DOWNLOAD "Making BYOD Work for Your Organization" - Cognizant

Executive SummaryThe influx of personal smartphones, tablets and laptops thatconnect with and use corporate resources is challengingcompanies to walk a fine line between channeling thebenefits of employees purchasing and using their ownmobile devices and making these devices secure and costeffectiveenough for the enterprise.Known as BYOD, or bring your own device, this consumer-ledmovement is transforming enterprise workspaces by extendingthe notion that 21 st century employees need to work fromanywhere, at anytime and on their devices of choice, bothwithin and outside of the traditional corporate structure.BYOD is not only disrupting the traditional way technology isprovisioned, paid for and used, but it also promises the dualbenefits of simultaneously driving down IT costs while improvingemployee productivity and satisfaction.The BYOD trend holds immense potential to transformbusiness, enable agility and encourage innovative ways ofinteracting with customers and business partners. The keyis to approach BYOD holistically, responding to employeeexpectations while fulfilling business requirements forsecurity, compliance and risk mitigation.Transitioning to a BYOD model should be phased in overtime. Organizations need to mitigate security risks, suchas inappropriate usage or loss of corporate data andthe ensuing financial and legal implications. Establishingeffective governance mechanisms to ensure data privacyand security can be challenging when embracing a BYODphilosophy. In addition, advances in consumer technologyand device heterogeneity are creating complexities thatcan undoubtedly turn into nightmares for IT if not handledproperly.June 2012 MAKING BYOD WORK FOR YOUR ORGANIZATION 2

Organizations should deconstruct traditional workspaces,using virtualization to decouple dependencies among hardware,OS, applications and user states found in traditionaldesktop configurations. This gives them greater flexibility tostream the right set of user profile, data and applications ondemand,at the right performance level and in a secure mannerto any device, based on employee roles and IT requirements.For the foreseeable future, companies should take alimited BYOD approach (the middle path), with finite lists ofsupported devices that are easier and less costly to manage.A limited-BYOD infrastructure that is platform and OSagnosticwill help minimize security breaches and theorganizational resources needed to support and manageemployee-owned devices. Deploying the right combinationof mobile device management (MDM), mobile applicationmanagement (MAM) and mobile application developmentplatform (MADP) solutions can help organizations secure andquickly update business apps on employee devices and performcompliance reporting, all while providing employees the flexibilitythey demand, resulting in improved productivity and highersatisfaction.Unlike previous waves of technology change, BYOD promisesto pervade all parts of the business. Proactive organizationsthat embrace this trend and mold it in suitable ways tobenefit the business will gain the critical lead to out-perform thecompetition.3 FUTURE OF WORK June 2012

Transforming the workplace. The combination of managed personal devicesand cloud computing with desktop and application virtualization can helporganizations enable secure access to key corporate resources anytime andanywhere for their employees. The confluence of cloud, virtualization andmobility is transforming the way employees work today, allowing them to becreative and innovative in ways previously unobtainable.BYOD Implementation ChallengesWithout a doubt, the proliferation of myriad smart mobile devices createscomplexities that are overwhelming many organizations. With limited controlover and vast choice of mobility devices, today’s organizations face considerablechallenges in protecting data, ensuring security, providing support, meetingcompliance regulations and lowering IT costs to manage a BYOD environment.Protecting data. Compared with most corporate hardware resources, employeeowneddevices are more prone to theft and loss because of their size, perceivedvalue and portability. For organizations, tracking lost personal devices andwiping sensitive corporate data stored on them is a major challenge.Security. The heterogeneity in the device landscape makes it challenging todevelop and implement appropriate security measures. In addition, theiradvanced features — such as high-resolution cameras, recording functions andlarge storage capacity — can circumvent many traditional IT security measures.The possibility of employees inadvertently exposing their devices to maliciousattacks while using them outside work is a serious risk. For organizationsoperating in regulated environments bound by compliance mandates, ensuringsecurity for corporate resources while allowing BYOD can be a tightrope walk.Support. Providing support for the numerous devices used by employees —while offering the potential for significant reductions in overall support costs — isa major implementation challenge. IT departments may be overwhelmed if theylack the appropriate resources to implement the changes necessary to supportBYOD.BYOD DriversBase: 700 IT professionals in seven countries, including Australia,Canada, Germany, India, Netherlands, U.S. and UK.Source: Citrix Global BYO IndexFigure 3Improved employee satisfactionIncreased worker productivityGreater mobility for workersMore flexible work environments for employeesReduced IT costsAttracting/retaining high-quality staffBetter quality of devices used by workersBetter care and/or longevity of devicesReduced device management requirements for ITFaster onboarding of employees and third partiesImproved business continuityOther0% 10% 20% 30% 40% 50% 60%Percent of respondentsJune 2012 MAKING BYOD WORK FOR YOUR ORGANIZATION 6

