As you know from my previous blog, Cisco IT has just crossed the 50,000 mobile device deployed milestone – a mix of iPhones, Android and Blackberry devices. We are thrilled with our progress and believe there are two factors that have driven our success:
- Using our IT Mobility support services community in Cisco Quad (our internal collaboration platform) to allow employees to use their personal devices at work. Our Mobility Community is a more robust, user-friendly, self-support platform – it is the second most popular community in Quad. This has resulted in a year-over-year increase of 59% of devices deployed, and a 33% increase in employee usage while reducing costs by 24%!
- Deploying mobility within the context of a “trusted device.” As we all know, we in IT don’t worry so much about the endpoint device, but rather about issues like network operations, compliance operations, network engineering, applications and, of course, security.
So let’s talk about security. With the growing popularity of bringing mobile devices (smart phones and tablets) to work – a trend now attractive to both companies and employees – one of the biggest challenges for IT departments is how to ensure these devices are secured.
Cisco – like any other enterprise – has had to grapple with how to enable BYOD yet still keep intellectual property and other content and communication private and secure. The key concern is that IT departments have very little knowledge about these personal devices. For example, we don’t know what software is used, what (if any) security the user has on the device, such as whether there is a pass code set or encryption enabled. So, naturally, there is a concern about allowing these devices to connect to a company network. It would be very easy for a lost or stolen device to fall into the wrong hands. Additionally, while mobile devices do not pose a great threat from viruses or malware today, this is also a risk and one that will only escalate over time.
To enable BYOD, Cisco has established a flexible model to support mobile devices. The more network access we enable, the more security we apply to the device.
For mobile access to email, calendar and contact we require the following set of security controls. The user is required to use a device PIN pass code – and if the device hasn’t been touched for 10 minutes, the user will have to log in again. We also have a remote wipe capability – if the device has been lost or stolen, we can delete all of the data on the device, removing all confidential information. Finally, if an incorrect PIN is entered more than 10 times, the device will wipe itself. This combination of settings ensures that data on the device is kept private. These policies apply to all devices accessing email – smart phones, our Cisco Cius and other tablets.
For employees who want to connect to the Cisco network, use our Integrated Workforce Experience powered by Cisco Quad (Cisco’s collaboration solution), or connect to the Intranet, we require additional security. Employees must register their device and provision Cisco AnyConnect using our Mobile Device Management solution. This process is fully automated and allows us to consider it a “trusted device” – where we know who the user is, what applications are used, whether the pass code is set and if encryption is enabled, and whether the device has been compromised. Today, this is available with iPhones and iPads, and we are currently working to make it available on all Android devices.
Finally, a note about communication: it’s important to educate our employees on why we require security settings. Once they understand the risks they are more willing to accept settings that may be seen as interfering with their device. Security must be a balance; if security settings are too restrictive then users will not adopt the service.
Security and mobility can be a tough policy to own – telling your very large workforce that you aren’t going to allow them to use and access the company network without security can be a tough message. But it is critical nonetheless.