The BYOD struggle: From writing custom apps to defining security

As employees bring their own iPads, iPhones and Android devices to work, both the cost savings and the security implications are being questioned

Companies are grappling with the question of whether and how to let employees use their own smartphones and tablets at work even as a huge push is being made to set up internal "app stores" of approved and custom-built corporate mobile apps.

"We identified our needs, and we're planning on custom mobile apps," says Lincoln Cannon, director of sales and marketing technology at Utah-based Merit Medical Systems, a maker of medical equipment. The company has few reservations about allowing employees to use Apple iPads, including their own, to present information to business customers and allow access to cloud-based services, such as Google Docs, where product-related documents and videos are placed. While a few apps from the Apple App Store have worked out, the business has determined that to really gain the functionality it wants on the iPad to synchronize with its salesforce systems, it needs to design some apps on its own.

Merit Mobile, built for the sales force on Apple iOS 4.0, is the first in-house customized app the technology team produced. "They open the app and it checks whether new content is available," Cannon said. It's typically used to download new content overnight so that the latest brochures, videos and other material are ready for sales staff in the morning.

This is just the first of what's expected to be more apps tailored for mobile use, says Cannon. Having to get an Apple software developer's license and certificate for designing apps was "a little time-consuming" and "painful," he notes. But in the future, if the coding is done in HTML5, there won't be the need for the Apple certificate, he adds.

Merit Medical is hardly alone in its decision to build custom apps. According to the Symantec 2012 State of Mobility Survey of 6,275 technology managers in the private and public sectors in 43 countries, 71% "are now looking at implementing a corporate 'store' for mobile applications." The report notes that 11% have already set up an internal app store for line-of-business applications.

For others in the healthcare industry, figuring out a suitable mobile strategy appears to be far more difficult. At Kaiser Permanente, with its medical groups and health plans and more than 150,000 employees, IT security has held to a traditional discipline of tight controls that eschews the idea of employee-owned mobile devices.

"The security group has set definite standards," says Mark Kadrich, senior security architect at Kaiser Permanente, who says his role is to help define strategy in cooperation with a separate security group responsible for ongoing operational needs. If outsiders, such as contractors, need to connect to the Kaiser network, they have to use the Cisco Connect VPN client for Wi-Fi, for example.

But the great debate in recent months between bring your own device (BYOD) and corporate-owned mobile devices has now taken center stage.

"The clinicians were pushing to get iPhones and iPads, and the security group was pushing back," Kadrich says. Executive staff decided to tackle the BYOD question by setting up a Mobile Center of Excellence staffed by Kaiser employees to identify standards for what might be acceptable use of Apple iPads and Google Android devices, including employee-owned ones. Several hundred iPad and Android tablets are now undergoing pilot tests as software and security needs are explored.

Kadrich acknowledges having strong reservations about the idea of BYOD, based on both cost and security. Mobile-device management (MDM) software is often viewed as a way to have some control over these devices for inventory and remote-wipe purposes, but Kadrich remains skeptical. "I'm not convinced MDM is cost-effective or appropriate," he says.

In addition, since the need for building custom apps for both clinical and business use is apparent, the question is how to start this software-development process in a way that will enforce a high level of security assurance both in-house and with outside software developers. Kaiser Permanente currently is in negotiations with mobile-software vendors, asking them to define what processes they use to identify and track business flaws in software. This takes the whole process beyond the iTunes and Android store approach, in an effort to define strict coding practices for an in-house apps store. There is huge momentum around BYOD, and Kadrich acknowledges that one day it is likely to be a component in Kaiser Permanente's IT strategy.

Like Kaiser Permanente, a number of IT consultancies have expressed doubts about whether BYOD is truly cost-effective. Although it may look at first glance as though a company is saving money by having employees buy their own mobile devices, perhaps with a corporate stipend, there are management costs that may not work out to the company's advantage. Aberdeen analyst Hyoun Park, for instance, notes that telecom rate plans cost less through traditional corporate contract negotiations than through individual contracts.

As far as cost-savings go, "the jury is still out on BYOD," says Joe Nocera, principal in the IT security risk practice at PricewaterhouseCoopers. He thinks the BYOD "promise of cost-savings" is largely "unrealized" today.

BYOD raises questions about security controls and how forensics will be done on a device owned not by the company but by the employee, Nocera notes. He also is skeptical about how far MDM software goes today to meet strict security requirements. "Its functionality is very limited," he says of current MDM packages. "All they do is secure email fairly well."

The main goal has to be securing the data on the device and having a way to validate it through risk assessments, he says. In regulated industries, such as healthcare and finance, there are going to be audits of these BYOD mobile devices and the apps that are used, Nocera points out. Unfortunately, in too many cases, businesses are thinking about these questions only after they've rolled out BYOD practices.

Some user discussion groups have taken up the topic of BYOD so that IT and security managers can share ideas. Austin-based Wisegate IT community, for example, a group in which Kadrich participates, recently published a report titled, "IT Peers Share Advice on Effective 'Bring Your Own Device' Strategies." The upshot: There appears to be little consensus so far.

Some 27% in the survey on BYOD said they'll only allow "fully managed and secured devices to utilize corporate services," while 24% said, "We are moving from a 'device centric' strategy to a 'user centric' strategy and don't think that devices can be fully secured. We focus on securing the sensitive transactions." Another 20% claimed to have a "hybrid approach" in which more secured devices get more access and less secured/managed get less access.

Tellingly, 6% revealed how painful dealing with BYOD is by answering, "This issue just gives me a headache, and I'd really like it to go away."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