Virtualization. Providing access to corporate data and enterprise applicationsfrom a centralized location gives IT greater control over safeguarding enterpriseresources regardless of the devices in use. In this way, virtualization accommodatesthe diverse devices used at work and eliminates the IT and business costsof customizing apps and creating access mechanisms.“Containerization.” This approach separates corporate data into secure“container” structures on devices and allows organizations full control overthem. By using either a self-contained, secured application and data constructor a completely separate mobile OS via a hypervisor, organizations can isolateor contain corporate data on personal devices.With the hypervisor, multiple instances of an operating system can be run on asingle device, essentially creating virtual devices. This way, organizations cancompletely isolate the OS and partition the portion used for corporate applicationsand data from the one used for personal purposes. With the self-containedconstruct, applications and data are run in a separate memory space on thedevice. Access to this information is secured via additional authentications andcan be selectively removed in the case of device loss or employee retirement.These containerization methods allow IT departments to manage and monitorthe corporate applications and data effectively and securely without impingingon the personal data on employees’ devices.Encryption. This provides a strong layer of security for devices, applicationsand data. It also makes it difficult for anyone to view and obtain data from lostdevices without the encryption key.BYOD in phases. Embracing a limited BYOD model is key to handlingthe complexity that personal devices introduce. Carefully evaluating therequirements of employees based on their roles and limiting device supportwill help IT departments gain some control over management and securitychallenges. Allowing only secure and compliant personal devices for work canhelp organizations alleviate their concerns over security, support issues andcosts so they can create an infrastructure to accommodate them.Creating a Holistic BYOD Strategy and PolicyDeciding on a BYOD implementation path can be challenging for many organizations.The BYOD journey should begin with the understanding that the strategyneeds to be all-inclusive and balance the risks and rewards for employees andemployers.StrategyEssential to the formulation of a BYOD strategy is understanding employeeroles and how they relate to the use of mobile devices at work. Organizations shouldgroup users into broad categories that consider the kind of work they do on a dailybasis and the necessary IT requirements to support them. Ideally, BYOD should berolled out only to qualifying employees. The strategy should factor in the nature of thebusiness and industry in which an organization operates to identify how it can staycompliant, especially on data security/privacy and usage mandates. It should alsospecify the kind of device configurations, preferred vendors and brands thatsupport the organization’s business needs.An important consideration is balancing enablement with control. This willrequire organizations to decide on the proper application of MDM, MAMand MADP solutions and whether these should be managed in-house orcontracted out to vendors. The transition to BYOD should start only after anorganization assesses the net benefits it expects to realize from the initiative.June 2012 MAKING BYOD WORK FOR YOUR ORGANIZATION 8

Another key element is the cost BYOD entails in setting up new infrastructureand ensuring support for diverse technologies in a non-standard environment.Organizations should also determine the liability they are willing to assume (seeFigure 5), as well as the tax and legal implications of allowing BYOD, especiallywhen reimbursing employee expenses.To support BYOD, organizations also need to prepare enterprise applications towork with the allowed set of personal devices, which entails customizing, developingand updating applications to work with personal devices. Support is another criticalaspect, as employees need anytime, anywhere access to either live agents orself-help tools. A mix of sourcing, automation and strong technical customersupport is essential to a robust BYOD support model. A successful strategy willensure that IT and the business units agree on how to approach the BYOD program.Companies should consider a middle path between the two extremes of thecomplete freedom that employees desire and the full control thatorganizations seek over personal device work usage. A flexible and scalablestrategy will better accommodate the growing demand for BYOD, given the rapidlyevolving device technology landscape.PolicyImplementing the BYOD strategy is only possible with a comprehensive policy.To develop an effective policy, organizations need to define and understand factorssuch as:Which devices and operating systems to support.Security requirements based on employee role and designation.The level of risk they are willing to tolerate.Employee privacy concerns.Employee demand for freedom in how they work and use technology hasserious ramifications for IT environments. This demand is altering ITdepartments’ traditional structure and scope of control. Understanding this alteredEmployee vs. Company Liability• Better control over devices canbe applied (blocking ofmarketplace applications, etc.)• Better security• Comparatively easier forenforcing policy andcompliance• Need for application licensemanagementCorporateLiable,CappedExpenseIndividualLiable,No/CappedExpenseCorporateLiable,CompleteExpenses PaidIndividualLiable,CompleteExpenses Paid• Reduced IT overhead• Reduced device procurementcost (Cap-Ex)• Better choice of device• Challenges in deployingcorporate applications due tonon-standardization of OS• Better control over expenditure• Reduced device running cost (direct Op-Ex cost)Corporate liable devices are recommended for environments with higher data security risks (e.g., financial services);individual liable devices are recommended for environments with lower data risks (e.g., education).Source: CognizantFigure 59 FUTURE OF WORK June 2012

