Be honest: Who is in control of your workplace IT? You or the user?
The severity of these risks varies with the business and the laws governing the jurisdictions in which they operate. Most clandestine IT deployments are - at their heart - an effort by employees to bypass company policies and procedures they feel are too restrictive. In some cases (I'd argue in most cases) it is simply a desire on the workers' part to feel that they have a sense of control. This can too easily get mixed up with a feeling that IT policies exist only so that some management types can justify their existence.
For others, it is the belief - accurate or not - that the ability to use their preferred service, software or device will make their job easier. As soon as this happens, corporate information moves beyond corporate control. The lost employee iPhone could contain millions of credit card numbers; the lost Surface tablet, an entire province's medical records.
Vulnerability to malware or even physical access attacks is greatly increased with a personal device over corporately controlled units. The effectiveness of centralized antivirus and mandated unlock passwords evaporates if users start walking around with unmanaged endpoints.
Beyond the obvious headline-grabbing security and privacy risks lurk far more mundane threats. Document retention legislation could result in serious fines if critical business communication begins occurring outside of corporate retention mechanisms. Regulations such as Sarbanes-Oxley and certifications including PCI compliance require certain levels of corporate security be applied to various bits of corporate information.
Industrial espionage is a lot harder to prove if information access occurs outside audited systems. Gaffes and mistakes can present an unprofessional corporate image. Is your salesman communicating with clients from his personal Gmail account? Is such communication purposeful, or did he mean to select the corporate account in his mail client but forgot?
Four ways to grab the reins
There are three basic approaches to dealing with the consumerisation of IT. The first (and often the instinctual) response is the Fortress IT approach: introducing or reinforcing policies forbidding the use of non-approved devices, software, or services. This is typically followed by a vicious crackdown, "education" of users and firings. The odd legal action against an employee for emphasis is periodically employed.
Digital natives don't seem to take particularly kindly to this approach. Unless there is an exceptionally good reason to be working at your company, Fortress IT will result in nothing except the assurance that you will not attract tomorrow's best and brightest.
The second approach, diametrically opposed to the first, is embracing the chaos. Far more popular among small businesses than large, this approach relies on training and trust in employees to treat corporate data with respect. It is typically enacted with fixed allowances for devices and paired with complete freedom for the employee to choose what they wish to use. If the user wants a better device than the corporate allowance, they must stump up the extra. Issues of who owns the device if the employee leaves before three years are common.
While companies using this approach are generally less carpe diem regarding software and services, they have far more open policies than other approaches. The focus of companies embracing the chaos is giving employees the tools they need to do their job. This comes with an implicit acknowledgement that the subject matter experts - the employees - are in a better position to determine what those tools are than management or IT.
Embracing the chaos requires understanding and clearly communicating the risks data loss poses to the company. Above all it requires honesty and trust by both the employer and the employee.
The third approach to coping with the consumerisation of IT is "Deploy Desired Devices" (DDD). The DDD approach relies on accepting that in any instance where we are dealing with employees who are not completely interchangeable, the "least cost" approach to IT has been a failure.
Instead of deploying rickety $400 Acer specials whose performance hasn't changed since the line was introduced six years ago, the DDD approach would require deploying hardware, software and services that people actually want to use. Instead of forcing a Blackberry or a Windows Phone on an employee, options are expanded to include desirable devices such as Android phones or iPads.
The DDD approach requires that companies talk to their staff, find out what people want to use, and why. It requires moving from supporting the smallest possible range of devices, software, and services to embracing "the new" even if that includes Apple in the enterprise.
There is also an implicit fourth approach: pretend that the consumerisation of IT isn't happening. Doing nothing is its own approach. It is even potentially valid if clandestine IT has not yet started its inevitable infiltration. In the long run the "doing nothing" approach will ultimately fail.
Each approach will bear a cost. Clamping down on your staff will result in either high turnover or in having to provide alternative incentives for staff retention (pension plans, etc). Embracing the chaos requires true jack-of-all-trades systems administrators with a wide range of experience. And those are expensive.
DDD can be accomplished with existing support staff, but requires a corporate attitude of not skimping on the digital tools of the trade. Doing nothing is a gamble that will lead inevitably to data loss and possibly expensive legal concerns.
Still, it's not as bad as all that
Controlling a heterogeneous environment or doing testing on new software or services has traditionally been difficult and expensive. Vendors are aware of this. As demand for new technology has increased so too has the ease of meeting those demands.
Mobile device management software has come a long way. Popular enterprise endpoint management software now regularly supports Apple and even Linux. Virtualization allows the creation and destruction of test environments with ease. RDS, VDI, and ThinApp-style technologies allow the delivery of corporate applications or entire managed environments to unmanaged devices. Cloud aware inventory software is increasingly capable of tracking and monitoring clandestine IT.
The tools and resources necessary to support a broader range of devices, software, and services are becoming commonplace, even if the manageability of some devices lags behind.
Excepting in exceptional circumstances, "it's too hard" is no longer a valid excuse for failing to set policy regarding the consumerisation of IT. We have the technologies required to deal with this issue. What remains is choosing whether or not to acknowledge the reality of it, and what approach your business will take. ®
Re: @Trevor Pott "Learn to live with it, or leave." Is that kind of posting the way you normally..
@Arctic Fox: That wasn't a hostile post telling you off, sirrah. Explanation of the policy itself was not intended as an attack; I apologise if it was interpreted as such. It was merely a blunt explanation of Microsoft's policy.
