The BYOD Struggle: From Writing Custom Apps to Defining Security

Companies are grappling with the question of whether and how to let employees use their own smartphones and tablets at work even as a huge push is being made to set up internal "app stores" of approved and custom-built corporate mobile apps.

"We identified our needs, and we're planning on custom mobile apps," says Lincoln Cannon, director of sales and marketing technology at Utah-based Merit Medical Systems, a maker of medical equipment. The company has few reservations about allowing employees to use Apple iPads, including their own, to present information to business customers and allow access to cloud-based services, such as Google Docs, where product-related documents and videos are placed. While a few apps from the Apple App Store have worked out, the business has determined that to really gain the functionality it wants on the iPad to synchronize with its salesforce systems, it needs to design some apps on its own.


Merit Mobile is the first in-house customized app the technology team came up with for Apple iOS 4.0, for the salesforce group. "They open the app and it checks whether new content is available," Cannon said. It's typically used to download new content overnight so the latest information in the form of brochures, videos and more is ready for them in the morning.

This is just the first of what's expected to be more apps tailored for mobile use, says Cannon. Having to get an Apple software developer's license and certificate for designing apps was "a little time-consuming" and "painful," he notes. But in the future, if the coding is done in HTML5, there won't be the need for the Apple certificate, he adds.

Merit Medical is hardly alone in its decision to build custom apps. According to the Symantec 2012 State of Mobility Survey of 6,275 technology managers in the private and public sectors in 43 countries, 71% "are now looking at implementing a corporate 'store' for mobile applications." The report notes that 11% have already set up an internal app store for line-of-business applications.

Others in the healthcare industry are under pressure to figure out a suitable mobile strategy, and finding one seems to be far more difficult. At Kaiser Permanente, with medical groups and health plans and more than 150,000 employees, IT security has held to a traditional discipline of tight controls that eschews the idea of employee-owned mobile devices.

"The security group has set definite standards," says Mark Kadrich, senior security architect at Kaiser Permanente, who says his role is to help define strategy in cooperation with a separate security group responsible for ongoing operational needs. If outsiders, such as contractors, need to connect to the Kaiser network, they have to use the Cisco Connect VPN client for Wi-Fi, for example.

But the great debate in recent months between bring your own device (BYOD) and corporate-owned mobile devices has now taken center stage.

"The clinicians were pushing to get iPhones and iPads, and the security group was pushing back," Kadrich says. Executive staff decided to tackle the BYOD question by setting up a Mobile Center of Excellence staffed by Kaiser employees to identify standards for what might be accepted use of Apple iPads and Google Android devices, including employee-owned ones. Several hundred iPad and Android tablets are now undergoing pilot tests as software and security needs are explored.

Kadrich acknowledges having strong reservations about the idea of BYOD, based on both cost and security. Mobile-device management (MDM) software is often viewed as a way to have some control over these devices for inventory and remote-wipe purposes, but Kadrich remains skeptical. "I'm not convinced MDM is cost-effective or appropriate," he says.