environment will give organizations a better idea of what to consider while draftingBYOD policies (see Figure 6).BYOD Policy FrameworkA comprehensive BYOD policy is an essential component of a successful BYODprogram. An effective policy should include the following:Devices» Scalability of devices: Flexible guidelines need to determine which devicesare evaluated on an ongoing basis, particularly as new devices, platforms andoperating systems emerge and employee expectations evolve.» Device criteria: Comprehensive evaluation criteria need to specify whichdevices are allowed and how employees will be notified that their devicessatisfy that criteria.» Supported configurations and platforms: Customized user agreementsshould account for the varied combinations of devices, the platforms theyrun and the regulatory requirements specific to the region(s)/industry(s) inwhich the organization operates.» Device certification: A methodology is needed to evaluate and certify adevice. The policy should provide a list of compliant and preferred vendorsfor sourcing devices and licensing for core applications required.» Device support: A clear statement needs to detail how employee-owneddevices will be configured, which applications will be supported and thetype of support that will be provided. If the company wants to encourage a“self-support” culture, it should provide self-help/support tools to users.» Security: The organization needs to define its stance on how corporatedata will be retrieved and wiped in case of device loss or theft, as well as therights it reserves for dealing with corporate data and applications. It shouldoutline restrictions on usage of device features such as cameras, storage andrecording functions and should stipulate the use of anti-virus and malwaresoftware and the frequency of updates.Defining BYOD PoliciesPolicy Element Traditional IT Policy BYOD PolicyDevices, deviceconfigurations andoperating systemsMobile applicationsand dataStandardized.Full command and control over dataand apps.Complex and heterogeneous.Limited control over corporate partitions, data and apps.Device tracking andmonitoringFull IT control over evaluating howdevices are used, with no expresspermission required from users.Clarification of how devices are tracked and monitored, as well aswhich portion of the devices and data will fall under the policy’spurview.Cost reimbursementNo provision for reimbursement ofcompany-owned device costs.Definition of who pays for what, based on an understandingbetween employees and employer.Figure 6June 2012 MAKING BYOD WORK FOR YOUR ORGANIZATION 10

Users» Eligibility: Eligibility requirements need to be created, as well as the criteriaused to establish eligibility. Role-based restrictions regarding access tocertain applications and data should also be clearly stated. Organizationsshould describe the procedure for obtaining approval for using personaldevices.» Acceptable usage: Employees should be required to understand theirresponsibilities with regard to acceptable use and minimum deviceconnectivity requirements. The policy should encourage employees toprioritize business-related use when they are at work.» Compliance and governance: Communicate non-compliance to users andoutline the remedial actions they can take to be compliant. Organizationsshould get executive buy-in for the BYOD policy and involve all relateddepartments, such as HR, finance, legal and operations, apart from IT.» Ownership and liability: Guidelines must be clarified on who owns the deviceand the data. These should define liabilities related to loss of corporate datastored on personal devices, as well as the liability the organization is willing toaccept for affecting personal data due to the management of corporate dataand apps.» Reimbursement considerations: The organization needs to define its stanceon reimbursement. The extent of reimbursement (full, partial), the limits(allowed expenses, maximum amount), the frequency (one-time, monthly,yearly) and eligibility (based on role) will help guide the organization whenformulating its stance.» Policy violations: The company needs to prescribe actions in the event ofviolations of policy guidelines.Implementing BYOD PolicyA clear policy on the types of devices allowed as part of a BYOD program helpsorganizations attain a certain level of standardization and allocate the necessaryDefining User Profiles and Their NeedsKnowledgeWorkersExamples Typical Work Pattern IT RequirementsScientists, designers,statisticians• Rich user experience, with multiplecomputer applications and toolsrunning locallyOffice Workers Admins, HR, finance • Routine workflows, with multiplecomputer applications and toolsrunning locallyExecutive &Mobile WorkersTask WorkersContractWorkersSource: CognizantFigure 7Function heads,sales repsCall center reps, retailagents, factory workersExternal contractors,third-party collaborators• Similar to knowledge/office workers• Offline computing• Anytime, anywhere access• Simplified and streamlineduser experience• No requirements to savedata locally• Local and remote access• Data security and compliance• Flexibility to access multiple desktop computers• Application-specific security and regulatorycompliance efforts• Data security and compliance• PC integrity• Application-specific security and regulatorycompliance efforts• Data security and compliance• PC integrity• Application-specific security and regulatorycompliance efforts• Offline access to files and data• Data security and compliance• PC integrity• Highly controlled environment• Low-cost hardware solution that maintainshigh user productivity• Data privacy and confidentiality• Low-cost hardware solution that maintainshigh user productivity11 FUTURE OF WORK June 2012