"Learn to live with it, or leave." I chose "leave." Others are choosing "live with it."
I personally do believe you are being naive if you think for a second that "customer reaction" is going to mean a bent damn to Microsoft, but I'm not really going to hold that against you.
Some IT departments might deploy things like classic shell. Most won't, for the reasons I listed. The larger the org, the greater the likelihood they won't deploy it. Some will sit on Windows 7. The smaller the org, the more likely this is…up to a given point. There's a weird inflection point below which companies don't have IT guys. At this point, they will eat whatever is put in front of them; they have no choice, Windows 8 is what Best Buy sells.
Some of us are giving up on the MS ecosystem altogether. Joining the neckbeards on Linux, or the hipsters on Apple. For the overwhelming majority of end users, IT departments and so forth, however, Microsoft is all that exists, all that will exist and you will eat what is put in front of you and like it.
You have the same two choices I do, or anyone else does: "learn to live with it, or leave." I gather you don't like the binary option as presented. Gods know I don't, either. That said, in the real world, I do not honestly believe there is another alternative. Nothing you or I or even every single reader of The Register combined could do would make a big enough impact to even cause a Redmondian product developer to yawn.
They can lose every single one of us – and the companies we support – and not care. The only thing that matters to Redmond are CxOs. People who make the purchasing decisions for companies with thousands of seats and/or governments. They don't want to be supplying you Windows for your desktop, or your crappy little SME. You are a net drain on their bottom line, not a profit center.
The only people that matter at all to Redmond are the folks willing to stump up subscriptions – SA, preferably, but O365 and InTune will do – in huge volume. This is what Microsoft has bet the farm on, and it is the driving force of every single decision they have made for years.
That's why we're expendable. The kind of consumers who like Metrololo are the kinds of people who will buy Windows Xbox Live Gold Edition Subscriptions if Microsoft tosses a few episodes of The Guild in each month and allows them to stream the latest Halo over the interbutts.
Businesses with more money than sense will sign SA agreements because they are so deeply embedded in the Microsoft ecosystem that – like users of IBM mainframes – they aren't going anywhere for the foreseeable future.
So…the rest of us? Enthusiasts and power users and SMEs with capable techies and the ability to be discerning? We're the 80% of customers that bring in 20% of Microsoft's revenue. We're the long tail that Microsoft will gladly cut off if it can only increase the revenue from the other 20% by a few points. The costs of supporting us are astronomical, and we are never happy.
So Microsoft have stopped giving fucks. There are simply no fucks given whatsoever. Not by them, not by Apple, not by Canonical, nobody. Nobody gives any fucks about us at all. We have the technical competence to use any vendor to accomplish our aims, and are just fickle enough to keep trying to play the various vendors against each other. One by one they have all said the exact same thing:
Learn to live with it, or leave.
I can't – and won't – give you advice about which to choose. I will, however, tell you straight up that there are no other choices on the table. That you, or I, or any of the rest of us have a forum to have our voices heard is a fallacy. One that – quite frankly – most vendors don't even give lip service to any more.
It sucks, but what are you going to do about it? I know what I am going to do: I am going to ruthlessly abuse the contacts I've made as a writer for The Register to introduce the CEOs of various startups to one another. I am going to try to organise a conference of startup CEOs and build a fifth column within the tech industry. Instead of a handful of behemoths surrounded by a collection of intercompeting (and thus irrelevant) ankle biters, I am going to try my damnedest to organise the ankle biters into a serious threat.
I am going to expend every single iota of political capital I have ever obtained to get a few dozen startup CEOs in the same room and see if they can't hammer out the framework for something larger. I will most likely fail. Probably spectacularly and in a fashion that ensures I will never work in this industry again.
But I'm still going to try, because I can't learn to live with Microsoft's vision of the future, and Apple abandoned folk like me long ago. Google hasn't gotten its shit together and the open source world is a mess. I have no choice but to choose "leave," but in order to leave I first have to make a place to go.
If you've a better idea than that – or some concrete rationale you can use to demonstrate why you think regular joes have a snowball's chance in a neutron star of having our collective voices heard by the Microsofts or Apples of this world – I am all ears.
Because choosing "leave" is a truly exhausting amount of work.
You're forgetting the software
Applying end point security to a wider range of devices is the only approach other than total lockdown that I've seen tried. Like democracy, we do it because the alternatives are usually worse. I'm not sure where this fits in the 4 options above. You're not deploying desired devices, you're trying to secure devices deployed at you.
All this ignores the second major cause of BYOD: software. The only difference between enterprise software, in particular interface design, and bestiality, is that bestiality is at least half consensual. How long would Amazon have lasted if it looked and worked like the bastard chimeric spawn of Siebel and Oracle?
You don't sit looking at your device all day (fanbois excepted). You look at the %$&#% software. That's where the gulf between what we're used to at home and what we're forced to do at work yawns widest. Fix that, and maybe your users won't mind using <gasp> Acer.
A lot of the comments above strike me as the IT equivalent of King Canute - we don't like it so you can't have it. Well, if (and that is not yet certain) it makes economic sense for the business, then it's likely to happen, whether or not IT want it. There will be plenty of external consultancy firms telling the directors that they can do it, even if your "backwards IT guys" can't.
IT should be about finding how we can successfully, securely and efficiently embrace new ideas and technologies, not protect the way we do things now.
The tide comes in on its own schedule, not ours.