BYOD: Not so inevitable after all
Just because employees want e-mail and Web access on their own devices doesn't mean agencies have to provide it. And there are some good reasons for them to think carefully before agreeing. (FCW image)
So far, the debate over bring-your-own-device policies has focused on device management, security and trustworthy apps for accessing and sharing agency data. But there’s an even more fundamental question: Once you have a BYOD environment, what is it good for?
That determination should be the main driver for any agency seeking to institute a BYOD policy. Despite all the talk about how inevitable BYOD is, if allowing employees to use their own smart phones and tablet PCs at work doesn’t benefit the agency, why go through the pain of developing and securing such an environment?
Daniel McCrae, director of the Service Delivery Division at the National Oceanic and Atmospheric Administration’s Office of the CIO, is taking that position. He said he doesn’t believe BYOD is unavoidable, “though certainly doing a BYOD business case would be an essential item for all agencies. Whether or not that points to an actual BYOD implementation would be a function of all the risk, mission and cost factors involved. So I don’t think it’s at all a foregone conclusion for all agencies.”
NOAA has a highly mobile and dispersed workforce, with employees sitting at desks in agency offices, logging on from ships out on the ocean or hiking across glaciers to monitor the weather. McCrae acknowledged that BYOD offers the potential for reduced hardware costs and increased productivity because employees are already comfortable using the devices they bring from home.
“Our biggest challenge would be to replicate the virtual work space that would be needed in a BYOD environment,” he said. “Getting beyond the typical voice and e-mail applications you use mobile for is where you will start to achieve some of the biggest gains in productivity.”
Supporting efficiency and collaboration
The Agriculture Department is one agency that has done its homework when it comes to how BYOD could cut costs and transform business processes. As a result, it is a leader in using mobile technology to become more efficient.
Former Associate CIO Owen Unangst was one of the leaders of a movement at USDA to see how BYOD and mobile computing could be used to transform agency operations. “We looked at one business model where field inspectors had to go to a site eight times in order to complete a job,” said Unangst, who is now director of enterprise mobile computing at Unisys Federal Systems. “But we found that if they had the right mobile device in the right form factor, they were able to reduce that down to just three trips.”
The problem for agencies is that the mobile devices that are most applicable to their needs vary tremendously and change quickly, so it is hard for them to provide their employees with the latest devices, he added. In other words, agencies must decide whether being behind the curve on efficiency gains is a fair trade-off for giving employees a small set of devices that can be easily managed.
“That’s the dilemma they’re facing right now,” Unangst said, “because employees, and particularly the mobile elite, are saying they don’t want a device that makes them do things in a less efficient way.”
For many agencies, the issues go beyond providing access for their employees. They must also accommodate contractors and others partners who need access to government data and services and who increasingly rely on mobile devices for those activities.
McCrae said NOAA needs to enable its employees to collaborate within the agency and has to do the same for its many outside partners, such as university research labs, “and BYOD could certainly help with that.” However, he added that officials would have to make sure that the BYOD environment supported the applications and virtual work space some of the employees and partners would need to access.
Protecting agency data
Fortunately, mobile technology is maturing at a fast rate and so are the options for using the devices, said Donald Kachman, director of mobile and security assurance at the Department of Veterans Affairs.
“For example, there are far more ‘secure container’ products than there were six months ago,” he said. “This allows VA to explore more options, primarily focused around the integration of those technologies into an existing infrastructure.”
BYOD probably produces more challenges for developers if they try to deliver a VA application to a device rather than a virtual environment, he said. In the former case, they would need to ensure that the device’s owner had not tampered with the operating system (known as rooting or jailbreaking) and that the data the application would process was encrypted in transit and at rest.
“So far, the VA has reduced the number of devices for its staff who occasionally travel by allowing them to securely connect to some VA applications using their own devices through our virtual access gateway,” Kachman said. “Long term, as the technology matures more, there should be options to further reduce government devices and increase the number of remote staff who have secure access to VA applications and software resources.”
