In 2007, Ford Motor Co. began exploring bring your own device (BYOD) programs for more than 70,000 salaried employees. By 2009, corporate- and individual-liable device programs
had been introduced to employees in 20 countries. In this second part of a two-part interview, Randy Nunez, senior network engineer at Ford's Mobile Computing IT Enterprise Technology Research division, discusses the security practices behind the BYOD programs; how the consumerization of IT, including mobility, is changing the way IT supports and delivers services to the business; and how users can help keep enterprise wireless network costs down. In the first part of this interview, Nunez talks about how and why the automaker deployed a BYOD program, the risks involved, and why a participation agreement is so important.
SearchCIO.com: What are your security
requirements for BYOD?
Nunez: One of our requirements is encryption of data in transit and at rest. Encryption of data in transit is pretty ubiquitous, but at the time we introduced our program, encryption of data at rest was really varied among different smartphone operating systems. We had to find smartphone OSes that had that capability built in, or some kind of tooling that enabled that capability. You need to understand what your passcode policies are, and what passcode policies can be applied to those smartphone OSes. Do they have remote wipe capabilities, for example?
How did you handle the issue of data ownership in terms of what the IT department could and
could not wipe from these devices?
Nunez: Initially we had a full device wipe approach, because that was really the only thing that was available to us and we considered the data to be of such a significant critical nature that we would require that. However, it is possible based on technology solutions or the mobile OS platform to leverage a more selective wipe approach.
For example, what's become somewhat popular is a sandbox approach, where you have an application that's running inside a sandbox and can be encrypted, but it also allows you to only wipe out that particular application. So, you can wipe out the corporate data and leave the personal data as it was. I think what's going to happen is, as more technology supports selective wipe, users are going to expect that capability. So, you will see more options and more platforms with that ability.
Did virtualization play a role in your BYOD program or with mobile
Nunez: Not at this point. One of the challenges with virtualization -- and at the same time a benefit of virtualization -- is [that] there is no persistent data on the device. However, with mobile devices you don't always have ubiquitous wireless coverage. When you're out of coverage, you lose connectivity and you don't have, for example, access to calendar entries, unless you're connected to the back-end system. So, we haven't used virtualization at this time.
I think [adoption] of virtualization for mobile devices is really around the use case. If you have a use case where you're in an area that has very reliable connectivity and sensitive data that you don't want to be persistent on a device, it can certainly be a good solution. The other aspect would be, if the user experience would be acceptable to the end user. So, it's definitely something we would consider.
On the mobile application side, what do you think about contextual
Nunez: I think context-aware computing is going to change the way we fundamentally work and live our lives. Adding the mobile component to it, now you will be able to, for example, shop in a store and receive a coupon while in that store for an item they understand you are more likely to purchase.
In a corporate environment, for example, if you're working on a piece of equipment, you will be able to bring up the schematic for that exact piece of equipment without having to try to search and find that information. It's very complex, and like a lot of these complex technologies, it may take some time to work through it. But incrementally with things like location-based services, we will be able to build on that information and help move us toward a more contextually aware environment.
What is the most beneficial and challenging aspect of moving to a BYOD program?
Nunez: The most beneficial part of the program is that you give a broader community of users access to information at their fingertips, while at the same time trying to reduce the cost issues, which include devices, data plans and the support for that broader scope of people.
I think what's going to happen is, as more technology supports selective wipe, users are going to expect that capability.
Some of the more challenging aspects are deciding what level of support you're willing to offer and what level of support your customer needs. That has a lot to do with the culture of the company, because there are people who know how to use technology and devices, and they just need you to connect them up. There are other people who don't understand the technology, but want to get involved in it.
So, one important aspect of a BYOD program is, if you start with the people that are subject matter experts or who are familiar with technology and incrementally add people, you will grow that knowledge population.
With telcos shifting to a usage based billing model, how can you counter those costs on an
Nunez: You can train individuals to use lower-cost Wi-Fi hotspots for data communications when they're available. I think this is one case where the individual is going to end up helping the company. When I'm at home, I switch to Wi-Fi because I have better bandwidth and I have lower usage charges. If individuals have that behavior in their personal lives, they will bring that behavior into the corporate world as well. The consumerization-of-IT trend will benefit corporations.
Are IT departments changing the way they support end users and deliver services because the
of IT -- mobile, cloud and social media -- crosses so many IT silos?
Nunez: Consumerization, democratization and externalization of IT all require IT to think a little differently about how they offer services. The tools are becoming available outside of organizations faster than IT can bring them in. So, we need to work really closely with the business to understand what their requirements are for using these solutions.
At the same time, we need to educate the users on the risk around security and support. I think IT needs to also think about moving away from this command-and-control paradigm to one of accommodation. We don't have the resources to scrutinize every single aspect of our business, so we need to focus on what we feel are those more important and critical things and secure that information, as opposed to trying to secure everything.
Let us know what you think about the story; email Christina Torode, News Director.