infrastructure to support the devices. Customized policies mapped to the roles ofusers and their dependence on the devices will be an effective way of limiting risk.Segregating users into broad categories such as mobile workers, office knowledgeworkers and task workers will help organizations better understand their needs andprovision the appropriate IT requirements accordingly. The policy should considerthe role, the kind of work performed and the mobility needed to determine thecapabilities required of a personal device. For example, a senior executive is morelikely to use a tablet to review and approve work, while a designer or an engineerwill prefer a desktop or a laptop. Organizations can derive insights from the BYODimplementations of early movers and absorb the best practices into their policies.Transitioning to BYODBYOD is transforming traditional end-user workspaces by unshackling thedependencies of employees tied to a physical location, a rigidly configured device,OS, applications and user states and allowing them to work from anywhere, accessingapplications and content using myriad device configurations. Organizationslooking to profit from a BYOD setup should ensure that employees have the rightvirtual workspace from any device and a productive work and collaboration platform,while ensuring effective security for corporate information and ease ofaccess.To do so, organizations should deconstruct traditional workspaces and decouplethe dependencies among hardware, OS, applications and user states found intraditional desktop configurations. By isolating and centralizing operating systems,applications and user data and state, users can access data and apps from anydevice, from anywhere, and organizations can manage and monitor apps andcorporate assets efficiently. Once they have categorized employees into broad poolsbased on their work and IT requirements, organizations can stream the right set ofuser profile, data and applications on-demand, at the right performance levels andon any device, securely (see Figure 7, previous page). Taking a pilot approach toBYOD, organizations can establish the reference architecture for an “any device,anywhere access” model.Transitioning to the BYOD ModelInvestmentROI Analysis• Baseline current TCO• Identify one-timeinvestments• Assess ongoing costwith new model• Go/no-goNew SetupImplementation• Build enablinginfrastructure forsolution identified• Finalize sourcingoptions• Define newsupport modelEmployeeOnboarding Process• Define trigger foronboarding• Define policies• Create implementationchecklist• Create communicationplansCreating a compliance audit framework to ensure successSource: CognizantFigure 8June 2012 MAKING BYOD WORK FOR YOUR ORGANIZATION 12

Organizations currently have only two choices when it comes to BYOD – adopt itnow or later. A transition to the BYOD model should occur in a phased manner(see Figure 8, previous page).First, organizations should analyze their return on the investment of enablingand supporting BYOD. They need to consider the costs of setting up the requiredinfrastructure, one-time investments in MDM, MAM and MADP solutions,supporting the program and reimbursements for device purchases. Looking atreturns over the long term and the possible value-additions from such a programwill be a better yardstick to measure the ROI.Second, they should examine the current infrastructure that is designed tosupport corporate-issued devices and bolster it with the additional capabilitiesrequired to support BYOD programs. Organizations should be proactiveand recommend to employees the ideal devices and platforms that can quicklydeliver the desired benefits. Organizations should ideally recommend preferredvendors and discounted pricing contracts for devices and apps to help minimizecosts.Lastly, a critical step is that the employee onboarding process should be smoothand simple.The Future of BYODBYOD introduces a multitude of challenges; however, organizations should treat thisas an opportunity that can yield significant benefits, both tangible and intangible.The key is to approach BYOD in a holistic fashion to address employee expectations,while ensuring business requirements are met related to security, compliance andrisk minimization. The need for agility and speed will more rapidly transform therole of IT from a support function to a strategic, business-enabling function.Successful organizations will take a proactive approach to embracing andmolding BYOD for competitive advantage and the agility to outmaneuver thecompetition. Creating obstacles to BYOD will be futile as empowered employeesare provisioning their own technology anyway. Younger employees and thosewith a millennial mindset find it hard to draw the line between their personal andprofessional lives and seek the flexibility and ease-of-use that their personal devicesprovide. Implemented with the right strategy, BYOD can:Empower employees to improve their productivity through their choice ofdevices and collaboration styles.Ensure security of corporate data while complying with corporate mandates oncompliance, risk management and privacy.Deliver cost savings with minimal IT support for employee-owned devices.Simplify IT by running any app, anywhere, on any device.13 FUTURE OF WORK June 2012

Footnotes1“2011 Consumerization of IT Study: Closing the Consumerization Gap,” IDC, 2011,http://www.unisys.com/unisys/ri/report/detail.jsp?id=1120000970016710178.2“Good Technology State of BYOD Report,” Good Technology, December 2011,http://www.good.com/resources/Good_Data_BYOD_2011.pdf.3Health Insurance Portability and Accountability Act.4Payment Card Industry Data Security Standard.5Gramm-Leach-Bliley Act.6“Cisco 2011 Annual Security Report,” Cisco, 2011, http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf.ReferencesTom Kaneshige, “BYOD: Five Hidden Costs to a Bring-Your-Own-Device Programme,”Computerworld UK, April 2012, http://www.computerworlduk.com/in-depth/mobilewireless/3349518/byod-five-hidden-costs-bring-your-own-device-progamme/.“Bring Your Own Device: Agility Through Consistent Delivery,”PricewaterhouseCoopers, 2012, http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/byod-1-25-2012.pdf.“Best Practices to Make BYOD Simple and Secure,” Citrix, March 2012,http://docs.media.bitpipe.com/io_10x/io_104481/item_530202/BYOD%20Best%20Practices%20Guide.pdf.“Leaders in Enterprise Mobile Strategies: Tug of War Between Business Valueand Risks,” SandHill Group, November 2011, http://sandhill.com/reports/leaders-inenterprise-mobile-strategies-tug-of-war-between-business-value-and-risks/.Cimarron Buser, “How Workers Can BYOD Without Risking Data, Networks,”Mobile Enterprise, August 25, 2011, http://mobileenterprise.edgl.com/howto%5CHow-Workers-Can-BYOD-Without-Risking-Data,-Networks-75175.“Mobile Virtualization Offers Enterprises a Way to Embrace the Consumerizationof IT, According to New Research from IDC,” IDC, June 7, 2011, http://www.idc.com/getdoc.jsp?containerId=prUS22864311.James Staten and Alex Cullen, “BT 2020: IT’s Future in The Empowered Era,”Forrester Research, January 2011. http://www.forrester.com/BT+2020+ITs+Future+In+The+Empowered+Era/fulltext/-/E-RES58156?docid=58156.June 2012 MAKING BYOD WORK FOR YOUR ORGANIZATION 14

CreditsAuthor and AnalystAala Santhosh Reddy, Senior Research Analyst, Cognizant Research CenterSubject Matter ExpertsJeff Wallace, Assistant Vice President and Cognizant Mobility Practice LeaderTim Rose, Associate Director, Cognizant IT Infrastructure Services Product ManagementAnindo Sengupta, Associate Director, Cognizant IT Infrastructure ServicesDesignHarleen Bhatia, Design Team LeadSuresh Sambandhan, DesignerAbout CognizantCognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process out sourcing services, dedicated tohelping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passionfor client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodiesthe future of work. With over 50 delivery centers worldwide and approximately 140,500 employees as of March 31, 2012, Cognizant is a memberof the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growingcompanies in the world.Visit us online at www.cognizant.com or follow us on Twitter: @Cognizant.

World Headquarters500 Frank W. Burr Blvd.Teaneck, NJ 07666 USAPhone: +1 201 801 0233Fax: +1 201 801 0243Toll Free: +1 888 937 3277inquiry@cognizant.comIndia Operations Headquarters#5/535, Old Mahabalipuram RoadOkkiyam Pettai, ThoraipakkamChennai, 600 096 IndiaPhone: +91 (0) 44 4209 6000Fax: +91 (0) 44 4209 6060inquiryindia@cognizant.comAustraliaCognizant Technology SolutionsAustralia Pty LtdLevel 1514 Martin PlaceSydney, NSW, 2000AustraliaPhone: +61 2 9223 3988Fax: +61 2 9233 5315inquiryaustralia@cognizant.comHong Kong62/F, Suite 6201, The Center99 Queen’s RoadCentral, Hong KongPhone: (852) 2273 5393(852) 2273 5395Fax: (852) 3965 3222inquiryhk@cognizant.comSingaporeCognizant Technology SolutionsAsia Pacific Pte Ltd80 Anson Road#27-02/03 Fuji Xerox TowersSingapore, 079907Phone: +65 6324 6672Fax: +65 6324 4383inquirysingapore@cognizant.com© Copyright 2012, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means,electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject tochange without notice. All other trademarks mentioned herein are the property of their respective owners.