All of this begs another question: Is BYOD good for everyone in the enterprise or just for certain groups of employees? When the cost, mission and risk factors are weighed, is BYOD sustainable across the enterprise or only for targeted groups?
Kyle Keller, cloud business director at EMC Federal, said he believes the answer is a little of both. An agency might want a BYOD policy to include everyone, but there are barriers even if security is strong, he said.
A major hurdle is protecting data under all circumstances. Agencies need strategies and mechanisms for keeping control of the data on its networks while still giving users ubiquitous access. And if an agency allows employees to download data to their own devices, it must have a way to delete that data remotely if an employee’s device is lost or stolen.
“That’s the hard part,” Keller said. “It’s the classifications and application rationalization that are needed and that the [Defense Department] and even some civilian customers are looking to embark on. Because of that I think there will be specific use cases for BYOD that come to light first, and those will enable agencies to better understand the technology and see some measure of real value for BYOD overall.”
The benefits of virtualization
In the end, how and to whom agencies allow BYOD access might depend more on the available technologies than the demand. Security is one of the biggest concerns right now, and it’s still unclear when — or if — all those issues can be resolved.
Ideally, Kachman said, any application that runs on a government-owned mobile device should be able to run on an employee-owned device. But the technology does not yet provide the same type of assurance with regard to data ownership and use.
“Truly segmenting data with no possibility of data leakage is hard to get today without looking at a virtual environment,” he said. “With an enclave that provides a bubble that can be destroyed — and there is a high level of confidence it is destroyed — then you could deliver any app to both BYOD and government-furnished equipment.”
Virtualization could be the easiest and most important route that agencies take to implement BYOD if they decide BYOD is worth the effort from a business standpoint. Virtualization is already prevalent for servers and is on its way to becoming widespread for desktop PCs.
Because agencies are already implementing it for other purposes, virtualization becomes a relatively easy plug-and-play activity, said Jeremy Sherwood, product manager of virtualization and cloud at ScienceLogic. So “instead of fighting the BYOD battle, they can embrace it.”
“The concerns over the security of virtualization itself, which were still there a year ago, are much less now, and so that plays into the security concerns of BYOD,” he added. “If the server and desktop and now the BYOD interaction between them is also virtualized, it builds this nice, pretty umbrella of security around all of these assets.”
McCrae said virtualization is crucial to the way NOAA will carry out its mission in the future, and a BYOD policy would have to fit with that.
“It’s where you can really begin to leverage some advantages, whether it’s with traditional desktop computing or mobile platforms,” he said. “Being able to virtualize your work space...is when you can really start to see the major improvement in productivity.
” So how does BYOD fit into what agencies see as their IT future? In this case, the chicken probably does come before the egg.
“I think it’s mobile that’s transformative,” Kachman said. “BYOD is a component of that transformation [that also] brings a reduction in costs to the government.”
BYOD and the generation gap
Many bring-your-own-device proponents argue that the government must allow personal devices in the workplace if they want to attract millennials and the younger generation of so-called digital natives. Those workers are reputedly so attached to their mobile devices that they’d give up just about anything before they’d go without their wireless connection.
GovLoop recently surveyed its members about BYOD issues with the help of Cisco Systems. One question specifically asked about the influence of BYOD on employee recruitment and retention. The responses were split fairly evenly between those who thought BYOD was important and those who didn’t.
On the positive side, respondents were attracted by the increased flexibility afforded by BYOD and said it showed potential employees that a government office was “forward thinking, savvy, and efficient.” But a significant number of respondents thought it was too small an issue to be a factor in whether someone chose to work for a particular agency.
However, Pat Fiorenza, a research analyst at GovLoop and author of the survey report, said he believes the generational divide in the way people view technology is often over-generalized.
“I think people entering the workforce now might be more accustomed to using collaboration software that things such as BYOD can help facilitate,” he said. “But I also think all the generations have things they do with this new technology.”