Employees work anywhere, any time, on almost any device, so IT needs a new model for managing and securing information

Now that the BYOD phenomenon is old news and reality has begun to settle in, IT and business units can make the important strategic decisions around information management in an era where employees are working on a variety of personal and business-issued devices (smartphones, tablets, and/or PCs) in a variety of locations (at the office, at home, on the road, and/or at client sites).

Even if you don’t support BYOD, the fact of heterogeneous computing means you need an information management strategy that is BYOD-like. Whoever buys the devices, you’re still dealing with knowledge employees who work anywhere, any time, and increasingly on any device.

These decisions are not new ones, but they’ve typically been deferred as companies worked through accepting that most knowledge workers no longer do their jobs only at a fixed location on a single device.

Also, many companies that made decisions about information management in a heterogeneous environment did so in a piecemeal, stovepiped way that creates huge management complexities and inconsistent deployments. For example, it’s typical for companies to disable attachment access on mobile devices but not home PCs, to require encryption on mobile devices but not on PCs, or to limit VPN usage to just PCs or provide remote storage options that work only on Windows PCs. No wonder many employees roll their own cloud storage, forward email to personal accounts, and engage in other compliance-avoiding workarounds — IT has given them no choice.

What should you do?
It depends on what you’re trying to protect, but there is a single guiding principle you should follow when making those decisions: Use common policies for information access and common tools where possible for managing them. Password policies, access policies, encryption policies, editing permissions, and the like should be consistent across all devices: PCs, tablets, and smartphones. Your baseline decision should address those policies.

Three aspects to the deployment of the policies need to be worked out:

- What capabilities must devices support to be allowed access to corporate data, applications, and networks
- What information should be visible and accessible to each group of employees (based on role and perhaps individual trust level) — it’s easier to protect data at the source than to worry about what happens to it after it has been made available, yet most companies focus on managing data once it is out the door
- What environments are considered too risky to provide access even for devices and people who meet the first two aspects of trust for a given type of access

Intel is one company that has worked through these three aspects to information accessibility and can provide a good conceptual model.

Tech tools at your disposal

On the technology side, Microsoft’s Exchange and System Center 2012, as well as various third-party tools that use the Exchange ActiveSync (EAS) protocol, can enforce common password policies across all these devices, and encryption policies on mobile devices. System Center can also enforce encryption policies on Windows PCs and, through third-party extensions, on Macs; Symantec offers multiplatform tools similar to System Center. Likewise, mobile device management tools from MobileIron and AirWatch, as well as Apple’s own OS X Server, can enforce encryption policies on Macs and mobile devices, in addition to password policies, attachment policies, and the like.
You may not get down to one management tool, but you should be able to hit two or three.

Once you’ve determined your information access policies and figured out the baseline management tools, it’s time to decide how to provision that information. Email attachments are by far the most widely used data dissemination medium in companies today; they are convenient and multiplatform, but can lead to inconsistent documents and possible illicit forwarding. For sensitive data or data that must have a complete audit trail, you may need a different mechanism.

Many companies have used Microsoft SharePoint as the standard technology for managed project spaces, but the platform has poor support for non-Windows devices and is not a viable option for many companies today. Cloud storage services are a logical replacement, but few of the ones advertised as enterprise-class (meaning they typically provide just read-only access to data from mobile devices) work well on mobile devices, due to lack of support by common business apps.

Enter the cloud

If you want or need employees to do actual work on documents, not just monitor their status, you require a different type of technology. Of course, you should want them to work on actual documents — a read-only approach basically means “don’t even try to work when away from the office.” The most viable cloud storage services are the enterprise versions of Box and Dropbox, which are widely supported by mobile apps and on the desktop by Windows, OS X, and Chrome OS, and which provide access management capabilities via policy management similar to what you would have in place in an Active Directory environment anyhow.

Finally, you must decide if you need access management and auditing capabilities baked into your internally developed apps, whether Web or mobile.
Several vendors offer SDKs that let you bake access permissions and auditing tools into homegrown apps, then manage those apps through a policy management tool — some stand-alone, some part of a mobile device management (MDM) tool.

The decision to use such tools has long-term consequences, as it ties those apps to a specific management tool for several years at least and will require a rewrite of the apps if you change tools or if Apple or Microsoft develops a standard API for such access and auditing management along the lines of Microsoft’s Exchange ActiveSync protocol for device management. This approach also requires parallel development of desktop and mobile versions of the apps, and it may entail parallel development even across mobile environments.

The Web app alternative

An alternative approach is to opt for Web apps that keep the data and its auditing and management all on the back end, using the mobile device or PC — this approach works for PCs, not just mobile devices — essentially as a portal. An effectively designed Web app can also be used across devices, reducing the development and maintenance effort compared to developing multiple dedicated apps for various platforms.

But the Web app approach requires a reliable Internet connection and adaptive design for different types of devices. Persistent cellular connectivity is often unreliable, and it can be expensive. Also, adaptive design is not easy to accomplish well. Failures in either can interfere with the user experience and the app’s usage.

As you can see, the key strategic decision is to treat information through policies regardless of devices — that’s about access and trust. With the strategic decisions made, IT can move on to the tactical technology decisions. Working this way is perhaps the most important decision of all.

This article, “BYOD beyond the device: Information management is essential,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog.