by Paul M. Dooley


Optimal Connections, LLC

www.optimalconnections.com

Feb 17, 2013

Where we are today with the trend toward BYOD

Bring: means the employee is bringing the device (you are not the supplier)
Your: it’s personal; the employee is looking to use their own devices in the workplace
Own: the employee owns it, not the organization
Device: normally smart phones, but can also include laptops, tablets, and other mobile devices

It’s a Win-Win!

It’s an attractive program to employees, since it may relieve them from carrying around two devices: a company phone and a personal phone.
From an organizational perspective, it enables the enterprise to take advantage of the latest technology improvements, without large-scale hardware/software updates.
It also helps reduce costs by moving the cost burden of these devices to the employee, while positively affecting employee satisfaction and productivity.

The Trend is Continuing!


According to Gartner, 90 percent of enterprises (with 500 or more employees) have already deployed mobile devices. And many of those enterprises are allowing personal mobile devices to connect to the enterprise network.
A new global survey of IT decision makers reports that 70 percent of companies believe BYOD will improve, or already has improved, their work processes.
59 percent believe they would find themselves at a competitive disadvantage without BYOD.

Key Challenges: Information Security

Security threats are the most obvious challenge.
Left unmanaged, a BYOD program can result in a serious security breach.
For example, most employee owned mobile devices are not equipped with PC-level security software. Many times they are not stored in a secure location, and may be used to navigate questionable web destinations.
Case of the lost phone: confidential data stored on the phone could potentially be retrieved by untrusted parties.

Key Challenges: Tracking and Controlling Access

One of the biggest challenges: the effective tracking and control of access to corporate and private networks.
Unlike ‘guest access’, which minimally requires an open, non-secure network connection, BYOD requires a secure wireless protocol for user connectivity (due to accessibility of secure company information).
Studies show that a ‘User-centric’ approach (link device use to identity management) is far more successful than a ‘Device-centric’ approach.

Key Challenges: On-going Service and Support

Trouble-shooting and support represents a big challenge in an environment where users are bringing a multitude of different technologies.
For example, if an employee is using an Android tablet, and all the rest of the employees and IT are using iPads, who does the user go to for support when they run into a glitch running an enterprise application?
Compatibility of employee owned hardware with the organization’s software and applications should not be overlooked when designing and developing a BYOD program.

What’s the Approach?

Fortunately we have an ITSM framework for planning, designing, and deploying a successful BYOD initiative!
Service Strategy: develops the strategy for BYOD
Service Design: designs ALL aspects of the program for successful integration into the live environment
Service Transition: tests and validates prior to rollout
Service Operation: provides on-going production support
CSI: monitors the BYOD program for continual improvement opportunities

Service Strategy: Participating Processes

Strategy for IT Services: sets the overall goals and alignment
Service Portfolio Management: builds and approves business case
Financial Management: recommends a financial model
Demand Management: identifies user profiles, projected demand
Business Relationship Management: will engage the business for input and feedback

Set the Vision, Goals and Objectives for BYOD

Set up a Core Team to Drive Strategy, Design, Transition and Rollout
Appoint a small, dedicated cross-functional team to take charge in evaluating the current state, as well as developing a vision and goals for the program that will align with organizational goals.
Include members from IT, information security, compliance and the business units who can work together to formulate a viable BYOD strategy that aligns with business goals.

Do a Baseline Assessment: Where are We Now?

Understand where you are now with BYOD
Through user-friendly workshops, gather intelligence from various business units, C-level execs, sales, HR, and other departments, and determine …
Which personal devices, applications and cloud services are in use today?
How are they used?
How tech-savvy are the users?
How do employees use these tools to enhance their productivity?
This will gather valuable intelligence, and get buy-in from key stakeholders

SPM: Build the Business Case

Use Service Portfolio Management to analyze the business case in terms of potential costs, benefits and ROI to the organization.
Who is the target audience for BYOD: all customers and users? Only certain customer populations?
What are the goals and objectives?
What are the financial, as well as non-financial impacts?
What are the risks involved?
What’s the overall timeline and plan?
Financial Management: develops a cost model and charging strategy
BRM: engages the business units for their input

Service Design: Designing Your BYOD Program for Success

Service Design is where your team starts turning your strategy into a program. This takes careful planning in terms of laying out the detailed policies, specifying the supporting processes, and the supporting resources (financial, people, tools) to be required.
Policies: establish the guidelines for the BYOD program, setting expectations by outlining rules and requirements, and identifying how these rules will be enforced
Processes: will need to be established to meet expectations and ensure the goals and objectives for the program are met.
Resources: are the enabling factors that support the processes: money, people, tools and technology.

Service Design: Design all Aspects of the BYOD Program

Your core team will continue from Strategy to the Design Stage, where they will take up the work of designing the BYOD program.
This is where additional research needs to be done, and crucial decisions need to be made concerning:
what types of devices would be allowed,
what roles and responsibilities need to be defined,
how does an employee enter and exit the program, and so forth.
Service Catalog Management will take on the supporting responsibility of updating the service catalog to include the customer facing “BYOD Service”, and how this is supported
The service catalog becomes the single point of reference to accurately set expectations for the customer as well as the IT service provider.

Participating SD Processes

Design Coordination: a core team drives design through transition and rollout
Service Catalog Management: updates the service catalog
Service Level Management: will establish the service levels
Availability Management: must plan adequate availability
Capacity Management: must ensure sufficient capacity
Information Security Management: evaluates risks, establishes security policies

Key Elements to Consider in Your BYOD Program Design

The Design Team will pay particular attention to People, Process, and Technology during the Design Stage, to ensure a complete BYOD solution will be available:
Types of Users and Departments Allowed in the Program?
A strong policy will make it clear which departments and roles may be empowered with BYOD, in accordance with your goals.
Questions to be answered include:
For each department, and type of user, which devices are permitted?
What level of access is permitted?

BYOD Service Design



Specify the Types of Allowed Devices
Which sorts of laptops/notebooks, tablets and mobile phones
Make it clear which devices you will support (in addition to whatever corporate issued devices you continue to deploy), and those you won’t

Decide on the Financial Model
Since the device will be employee owned, yet enabled for dual use, the employee may expect some offset to their costs, either of the device, or the service plan.
Decide if it makes sense to reimburse a percentage of the cost to the employee, or issue a stipend to offset the cost of the service plan.

BYOD Service Design

Determine the Support Model
When something goes wrong, employees will need to know the boundaries around support of BYOD devices.
Formulate a set of support policies to answer these sorts of questions:
What type and level of Help Desk support is available for initial set-up, and on-going support? Electronic only? Phone as well?
Service Levels in terms of types of support to be available, target performance levels, and response and resolution time targets
What kind of support is available for broken devices? Does it matter if the employee broke the device, or if the device was damaged as a result of something the company did?
Set guidelines around support for enterprise applications, and make it clear which sorts of applications employees support
When a personally installed application is conflicting with access to an enterprise application or service that you have stated you will support, how do you handle that conflict?

Service Design: Design a Stringent set of Security Policies

Understand where you are now in terms of vulnerability by doing a baseline security assessment. This will help identify how you are dealing with remote access from mobile devices now, what processes and technology you have in place, and what the current risks are. It will also ensure you have identified legal and compliance requirements.
Password Policy: If you are going to allow users to access corporate applications and information services, you will have to set up strict password guidelines, enforcement and maintenance policies. Passwords will have to be long alphanumeric strings, and changed routinely, not a 4 digit PIN.
Backup and Update Policy: Define what steps employees should take to back up their own data and corporate data, and what should be done to keep their devices current.

Service Design: Lost Device Policy

Develop policies that state what happens when a BYOD device is lost.
Since the device is equipped to access secure company resources, you must provide for …
1) remote tracking and access and,
2) a remote “data wipe” for any company applications and associated information.

Service Design: Integrate with Acceptable Use Policy

When you allow employees to use their own devices on your company network, it may not be so clear to them what is “acceptable use”, vs. what is not
What if they transmit objectionable material over your network, even though they are using a device they own? Make it clear what the guidelines are for “acceptable use”:
Who can connect devices to the network
How they can be connected and authenticated
What data can and cannot be accessed
What applications are permitted (and those that are not)
Types of data that can be stored on BYOD mobile devices

Service Design: Make it Clear Who “Owns” What

The employee’s device contains a mix of personal data and applications, as well as business related data and applications
While IT is backing up business and application data on the device, this may not be the case with personal data: pictures, music and other apps. That is left to the employee.
In the event the user loses the device, a remote “wipe” capability traditionally erases all content on the device, much of which the employee has paid for, and perhaps not adequately backed up.
Make it clear that you assert the right to “wipe” devices brought on to the network under your BYOD plan, and provide guidance on how employees can secure their own content and back it up so they can easily restore once the lost device is replaced.

Service Design: Policies on Allowed vs. Banned Apps

This policy should apply to any device connected to your network, whether the device is company or employee owned.
The risk is that the employee may download, install and begin using an application that presents a security risk or a legal risk on devices that have been given access to sensitive company information.
What if the employee …
Downloads a mobile app that has a serious “security vulnerability”, and hackers are able to exploit your corporate network as a result?
Are you going to allow employees to download an app that will violate music copyright laws?

Service Design: Design for Initial Activation

There should be some type of screening process as a part of initial installation, that ensures that apps that represent a significant security or legal threat are not present.
Ongoing monitoring and detection tools should also be put in place on the devices to ensure that they are not exploited by security threats

Service Design: Ensure the People and Processes will be Ready

Key Functions to ensure are ready to support BYOD:
The Service Desk: to handle common questions and trouble-shoot incidents related to BYOD users
Technical and Applications Management Teams: providing 2nd and 3rd line support to the Service Desk
IT Operations: in charge of monitoring the BYOD environment to assess any events which should trigger an ‘alert’

Affected ITSM Processes to examine and prepare:
Incident Management and Problem Management: to handle BYOD related issues and resolve them
Event Management: to monitor the network and critical components
Access Management: granting access per the policy, as well as revoking access
Request Fulfillment: handling BYOD related service requests

Service Design: Design of Other Vital Processes

Employee Provisioning: The Onboarding process
When a new employee begins, IT is notified via HR and the enabling processes for the device owned by the user can begin.

Employee Deprovisioning: The Exit process
What happens when the employee leaves the company? It’s not simply a matter of returning the company owned property anymore.
You should have a clear methodology in place for how you will remove the access tokens, as well as any proprietary applications and company information.
If you choose to do a mandatory “wipe” of the device as part of the employee exit process, ensure that the employee has provided for adequate backup of personal data and applications

Designing the Supporting ITSM Management Systems

Mobile Device Management (MDM) Systems: available from several vendors
MDM solutions enable you to take effective control of your BYOD environment.
Many can be installed in hours, and can automate the discovery, inventory, and policy enforcement of thousands of remote mobile devices.
Some MDM solutions are available on a “SaaS” pay-as-you-go basis, enabling you to get started immediately with minimal investment cost
Examples: MobileIron, AirWatch

What to Look For in a Mobile Device Mgt System

Facilitates Provisioning & Deprovisioning
Wizards to help speed the set-up process
Enable registration of individual or bulk numbers, including self-service registration
User authentication against your directory services system
Templates for customizing to your Terms of Use
Provide for selective enrollment restrictions to block users based on platform, version, etc.

What to Look For in a Mobile Device Mgt System

One that Enables Strong Security
Passcode: require a device passcode with configurable complexity, length, lock and wipe rules
Encryption: enforce full device and storage card encryption to industry standards
Configurable restrictions: the ability to lock down user’s ability to use specific device features, apps and web browsing
Compliance support: be able to set up rules for non-compliance activities and compromised devices with automated responses
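
The compliance rules and automated responses listed above can be sketched as policy-as-code. This is an added example, not from the original slides or any MDM product: the field names, thresholds, minimum OS versions and action names are all hypothetical, and the device records are constructed.

```python
from dataclasses import dataclass

# Hypothetical policy values; a real program fixes these during Service Design.
POLICY = {
    "min_passcode_length": 8,
    "require_alphanumeric": True,   # long alphanumeric string, not a 4 digit PIN
    "require_encryption": True,
    # Enrollment restrictions: minimum OS version accepted per platform.
    "min_os": {"ios": (7, 0), "android": (4, 4)},
}

# Hypothetical automated response for each violation.
RESPONSES = {
    "weak_passcode": "notify_user",
    "unencrypted": "block_corporate_access",
    "outdated_os": "block_corporate_access",
    "unsupported_platform": "deny_enrollment",
    # Remove only company apps and data, leaving personal content alone.
    "compromised": "wipe_corporate_container",
}
# Actions ordered from least to most severe (an assumption of this sketch).
SEVERITY = ["notify_user", "block_corporate_access",
            "deny_enrollment", "wipe_corporate_container"]

@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    passcode_length: int
    passcode_alphanumeric: bool
    encrypted: bool
    compromised: bool

def parse_version(text):
    """Turn '4.4.2' into (4, 4, 2); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def evaluate(device, policy=POLICY):
    """Return the list of policy violations for one device record."""
    violations = []
    minimum = policy["min_os"].get(device.platform.lower())
    if minimum is None:
        violations.append("unsupported_platform")
    elif parse_version(device.os_version) < minimum:
        violations.append("outdated_os")
    weak = device.passcode_length < policy["min_passcode_length"] or (
        policy["require_alphanumeric"] and not device.passcode_alphanumeric)
    if weak:
        violations.append("weak_passcode")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("unencrypted")
    if device.compromised:
        violations.append("compromised")
    return violations

def respond(device, policy=POLICY):
    """Pick the most severe automated response, or 'allow' if compliant."""
    actions = [RESPONSES[v] for v in evaluate(device, policy)]
    return max(actions, key=SEVERITY.index) if actions else "allow"

# Constructed inventory records, for illustration only.
SAMPLE_DEVICES = [
    Device("alice", "ios", "7.1", 10, True, True, False),
    Device("bob", "android", "4.4.2", 4, False, True, False),
    Device("carol", "android", "4.1", 8, True, False, False),
    Device("dave", "ios", "7.0", 9, True, True, True),
    Device("erin", "blackberry", "10.3", 8, True, True, False),
]

def report(devices=SAMPLE_DEVICES):
    """Map each owner to the automated response for their device."""
    return {d.owner: respond(d) for d in devices}

if __name__ == "__main__":
    for owner, action in report().items():
        print(f"{owner}: {action}")
```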

What to Look For in a Mobile Device Mgt System

Configurable
Setting up Profiles: device settings and user credentials for accessing enterprise apps
Geographical limitations: be able to remove profiles based on location
Time-based: install or remove based on time-frame
Enable access to Accounts: to corporate Email, Calendar, Contacts, Wi-Fi and VPN
Applications: be able to distribute and manage internal/external apps via an authorized Apps Catalog
Enable secure content: be able to distribute corporate docs into some type of secure ‘container’

What to Look For in a Mobile Device Mgt System

Monitoring Capability
Dashboard: be able to track and view real-time device information
By location: be able to view all enabled devices on a GPS map by location or within a specific location
Enable Alerts: be able to specify rules for ‘events’, to trigger alerts to IT administrators
Reporting: be able to configure real-time and periodic reporting for automated distribution

What to Look For in a Mobile Device Mgt System

Ability to Effectively Manage
Updates: be able to update configuration settings and re-provision devices automatically with these settings
Enable Commands: be able to send commands on demand to devices to request info, lock or wipe a device
Bulk Management: be able to perform actions to groups of devices
Retirement: un-enroll devices from your environment, removing the corporate data and apps and wiping the device

What to Look For in a Mobile Device Mgt System

Facilitates Support
Messaging: send messages to end-users with trouble-shooting instructions
Remote diagnostics: be able to remote in and identify issues
Remote view: be able to view remote user’s screen and do screen captures
Remote control: take control of a device for trouble-shooting
Self-service: enable users to clear their passcode, locate their device, and more


Other Supporting ITSM Management Systems

Endpoint Security Suites: these provide a host of centralized security solutions that extend to mobile devices, such as anti-virus, anti-spyware, intrusion detection and prevention systems, data loss prevention, vulnerability scanning and blocking.
Examples: McAfee, Trend Micro, Symantec
Network Access Control (NAC): these solutions inspect devices that connect to the network to ensure they are up-to-date with the latest required security patches and applications.

Service Transition: Going Live with Your BYOD Program

Once your BYOD Service Design Package (SDP) is complete, your core team will shift into the Service Transition stage to begin acquiring and deploying the necessary service assets.
This step includes acquiring and developing:
Resources: people, tools, technology, finances
Capabilities: the ability of these resources to execute and deliver the service as designed

Transitioning Your BYOD Program into Live Operation

Transition Planning and Support: the team coordinating all the activities to establish the BYOD program into production
SACM: will track BYOD users and associated devices as they come on and off the program
Change Management: controls changes to the program components, and enables standard changes
Release & Deployment: engages to plan the release of BYOD, and deploy the supporting capabilities
Service Validation and Testing: required to ensure the program works as designed prior to deployment
Knowledge Management: plays a big role in capturing documented policies, procedures, FAQs, and sharing this across the organization

Considerations for Service Transition of Your BYOD Program

Communicating with the people affected: a communication and awareness plan will need to be drawn up, so that expectations are set properly with users, customers and the service desk as the BYOD program rolls out.
Putting the right people with the right roles & responsibilities is also key to success
You may want to continue with your core implementation team for a period until the program is fully embedded
A “Chief Mobility Officer” is advocated by some organizations to oversee and guide the rollout
Specialized support roles may be required in Service Operations
A comprehensive training program will need to be developed and deployed to inform the organization about the impact of mobility, and supporting BYOD devices

Service Transition Considerations

Deploying your supporting processes
Tailored and tested ITSM processes will be verified
Other processes such as provisioning and deprovisioning will be tested and validated (processes facilitated by MDM tools)

Deploying your ITSM Management systems and solutions for providing the supporting environment
MDM support systems
Enterprise Endpoint Security Suites
Network Access Control solutions

Service Operations: The Acid Test for BYOD. Is it Supportable?

Service Desk: Single Point of Contact & communication for all users
Incident Management: will handle the resolution of BYOD incidents
Request Fulfillment: handles provisioning, deprovisioning, as well as other informational requests for service
Problem Management: will resolve any underlying problems
Access Management: carried out to grant/withdraw access (provisioning and deprovisioning)
Event Management: monitoring BYOD status

Service Operation Considerations

Once through Pilot and Early Life Support, BYOD will transition into live Operation. This is when the service becomes “live” in the Service Catalog, the SLAs are live, and your BYOD program is in operation with the users.

Key Considerations:
Ensure your Service Desk staff has gone through a knowledge transfer workshop, to ensure they are up to speed on policies, support tools, and procedures.
Educate all stakeholders about the program, along with supporting policies and procedures:
BYOD end-users
The Service Desk staff
Desktop Support
Other IT Technical and Application support groups

Service Operation: Key Considerations

BYOD education should be part of the employee on-boarding process, and should continue with periodic refreshers.
Training can be held …
In person, during an initial orientation
Online, through periodic webcasts
Self-paced training can also be made available
Using Event Management, leverage your MDM systems and other tools to continually monitor the status of your BYOD environment

CSI: Continual Improvement of Your BYOD Program

A Periodic BYOD Program Assessment should be a Key Element in CSI
Initiate an on-going process of monitoring the value delivered, and the returns received, of a BYOD program, in order to keep the program aligned with IT and business goals, and to seize improvement opportunities
The technology surrounding the BYOD movement continues to change rapidly, with types of devices, new capabilities, and new applications
With advancements come new opportunities, but also new risks
At BYOD launch, consider a quarterly assessment to determine how close you are to containing risks, and realizing the benefits you aimed for. Examine:
Threats and vulnerabilities
Policies and procedures
Supporting tools and systems
Thereafter practice at least an annual assessment of the program

Summary


By taking a Service Lifecycle approach, you will have a much better chance of success!
Develop a Service Strategy for BYOD, and align that with business goals. Setting the overall vision, mission, goals, and guidelines is crucial
Proceed to Service Design, where you will consider ALL the aspects (people, processes and technology) to create a total solution
Test, validate and Pilot your Program in Service Transition, so you can be confident it will work
Having done all that, when you go live in Service Operation, the devices and the program will be manageable and successful
Use a CSI approach to continually monitor the program and make periodic improvements!

Thank You!



Now time for Q&A, Discussion …