Mobility Management and Security. A Customer Panel.


Learn from a panel of industry peers the solutions and the best practices that have turned consumer mobile technology into a competitive advantage for their companies.

This post is based on the recording of the panel that I moderated at the IDC mobileNext Forum in December 2011 in San Francisco.

Eric Erickson
VP Information Systems
Liberty First Credit Union

Bill Troyak
Team Leader End User Devices
Navistar

Jeff Jackson
Partner
Acumen Technologies

I’d like to start by asking the panelists to briefly introduce themselves and the size and scope of their BYOD programs.

Eric: My name is Eric Erickson. I have been at Liberty First Credit Union for seven years as the VP of Information Systems and in the technology field for almost 25 years, 17 of those years with financial institutions. Our mission is to provide security for our members and provide our staff with the tools that they need to be able to work with the members to be able to get their accounts opened in a timely fashion or to get the documents that they need. We are looking to the mobile device to be able to move beyond our physical location so that we can go out to the community and work with the members where it’s convenient for them.

Jeff: My name is Jeff Jackson. I’m a partner and CEO of Acme Technologies, based in Vancouver. We’re a managed service provider, and we specifically target security compliance assessment for small and medium business. We have worked with a number of customers who are really starting to exploit the mobile space and we have kicked off a number of projects around enabling them to use this more strategically. And I think some of my examples will be specifically around an insurance company that we work with in Vancouver and also trans-Canada wide, who definitely needed to make mobile part of their infrastructure as they have a very mobile workforce and some of their sales people actually don’t ever come into an office.

Bill: I am Bill Troyak. I am the end-user device team leader for Navistar, a Fortune 200 company, 15,000 employees. We have about 6,000 mobile devices. Our approach to mobility is putting the technology that the end users prefer and feel comfortable using and making that applicable to our business needs.

Thank you very much. So let’s start with a first question and let’s start again from Eric. In my opening comment I mentioned a three-step approach to turn consumerization into a strategic advantage. The first step is to have a conversation across the organization and involve everyone from HR, to legal, to line of business owners, as IT really wants to be a partner of them instead of being just a cost center providing infrastructure. What has been your experience with that when you started your BYOD program?

Eric: We found that with the movement to smartphones, that was the first introduction, that everybody had a smartphone. And they were looking to access their emails. We found a lot of our personnel, mainly the loan officer or member service groups, they work directly with the members, but also the executives, where they wanted to take information with them. So we kind of started our process with the mobile device for smartphones. And we tried to be flexible in IT as to whether or not we were going to be an Android, iPhone, whatever, we tried to work on that ourselves. So our process initially was just to define, what is it that the needs are, is it going to be a tablet, is it going to be a smartphone. And let’s see if we can figure out how we can get that information that they’re needing to the endpoint. We also had a legal firm that we work with to define specific policies so that we can distribute those out to our employees. We worked with a small team to define what the policies were going to be and then worked with our legal department to just document it, essentially.

Jeff: So what we did was slightly different. In fact this was driven from an executive level. So we had kicked off a plan, and we have done this with a couple of customers now, which is really around security-hardened compliance. And what that meant was that you looked at your infrastructure and secured and hardened each of the applications, knowing what is important to you. And that’s where the compliance piece comes in. I think that the Deputy General Counsel was involved at that point. But it was about providing a foundation first, and understanding what was important within the infrastructure, and then whatever device the end user would like to have that data on, we were able to essentially give that out as a window to the data that they were allowed to see. So our plan was slightly different. Instead of being just driven by consumers, it was very well sponsored from an executive perspective. And so the executives and the management could be assured that the data that was actually going out to the end user was exactly what they had expected.

