were first introduced in households before being used in the workplace. The massive adoption of new smart equipment creates a real gap between the consumer market and the tools that employers make available to employees. Formerly, according to the study “The BYOD effect”, some smartphones, like the BlackBerry, were introduced on the market essentially for firms, and others, such as the iPhone, tablets or Android, were introduced for consumers. The latter targeted consumers as a whole. It is once
  4. the market integrated these technologies that firms were asked by employees, who had become users of them, to implement them in their everyday work.

     2) How important is the BYOD within firms?

     The employee has, for personal use, an attractive device which he chose personally and whose use and workings he masters perfectly. He will therefore logically be inclined to extend its use to both private and professional life, to avoid being forced to use both a personal and a professional device. He is prepared to take on the maintenance of his equipment and to accept an interweaving, or a certain porosity, between private and professional life. We can say that the first possible advantages of the BYOD system are a gain in employee productivity and a reduction in the costs of acquiring and maintaining devices. In return, the employer commits to covering some repairs, to allocating employees a monthly sum of money and to upgrading some software if needed.

     The BYOD phenomenon has blurred the barrier between the personal and professional spheres, and is driven by several elements:
     • New devices are easier and easier to use and more and more powerful.
     • The increasing mobility of some employees (nomadic employees): using only one device is much more convenient.
     • The fast-changing environment of firms, whose information needs are increasing.
     • The development of collaborative work and the generalisation of device services (cloud, social networks).

     But how is BYOD used by employees? A study by Avanade, conducted among 605 IT decision makers in 17 countries in North and South America, Europe and Asia-Pacific, released the following data. These firms were asked which applications they made accessible to personal devices:
     • Messaging, calendar and contacts: 85%
     • Social networks: 46%
     • Time and expense management: 44%
     • ERP: 38%
     • CRM (customer relationship management): 45%
  5. The same study indicates that:
     • 72% of responding firms think they are confronted with BYOD, deliberately or not.
     • 50% of responding firms deem BYOD inevitable, whether they are urged to or not.
     • 78% of firms' IT leaders state that employees already use personal devices for professional purposes.

     “How often do you use your mobile devices as part of your job (answering your mail included)?”
     • 72% of equipped employees acknowledge working during their private time (out of the office).
     • 33% of responding firms (33% in France and 33% in the world) report that most employees use their tablets for professional tasks.

     That is why BYOD has become a reality in the professional field, whether firms accept it or not. As shown above, BYOD is now part of our everyday life, and firms which have stepped into BYOD perform rather better than other firms.
  6. According to a worldwide study led by Dell, 70% of firms setting up a BYOD strategy noticed an improvement in their employees' productivity, notably a faster response time to customers, whilst 59% would be less competitive without a BYOD strategy. BYOD is therefore a factor of flexibility (working everywhere and all the time), but it raises a problem of working time because of the interconnection of private and professional life. On the other hand, some employees really value using their personal device. It is a factor of autonomy and commitment, since they use the device they have chosen, which improves satisfaction at work.

     II/ BYOD: what are the risks, drawbacks and consequences?

     1) What is at stake with BYOD?

     a. Its implementation is a challenge

     The main challenge brought by BYOD lies in the fact that these devices are designed not for companies but for the general public. Logically, the biggest brake on the adoption of BYOD is security. Any security officer will consider it unacceptable to open access to the internal network to unknown devices on the sole basis of user authentication, without any control by IT. The exposure could seem limited if only access to company e-mail is authorized; nevertheless the risk is far from negligible, since the user enters his company credentials (identifier and password) on a terminal whose trust level is limited and which may be compromised by a keylogger (spy program). Furthermore, access to the company messaging service is an open door to information leakage: if a tablet or smartphone is used by an employee, the sensitive information he transfers to his equipment will be at the disposal of an ill-intentioned person if the device is lost.

     b. There are several risks

     ENISA (European Network and Information Security Agency), in its document "Consumerization of IT: Top Risks and Opportunities", classifies the risks linked to BYOD and the consumerization of IT in three categories: cost-related risks, risks relating to legal and regulatory aspects, and finally risks affecting the data (confidentiality, integrity, availability or privacy).
     • Among the cost-related risks, information leakage through careless user behaviour, and its impact on the company's image, is cited first. The complexity and variety of devices and the theft of equipment can give rise to additional
  7. costs. Finally, costs must be anticipated for the company to adapt its security architecture, moving from a perimeter protection model to end-to-end security, to adapt its security policies, and to raise awareness among users and train them.
     • In the legal risks category, the lack of control over terminals held by employees complicates the traceability of actions on company assets, the management of security incidents and regulatory compliance. Because BYOD mixes private and professional life, it becomes more difficult for the company to ensure compliance with human-resources regulations, for instance hidden telecommuting or exceeding working hours. The lack of distinction between personal and professional data can make the search for electronic evidence (e-discovery) more difficult and increase the probability of disputes between companies and their employees over privacy.
     • The last category of risks concerns the data themselves, which is the focal point. The increased risk of information leakage is the most significant risk when control over the application of security policies on devices is looser; the diversity of equipment makes it harder to control; and its poor fit with company constraints, due to a lack of technological maturity, favours the uncontrolled distribution of critical data. Because their lower level of security makes them more vulnerable to malware, and because of their high exposure, these terminals can become favoured targets for obtaining access to the company's critical data.
     Other studies, such as the one produced by the Cloud Security Alliance, "Top threats to Mobile Computing", raise the same types of risks, centred on data leakage, whether through loss, theft or decommissioning of terminals, theft of data by malware, or negligence in protection or in user behaviour. One of the recommendations of Symantec (a company specialized in security software) is: “Concentrate on the information and the places where it is visualized, passed on and stored.”

     Faced with these risks, the company's maturity in terms of security is decisive: how large is the gap between a security infrastructure in which all terminals were, in the best case, controlled and all efforts were concentrated on perimeter protection, and an approach of access control centred on the data? If a data classification system is already in place, and if access control to the data is based on serious identity management and strong authentication, the road to taking BYOD into account will be clearly less difficult. On the contrary, if the company's security management and the protection of access to its data are more haphazard, opening up to the BYOD concept will be more hazardous.
  8. To summarize, the challenges posed by BYOD relate to the lack of control over terminals, owing to their diversity and to the fact that they are not company property; to the mixing of private and professional data; and to the poor fit of the perimeter protection model. This exposes the company to the risks of information leakage and of failure to meet regulatory compliance.

     2) What are the reasons and the consequences

     a. Architecture of secure access

     Security is doubtless the main subject to consider within the framework of BYOD. It calls into question the perimeter protection approach, which is now inappropriate for securing the information system. BYOD requires authorizing, on the company's internal network, new types of equipment whose level of security no longer corresponds to the criteria defined by the security policy. Transformations must be planned to welcome these tablets, smartphones and terminals of every type, while giving them access to the company's resources and services that depends on various criteria such as the security level of the terminal, the strength of the user's authentication, and so on. The security infrastructure will have to be transformed and adapted to take into account the new scenarios made possible by the arrival of BYOD and the security challenges it brings to the foreground.

     b. Structure of security policies

     Security policies already in place take mobility into account by defining a number of requirements for workstations or telephones directly managed by the company; for example, the policy can impose disk encryption on mobile workstations to limit information leakage in case of loss, or the use of a PIN code and a remote wipe capability for telephones supplied by the company.
     Authentication is classified according to four levels:
     → Low-level authentication corresponds, for example, to password authentication on which no restrictive security policy is imposed: the user can select a password with a small number of characters, or one from the list of the most common passwords (for example, in 1st place for the year 2012 [1], "password", then "123456").
     → Average authentication corresponds to password authentication to which a more "serious" security policy is applied, imposing for example at least 15 characters with complexity criteria, history management, etc.
  9. → Strong authentication can rely on the use of a software certificate.
     → Finally, multi-factor authentication relies on a solution implementing several factors, such as possession of a smart card together with its PIN code.

     It is necessary to take into account the sensitivity of the data and services being accessed and the security policies the company has established. Any security policy requires classifying the company's assets according to their level of sensitivity. The last element of the equation is the company's security policy: it decides which scenarios are authorized. Depending on the sensitivity of the information or the targeted department, it is the security policy that decides whether or not to authorize an access scenario according to the trust level of the access context.

     3) Protection of the device

     In a company context, the level of basic security offered by the device chosen by the user is an important criterion. Even though these are mobile devices aimed at the general public, the company can impose security requirements on those it authorizes to connect to its network. Among these requirements, we can cite:
     → Securing the boot sequence, which strengthens resistance against malware.
     → The robustness of the operating system and the regular application of security patches, to minimize the risk of security flaws and defects being exploited.
     → Encryption of the device, which guarantees that in case of theft the stored data can be neither accessed nor modified.
     → Strong authentication for unlocking the device.
     → Certificate-based authentication for Wi-Fi access, which ensures secured access to the company network and avoids local storage of the identifier and password that the user uses.
     → The architecture of the mobile operating system has to isolate applications from one another, so that a hostile application cannot compromise the other applications or the operating system.

     Security is one of the major challenges linked to the transformation brought about by BYOD. The security model based on protecting the perimeter has to evolve towards a model that takes the notion of context into account; companies now have to introduce into the access control equation the trust level of the equipment used to reach the information system, the identity of the user, the strength of the authentication and the place of connection.

     III/ Should organizations provide any alternative concerning BYOD?
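The access control equation described at the end of section II (trust level of the equipment, strength of the authentication, sensitivity of the asset, place of connection) can be made concrete. The following Python sketch is an added example, not part of the original document: the four authentication levels and the six device requirements come from the text, while the classification labels, the trust scale, the policy table and the sample terminals are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Auth(IntEnum):
    """The four authentication levels listed in the text."""
    LOW = 1           # password with no restrictive policy
    AVERAGE = 2       # password under a strict policy (length, complexity, history)
    STRONG = 3        # software certificate
    MULTI_FACTOR = 4  # several factors, e.g. smart card plus PIN


class Sensitivity(IntEnum):
    """Asset classification; the label names are assumptions."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Device:
    """The device requirements quoted in the text, reported per terminal."""
    secure_boot: bool
    os_patched: bool
    encrypted: bool
    strong_unlock: bool
    wifi_cert_auth: bool
    app_isolation: bool


def device_trust(d: Device) -> int:
    """Trust level on an assumed scale: 0 untrusted, 1 partial, 2 compliant."""
    # Without encryption and a strong unlock, a lost terminal exposes its data.
    if not (d.encrypted and d.strong_unlock):
        return 0
    checks = (d.secure_boot, d.os_patched, d.wifi_cert_auth, d.app_isolation)
    return 2 if all(checks) else 1


# Assumed policy: sensitivity -> (minimum auth, minimum trust, off-site allowed)
POLICY = {
    Sensitivity.PUBLIC: (Auth.LOW, 0, True),
    Sensitivity.INTERNAL: (Auth.AVERAGE, 1, True),
    Sensitivity.CONFIDENTIAL: (Auth.STRONG, 2, True),
    Sensitivity.RESTRICTED: (Auth.MULTI_FACTOR, 2, False),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple  # every unmet condition, kept for the audit trail


def decide(device: Device, auth: Auth, on_site: bool,
           asset: Sensitivity) -> Decision:
    """Authorize or refuse an access scenario according to its context."""
    min_auth, min_trust, off_site_ok = POLICY[asset]
    trust = device_trust(device)
    reasons = []
    if auth < min_auth:
        reasons.append(
            f"authentication {auth.name} below required {min_auth.name}")
    if trust < min_trust:
        reasons.append(f"device trust {trust} below required {min_trust}")
    if not on_site and not off_site_ok:
        reasons.append("asset only reachable from the company network")
    return Decision(allowed=not reasons, reasons=tuple(reasons))


# Constructed sample terminals (not real inventory data).
COMPLIANT_TABLET = Device(True, True, True, True, True, True)
UNPATCHED_PHONE = Device(True, False, True, True, False, True)
UNPROTECTED_LAPTOP = Device(False, False, False, False, False, False)

if __name__ == "__main__":
    cases = [
        (COMPLIANT_TABLET, Auth.MULTI_FACTOR, False, Sensitivity.RESTRICTED),
        (UNPATCHED_PHONE, Auth.AVERAGE, False, Sensitivity.INTERNAL),
        (UNPROTECTED_LAPTOP, Auth.LOW, False, Sensitivity.CONFIDENTIAL),
    ]
    for dev, auth, on_site, asset in cases:
        d = decide(dev, auth, on_site, asset)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(asset.name, verdict, "; ".join(d.reasons))
```

Returning every unmet condition, rather than stopping at the first, gives the incident-management and traceability record that the legal-risk discussion says is hard to obtain on unmanaged terminals.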
  10. 1) Legal aspects.

     a. The context.

     We have seen that BYOD presents real assets for a company, both for its development and for the organization within the system. But today, there are still some legal constraints preventing the entry of BYOD into the professional world. BYOD basically goes with a lack of control, and a lack of control embodies a real risk for the company, as we know. Most importantly, these risks also represent a legal breach. For instance, it becomes more difficult to control the number of hours an employee works when he is using his own computer; as a result this employee may exceed his working time, and in this context BYOD is a phenomenon that leads to breaking the law.

     We can set out the legacy model against which a BYOD system is defined: employees used to work with equipment lent by the organization, only for business purposes. Then employees were granted the right to work with their own devices (for instance, webmail was the typical tool used for both business and non-business purposes). As a consequence, they explicitly and deliberately used personal assets (such as an iPad or iPhone) to achieve business purposes. They were then able to access customer records or many other non-public files. The problem is that these files were potentially confidential or restricted to professional use only. This is one of the reasons why this situation has been taken into consideration by some institutions, in order to implement a range of laws separating private life from the professional world.

     Finally, before getting into details, it is important to understand why rules have to be implemented: it is a matter of different perceptions, of different views held by the employee and the enterprise. It is helpful to understand the employees' point of view on how devices are perceived. The difference shown in the table below explains the conflict around the question of BYOD.
     How do employee and enterprise products differ?

     Enterprise                  Employee
     Conservative                Innovative
     High cost                   Perceived low cost
     Manageable                  Manageability? Why?
     Enterprise scalability      1 user -> Global scale
     Extend support              Limited lifespan
     High quality/robust         Throw away
     Security and compliance     What’s security?

     Source: Gartner.
  11. b. Institutions' preventive measures (NCIL mainly…)

     In concrete terms, the legal problems raised by BYOD can be summed up by the following questions: who should secure the devices? Can an organization impose the installation of any software? Who is responsible for an intrusion? Who owns the professional data collected on the device? To fill this legal gap, the employer has to provide a charter that answers all these questions. This charter ensures protection and control and determines the ownership of the data. A BYOD programme has to consider investing in a system able to filter employees' outgoing access, since if they are dealing with illegal content the legal issue is the same whether they are using their own device or one belonging to the company.

     We have to keep in mind that several rules have been established by the National Commission on Informatics and Liberty (NCIL). This organization has a strong and powerful influence on BYOD, since it punishes non-compliance as well as the violation of private life through computer systems. Indeed, using a personal computer containing personal files may interfere to some extent with professional files, because these personal files will be accessible to the firm. That is why it is highly recommended to pay attention to the way you use your own device in the professional area. As a consequence, the user will have to be informed of any system able to collect personal data. The NCIL also attaches importance to geolocation. An organization has to take into account that, whatever computer system it uses, it needs to be secure so that its files are not accessible to other organizations.

     c. Act of Nikon.

     As BYOD gains more and more importance, problems of responsibility are arising. In response to these problems, in October 2001, the outcome of the Nikon case led to recognition of the right of all employees to have a private space within the resources of the company. This allowed employees to use their personal assets as part of their working method. Unfortunately, this case remained an exception, but a solution was suggested to turn this exception into a general rule. The idea was to invert this method: the Freedom and Computer Correspondent (FCC) introduced a new way of working outside the workplace to make it legal. It consists in creating, within the employee's private environment, a space where he will be able to manage his professional work. On the technical side, these files must be duplicated within the company's resources. Finally, on the legal side, making this idea legal requires first a hierarchical approval and then validation by the IT department. As for the employee, he will have to sign a usage acceptance document.

     2) The alternatives.

     a. COPE: Corporate Owned Personally Enabled

     We have seen that BYOD can represent a “threat” for some organizations, but at the same time it is a great opportunity for productivity and effectiveness. Consequently, other methods
  12. need to be created in order not to lose efficiency while avoiding BYOD. One of these new practices is called COPE (corporate owned personally enabled). What is COPE? It is an IT business strategy which consists in providing employees with computers or other devices that come from the company. COPE revolves around how far an organization is able to provide IT tools to its users. These devices are not limited: they include laptops, smartphones, tablets… As a result, COPE is, by definition, the complete opposite of BYOD. Of course, companies turning to the COPE strategy retain ownership of the devices they lend to their employees. But this method avoids the constraints of mixing personal and professional data. Furthermore, the main asset remains the complete control and monitoring exercised by the company. By reducing the risks that come with BYOD, COPE seems to be a good solution because it also lets the employee use the device for personal activities. In this way, there are no constraints regarding legal aspects, since the computer is owned and handled by the company. Therefore, however the employee uses it, the company is able to monitor every process on these devices. On top of that, the employee may buy the device, which will be much less expensive than if he had bought one by himself, since the company generally buys these devices below retail price. To conclude, the COPE system benefits from the same flexibility as BYOD and even presents advantages that cannot be found in other IS strategies. But of course, such a system necessarily comes with some constraints. The company must shoulder a significant investment, namely the cost of all the devices provided to all the employees… Contrary to BYOD, it leaves no room for discrimination in the case where an employee is not able to afford one of the latest smartphones or laptops. In that case, everybody is at the same level, with devices provided by the organization.
     NB: A very similar system exists, called CYOD (choose your own device): the employee chooses and buys a device that he will be able to use for professional purposes.

     b. KNOX

     The growth of mobility pushes people to seek out solutions that fit the BYOD trend. That is why companies like Samsung are innovating by developing new security-oriented platforms, called KNOX. Samsung offers complete security by incorporating an independent database within the smartphone. Samsung KNOX allows effective and constant management of several terminal platforms and contents through EMM (Enterprise Mobility Management) solutions based on cloud computing (which involves distributed computing over a network, where a program or an application may run on many connected devices at the same time). This allows autonomous and practical use by users. It opens up access, with a single click, to all professional applications, with additional support provided by “Active Directory”.
  13. c. To what extent should BYOD change to be totally integrated into the professional area?

     First, we have to keep in mind that BYOD is changing the way an organization is structured. This new practice brings both more freedom and more constraints at the same time. How can we improve it?
     • External factors: as we have seen above, there are still some factors preventing BYOD from spreading to all companies. Laws, mainly coming from the NCIL, are those trying to limit the power of this system. Therefore, even if it remains highly recommended to insist on security in order to avoid trouble, cyber authorities should give more freedom to this emerging concept to facilitate industry life. There are still some laws which are not really helpful for the security of documents but are seen as real constraints by companies trying to adopt BYOD. As a consequence, the external environment must accept the evolution of society by delegating the power of choice to the enterprise itself and letting it manage its own way of working, rather than imposing strict rules on it.
     • Internal factors: on the other hand, companies have a duty to make the effort to address this lack of security and to find a way to control and separate private and professional life. This can come through cloud computing: centralizing all professional files on one single platform is a way to monitor the work done by employees. Another alternative would be to impose the creation of two sessions for people bringing their laptop: one session dealing with the professional area, while the other contains the employee's private data. One session could be monitored and then handled by the management committee; besides, today's technology lets us lock sessions securely. Finally, another technical solution could be MDM (Mobile Device Management).
     It is a way to resolve some of the problems caused by BYOD, since this software makes it possible to manage a fleet of mobile devices by offering the following services: application management, strategy management, security management, reporting tools…
  14. CONCLUSION

     To conclude, we can assert that the innovative information system that is Bring Your Own Device is not a passing trend which will disappear but a real tendency that will keep increasing and growing in the future, because it relies on information and communications technologies. However, several companies hesitate to implement it because this system raises a lot of issues regarding the legal aspect or the security of their data. And for employees, the boundaries between professional and private life are blurred. Nevertheless, BYOD could integrate itself perfectly into the professional world: it represents a major change in the management of information systems and an organizational and corporate challenge that enhances competitiveness and productivity, provided it has a proper framework and structure.

     Moreover, technologies are evolving quickly, which is why we can forecast that in the future BYOD will keep developing and will integrate new devices, such as wearable devices like smart-watches or the Google Glass, which will come out soon and enter the professional world. What, then, are the new opportunities for users and employees, and the challenges for companies, that technological innovation in mobile devices can create in order to enhance productivity?
  15. Today, BYOD is becoming an inescapable fact within organizations, but if we look ahead, for several years now both the public and professionals have been using cloud computing more and more in their everyday life. To sum up, in the future firms could implement cloud computing systems like Samsung Knox. Employees would then not bring their own devices to replace the computers and devices provided by their company; they would bring their own devices to use them alongside the company's devices, creating an information system synergy gained from the use of both systems. We can thus wonder whether cloud computing could be a future solution for BYOD, since it provides the advantages of BYOD and prevents some of its issues.

     Finally, we can assert that Bring Your Own Device has become a standard in today's corporate world, because of the opportunities that this trend offers and its future prospects.
  16. Sources:

     1/ Links:
     [1] http://www.infodsi.com/articles/129050/mobiles-part-croissante-smartphones.html
     Traffic and Market report, Ericsson, June 2012: http://www.ericsson.com/res/docs/2012/traffic_and_market_report_june_2012.pdf
     http://www.cnil.fr/es/english/
     http://www.globalsecuritymag.fr/BYOD-ou-quand-l-exception-devient,20120201,28177.html
     http://www.sans.org/reading-room/whitepapers/legal/legal-issues-corporate-bring-device-programs-34060
     http://business.financialpost.com/2014/02/03/beyond-byod-welcome-to-the-era-of-cope-corporate-owned-personally-enabled-devices/?__lsa=8df1-c678
     http://www.samsung.com/fr/business/solutions-services/mobile-solutions/security/samsung-knox
     http://www.it-news.fr/byod-letude-vmware-confirme-linteret-des-salaries-francais-a-cette-pratique/
     http://france.scc.com/news/communiques-de-presse/le-byod-vers-une-evolution-du-phenomene?from=2

     2/ Book:
     BYOD For You: The Guide to Bring Your Own Device to Work [Kindle Edition], Daniel J. Lohrmann (Author).
