Rethinking the BYOA barricades

IT managers need to start looking outside the corporate network to protect the perimeter. Reliance on traditional network defences – or even policies that focus exclusively on employees – just isn't enough anymore.

To tackle the security challenges of both BYOD and BYOA, today’s IT managers need to look outside the corporate network – because that’s where their data will increasingly reside. The popularity of the “as-a-service” delivery models which dominate the BYOA landscape has meant more and more organisational data is being stored on the servers of SaaS providers or external clouds.

In other words, the BYO revolution has already breached the organisation’s barriers: IT managers can no longer rely solely on traditional network defences – or even policies that focus exclusively on employees – to keep their data safe.

So how can IT professionals address these broad new areas of risk thrown up by BYOA? They shouldn’t give up on network management within their own domain; in fact, they should focus on bolstering access control with systems that track where, and how, users connect to sensitive data.

But they must also look to new strategies such as collaborating with “as-a-service” providers, deploying corporate app stores, and embracing entirely new working models. There may never be a true technological solution to any BYO movement – which is why the effective IT manager needs to take on new skills and roles as a “mediator” between employees, third-party providers, and the business.

Out in the Cloud

First up, it’s worth stressing that BYOA offers organisations and IT policymakers numerous opportunities if it’s managed effectively. A BYOA-centric strategy will, as I’ve argued before, mitigate many of the challenges posed by BYOD: it’s far easier to monitor and regulate apps, based on how they interface with the corporate network and its assets, than it is the devices which house them.

And the benefits are particularly compelling for industries where mobility is essential, which have in fact been constrained by the desktops and laptops of yesteryear’s computing hardware. Any industry with a large sales force presence – including many parts of the IT industry itself, particularly resellers and MSPs – can garner obvious benefits from more flexible access to applications. Others like healthcare, finance, and even the emergency services sector can gain 24/7 access to the highly technical applications which they require as part of their daily duties.

The biggest hurdle to grasping these opportunities is the security of the organisation’s sensitive data. This data, thanks to the prevalence of SaaS applications amongst those which employees (and more and more businesses themselves) typically opt for, increasingly resides outside the corporate network’s perimeter. IT managers have virtually no visibility of how and by whom this data is being accessed, or even where it’s physically stored.

Nor do they have a straightforward technical means by which to secure this data. In fact, the use of corporate data within third-party hosted apps renders the traditional corporate network boundary absolutely useless.

Build Your Own Solution

So should IT managers throw their hands up on the BYOA front? Quite the opposite: they should first concentrate on robust access control strategies within their corporate networks (we’ll get to the dilemma of external data a little later). A set of complementary monitoring tools is essential in this regard: while an endpoint-focused tool like SolarWinds’ User Device Tracker can identify devices connecting to data sources – and blacklist devices or users who IT believes don’t require access – it takes deeper analysis of log and event files to decipher exactly what employees are doing with this information.

But IT managers also need to realise that while they can identify connectivity within their own domain, they have no way to see what employees do with corporate data moved outside the boundaries of their corporate network.

This demands a new range of strategies (and skills) to ensure that BYOA is applied most effectively by the business. IT managers should raise the issue of data access with their SaaS providers, particularly those which are frequently turned to for enterprise functionality within the organisation.

Third-party providers, for their part, must consider how they might allow client organisations to monitor and control data being accessed by their apps. While these are tricky issues to negotiate, the spread of concerns about BYOA access to data will make collaboration essential between “as-a-service” developers and the industries where their apps are used.

IT managers considering corporate app stores as a solution to BYOA’s access issues will need to decide what policies and practices to build into those environments. Building an app store from scratch may offer the greatest degree of control, but an outsourced solution (or one which “piggybacks” off existing public app-store infrastructure) may be more viable from a cost perspective. There are software vendors who build “App Store Software” for sale, effectively allowing an organisation to host its own store “on-premise” or in a hosted (read: cloud-based) scenario.

Industries which require more technical applications, such as healthcare or engineering, may be better suited to corporate app stores since employees will already be using a relatively small pool of apps for their purposes.

IT’s Soft Skills

Any potential solution to BYOA requires IT managers to go beyond the purely technical and negotiate between employees, third-party providers, and business requirements. The most effective IT professionals will end up resembling internal liaisons or “mediators” more than anything else, using their existing skills to find common ground between apps which employees use and those which meet business needs. And while they’ll have to gain some new technical and managerial abilities, it’s worth remembering that IT professionals have faced questions of BYO before, from BlackBerry access to mail servers right through to when employees would download freeware to their desktops.

By establishing closer ties to heads of business, as well as third-party SaaS and IaaS providers, IT managers will be well-placed to overcome the data access issues of BYOA – allowing them to apply it as a powerful enabler of business productivity and mobility in the process.

Lawrence Garvin is the ‘Head Geek’ and technical product marketing manager at SolarWinds.