Bill: In our instance mobility was driven by the executives themselves, not unlike Jeff’s example. We, as IT, we had to kind of be reactive. We typically had been a pretty closed environment, we issued you a Blackberry, you had your laptop and this was what we decided as a standard. Well then as more products came out and the user became more comfortable with using Apple devices or Androids and they came to us, the C-level executives, or upper management, came to us and said “Hey, I know someone at such-and-so company that is using this in their work. Can we do the same thing here?” So we had to be reactive. So we took a look into what we needed to do for an infrastructure purpose, built our own process. And as we implemented it we had to refine that process after dealing with legal and HR and certainly where our boundaries were in regards to controlling the device. Who owns the device? Who owns the data that is on that device? So there have been struggles that we had to go through. And we continuously had to evolve our process and our approach to our mobility. Now we have about 1,200; 1,200 end-user devices are actually connected to our network. Typically in North America, we do have 100% coverage in North America right now.

Very well. I would move now to the second step, which is about having a set of flexible standards: don’t say no, but don’t say yes to everything for everyone either. So how did you move from one single standard for mobile to multiple flexible standards?

Eric: The flexible standards for us kind of depended on the device, when you did ask the users what they wanted to use. We were going to support in our IT team the Android devices specifically. And then we didn’t start off with the Apples, but we did get to that. So our flexibility has just been kind of … start with this, let’s go to the next. And then we are onto the tablets.

Jeff: So I think one of the things that we found important was within the organizations in which we were working, each of the user groups had specific profiles. And part of the secure hardened compliant project we did, is that we didn’t only define what data was important, we defined the people and the interaction of that data. A lot of the time what we’ve also found was the CEO, C-suite management, and I’m going to say this, it’s going to sound rather flippant, but they don’t care. They don’t care about 75 percent of the data that is actually in their organization or coming out of their organization. There is that percentage where they want to know and make sure that data leakage is not coming out of the environment. And where it’s coming outside of the safe network, or on a mobile device, they want to be very clear about where, when and how that’s being done. So that’s kind of what we did as a third part of the project. And we profiled from a data and user interaction perspective.

Bill: Our flexibility has been driven by our ability to support a number of choices. Now we’re a multiple standard shop; before we were a pretty standard Blackberry shop, we had pretty good proficiency in Blackberry. And then having to move on to the other platforms, iOS and Android, we had to make sure that our staff had the ability to support it. One of the models we chose for going forward was to have three levels of service we supported, a gold, silver and bronze, so to speak. Gold we had end-to-end support. We had to make sure we could support their data transfer and their devices themselves from end-to-end, dealing with the vendors, dealing with the carriers. Silver was kind of what we considered a best effort to support. We would use our best effort to support and maintain the environment for those products. Bronze was more of sub-support. We would provide the information necessary to obtain and to connect to our network and obtain the data that you were looking for. But we didn’t really have the ability to go in depth. Now these three classifications, we didn’t make them hard as far as the memberships in each category. Each one could move up as we got more comfortable. Originally Android went from a bronze to a silver and iOS went from a silver to a gold depending on how proficient and how comfortable we felt in supporting each of the platforms.

This is all very interesting. So is it a right, from an end-user perspective, to belong to one of these groups? Is it a privilege, or is it a right, to belong to one of these three different levels?

Bill: It helps them choose which device they want. If they feel comfortable self-supporting, maybe, OK, we could get a bronze device. If they are someone who felt they want to remain sure that IT was there to cover them, and be the safety net, they would choose one of the gold level devices that we had determined. It helped us to enable our customers to make an educated decision on what device they use and want to bring into our environment. We have three standards: gold, silver and bronze… and we have different SLAs, service level agreements, internally so that users know what’s left to their responsibility and what’s ours. It’s published what they can expect as far as the support level, depending on each classification. Right now, today, gold is only Blackberry. We’re still building our knowledge base and our expertise in the other platforms. Apple is silver and right now, Android is bronze. Typically because of the fracture of the operating system we don’t feel comfortable with making them a silver just yet until we can be proficient across the entire spectrum.

Coming next: Part Two of the customer panel.

About Cesare Garlati
Chief Security Strategist, prpl Foundation; Cloud Security Alliance Fellow
