The Bring Your Own Device (BYOD) approach to mobile device provisioning — including employee-managed identity management — has not only taken root, but has become the norm for tens of thousands of businesses and has become the preferred method for enabling mobility for some of these businesses. In fact, Osterman Research found in a major 2013 study of the BYOD market that most of the iOS- and Android-based smartphones in use in North American businesses are personally owned, not provided by employers.
BYOD and employee-managed identity management — which also includes BYOA (Bring Your Own Applications) for tools like Dropbox, Skype and hundreds of other applications that started off as consumer offerings, but have since become widely used for business purposes — have evolved through three stages:
- Beginning in about 2007 with the introduction of the iPhone, a handful of senior executives and others asked IT to support their personal devices. IT obliged, but often with reluctance because of security and content-management concerns.
- As BYOD gained traction in the 2008-2012 time period, IT departments often opposed the use of personal devices, again quite often because of security concerns.
- Because BYOD is today the norm in so many businesses, IT has realized that it cannot continue fighting this seemingly inevitable trend, and so has accepted, albeit reluctantly, the widespread use of personally owned mobile devices on its networks.
Will the next phase of BYOD/BYOA be BYOI (Bring Your Own Identity)? Some believe it will be, including Art Coviello, the Executive Chairman of RSA, who wrote:
“The next evolution of [the BYOD] trend will be the consumerization of ID or identity as employees increasingly push for a simpler, more integrated system of identification for all of the ways they use their devices. Identity will be less entrusted to third parties and increasingly be something closely held and managed by individuals — as closely as they hold their own devices.”
Mr. Coviello has a point, one that has been corroborated by our own research. For example, an Osterman Research survey conducted in 2013 found that 82% of users identify their current access methods as either painful or at least in need of improvement. This survey also found that the typical user accesses a median of 10 different systems or applications during a normal workday, and that the more applications users must employ to do their work, the less satisfied they are with the access methods available to them. Further corroborating the pain that authentication has become, our research found that one-third of users must have their corporate login credentials reset more than four times per year because they forget their username or password.
So, Mr. Coviello is right in one important respect — users will be increasingly motivated to push for better ways to authenticate themselves to the corporate systems they must access on a daily basis.
That said, BYOI may not follow the same pattern as BYOD or BYOA. Here are two reasons why:
- The vast majority of users employ their personal device(s) to access corporate systems. For example, BYOD research conducted by Osterman found that the primary mobile device in use is employed by 97% of users to check email; 55% use it to take notes; 43% use it to review and edit documents; and 36% use it to share content with partners, prospects and customers.
- This means that employees regularly use personally owned devices to check, download, upload and share important content on corporate systems. It also means that their employers are at risk if a cybercriminal can reach this content by installing malware on a mobile device, guessing a relatively simple password, finding a lost device, or obtaining a user’s login credentials that are reused across multiple systems (our research has found that 82% of users reuse credentials in this way).
- Consequently, most security-aware IT managers may not accept the status quo of simply letting users dictate their own login credentials and access methods. Instead, to protect corporate systems and content, IT must take a much more active role and implement more robust identity and access management systems that are tailored to the sensitivity of the information and systems being accessed, the access rights of users, etc. The recent exfiltration of 40 million Target customers’ confidential information will be one of the headline events that will motivate companies to action in this regard.
- Another important reason for organizations to take back more control over identity and access management is the large proportion of corporate content that exists in repositories like Dropbox, on mobile devices themselves, or in user-generated archives like .PST files. When organizations face an event like an eDiscovery order or regulatory audit, they must have access to all of their relevant content, and they must access this content in a relatively short amount of time. If users have established their own credentials and stored this content in repositories to which IT, legal or others do not have access, the entire organization is at risk of not being able to access critical content in a timely fashion. Moreover, it prevents the organization from enforcing its content retention rules — content can easily be created and then saved or deleted in violation of corporate policies.
In summary, the BYOD model of Reluctance, Opposition and then Acceptance simply won’t apply to BYOI to nearly the same extent. Instead, the model will be Reluctance, Opposition and then Action, where that “action” will be IT retaking control over access to corporate systems and data repositories from personally owned devices. It will take the form of deploying risk-based authentication, two-factor authentication and other, more sophisticated modes of authentication as part of an IT-managed identity and access management solution.