Android’s secret surge in business

Android devices are already the most-used mobile devices in the enterprise, accounting for 40 percent of the market, claims cloud security firm ZScaler, based on surveying the traffic through its cloud service. When I saw that data, I simply didn’t believe it. Apple’s iOS-based iPhone is the top mobile device in businesses these days, having surpassed the former leader, Research in Motion’s BlackBerry, this year. At least that’s what every other survey I’ve seen shows.

But after talking with the folks at ZScaler — whose periodic security surveys are respected — I now suspect the Android invasion I recently said was coming in 2012 may have already happened or at least be well under way.

[ Learn about consumerization of IT in person March 4-6, 2012, at IDG’s CITE conference in San Francisco. | Get expert advice about planning and implementing your BYOD strategy with InfoWorld’s 29-page “Mobile and BYOD Deep Dive” PDF special report. | Keep up on key mobile developments and insights with the Mobilize newsletter. ]

The ZScaler data shows that Android usage surged from 17 percent in the second quarter of 2011 to 40 percent in the third quarter, whereas iOS usage plummeted from 42 percent to 22 percent. BlackBerry usage dropped from 40 percent to 37 percent in the same period. In this survey, “usage” means Web, email, and other Internet transactions that traverse from company networks through ZScaler’s cloud-based security filters, which handle 4 billion transactions each day, mainly for U.S. and European businesses. These numbers may not match sales of smartphones, which is the metric used by most surveys, and it doesn’t count traffic handled via 3G networks — just corporate Wi-Fi.

The issue is not whether Android or iOS is on top, but the fact that usage of Android devices on corporate networks has become so large. Most CIOs I speak with say they support and manage iOS and BlackBerry devices — and Windows Mobile if they’re in government — but see little Android usage thus far. That fact comforts them, given the many security holes in the various versions of Android.

Unfortunately for such CIOs, ZScaler’s survey indicates that the Android usage is there, unbeknownst to IT. “The mobile traffic that Zscaler sees is coming from all places, so unmanaged devices are included from employees bringing their own devices to work, connecting them, and using company resources. Android users are accessing email and the Internet from their devices. That’s the reality,” says Jay Chaudhry, ZScaler’s CEO. 

What lends credence to this conclusion is something that Larry Dunn, vice president of global IT outsourcing at Unisys, told me recently: Although mobile device management (MDM) tools are fairly mature, most companies don’t yet use them. Despite all the hand-wringing about the alleged security risks of allowing non-BlackBerry devices into the enterprise, most businesses haven’t even taken the obvious step to protect themselves.

Low MDM adoption is a sad comment when you realize that Microsoft Exchange’s built-in Exchange ActiveSync protocol offers good first-line-of-defense protection right out of the box to any device that tries to access corporate email. Exchange is used by about two-thirds of all businesses. The current version of IBM’s Lotus Notes also supports it, as does corporate Gmail and, through an add-on, Novell GroupWise.

All IT has to do is turn it on to block devices that don’t support the basics such as having passwords, encrypting on-device data, and the like. That will cover at least heavy users. Of course, as Herrema points out, users can still access the Outlook Web Access (OWA) website login page to get around the EAS policies unless IT sets up Exchange for explicit mobile Web browser detection in OWA.

Also, EAS policies won’t help protect against users who don’t access corporate email but do sign onto local wireless LANs. But there too it’s not difficult to implement basic protection such as PEAP that corporate networking gear typically supports; such protocols help filter out the least secure devices with little effort.

John Herrema isn’t surprised to hear about the high rate of hidden Android usage. He’s senior vice president for corporate strategy at MDM provider Good Technology, and notes that many IT organizations lack a comprehensive approach to device management. Even if they use MDM tools, they’re not thinking about other network routes such as wireless LAN or OWA access. Users find real value in mobile devices, so they use them. “If you don’t define your BYOD policy,” he says, “your users will do it for you.”

My head is still reeling from the contradictions: There’s so much fear and doubt about mobile devices putting businesses at risk, yet most businesses don’t bother with the inexpensive basics. ZScaler’s Chaudhry says most companies are still figuring out their policies, but it seems unconscionable to me not to cover the simple basics during that longer-term planning period, especially given the ease of deployment. I don’t believe in overmanagement of mobile devices, but a blind free-for-all is also wrong. Perhaps it’s not the BYOD users who are the problem that businesses need to worry about, but slow-moving security and IT managers.

The reality is that modern mobile devices — meaning iOS and Android — already are normal equipment in business today. Whether you know it or not.

This article, “Android’s secret surge in business,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.