Saturday, April 18, 2009

ATR: Bring Your Own Computer

One of the scariest trends in corporate America these days is the movement towards "bring your own computer". The Day Job has been looking at this for a while, I just had some correspondence with an attorney for a large manufacturing concern, and one of my RIM colleagues with a Fortune 100 company mentioned it in an email.

"Uh, Pat", you ask, "thousands of people are being laid off every week and you think that THIS is scary?" Yes grasshopper, this is also scary.

The trend that I'm observing is that IT departments are under tremendous pressure to cut costs. Computing infrastructures have grown so large that "KTLO" (keeping the lights on) costs -- effectively the costs to just make sure nothing dies in the computing environment -- continue to grow even when the organization is shrinking. Couple in with that the high costs of supporting the desktop and laptop computing infrastructure (with the planned obsolescence of hardware and software), and IT departments are having a heckuva time finding ways to make meaningful cost cuts in order to free up money for investment in new technologies that will add value to the business.

So if you read ARMA's journal, Information Management, you know that one of those cost savings trends is "cloud computing" -- the movement to hosted applications and data storage. And if you read my article, you know my position there. The other alleged savings opportunity is the movement to requiring employees to purchase and support their own computing hardware and software. I call this "Bring Your Own Computer" or BYOC.

The premise is that a company can write a check to an employee, have the employee purchase the box that they want to use, and it is win-win for everyone. That check is less than it would cost to purchase and support the hardware. The company doesn't have to have a fleet of spares. And the IT department doesn't need a platoon of desktop support guys and gals. The employee can buy a Mac or an Alienware or whatever cool computer they want. Everyone's happy.

Uh huh. Everyone but me. Why? False economy is at the top of the list. I work in the midst of a herd of uber-nerds (something way beyond the "Nerd Herd"). These guys can make a computer sing. For the most part, they get the company laptop and then rebuild it to their specifications, adding software, tweaking features, etc. So these guys know how to make a computer work and what to do when something goes wrong. We're a pretty cheap group to support because most computing nerds either know how to diagnose and fix computer problems or they don't want the local desktop services person to have to understand what they have done to the standard corporate computing build. The problem with that is that a computer problem can suck up hours of productivity for these guys. A rebuild for many of them means days of futzing with the computer, even when they have taken steps to have disk images staged, backups, and all of their software. Some things just take time. So what might be a day of lost productivity for someone who blows up a computer and has to wait for the desktop guys to reimage to the corporate standard, can be several days for someone doing it themselves, even when they know what they are doing.

Now, add in the factor that most employees have not mastered the art of diagnosing and fixing their computer's maladies. I know people that are absolute application wizards -- they can make an Excel spreadsheet that would bring a CPA to tears of joy. But try to explain to them that they have to turn off the corporate proxy setting when they go to Starbucks with their laptop and they stand there blinking dumbly at you, not comprehending a word of what has been said.

I could write a humorous dialogue here about what happens today when your work computer blows up, but I think we all know how that goes... in most cases, you either have a new or repaired computer within a few days, but your IT department brings in a spare for you so you can minimally function for however long it takes to get you back to normal. Some of your time gets lost, but generally it is nothing more than an annoyance.

So flash forward to BYOC... the company has told you to buy a good quality computer that meets certain specifications. They have also told you to buy the super duper 24 by 7, anywhere on the planet support package for your computer. So you do that. The computer blows up. You call. They promise a tech "the next business day", Guy comes out. Doesn't have a part. Too late in the day to FedEx the part, so he'll be back two days later. In the meantime, you have to figure out how you're going to work. You have a PDA, but that just serves to allow you to triage things. Your other home computer belongs to the kids or the spouse. You pry the kids off of the computer and find out that when you try to connect to the corporate VPN, you get bounced out because that computer is full of spyware and viruses. Or doesn't have the correct setup. Or whatever. And it's a desktop, so you can't schlep it to the office anyway. You've played by all the rules and you have no way to work. Now what?

So there are two points of view here... For corporate bean counters, BYOC is seen as akin to the tradesman or mechanic who purchases his or her own tools and brings them to work. The analogy is that in this day and age, a computer is the cubicle dweller's set of tools and the employee should take responsibility for purchasing and maintaining those tools in order to function in the modern world. So with that analogy, I expect to see the big Snap-on Tools trucks parked outside of the office any day now, with a full offering of computer hardware and tech services.

The other point of view is that the analogy doesn't work. If I am a carpenter and my hammer breaks, I usually have a backup hammer or can borrow a hammer from another guy for a little while. Worst case, I can run down to Home Depot and pick one up at lunchtime. While a good hammer does cost a few dollars, it won't break the bank. Additionally, I don't have to do much to make the hammer work. I don't have to customize the grip or install a laser sight or register the serial number. I just pick it up and bang away. And most hammers don't require technical support. So while a carpenter or a mechanic may have thousands of dollars of tools to purchase and maintain, the failure of any one tool generally does not amount to much more than a small inconvenience -- and one that can be solved, in most cases, by a trip to the store. A computer failure amounts to the simultaneous failure of the entire toolbox -- my hammer broke, so now I can't use the cordless drill. And the problem with the computer is, you often don't know if the hammer or the drill is the cause of the failure.

Now in talking to people who advocate BYOC about this issue, they are usually able to get their heads around it and explain that they have contingencies and no one will get fired because their BYOC computer vendor failed to perform. (By the way, those contingencies add cost back in to the program.)

So enter the other problems...

I believe that another driving factor in the BYOC movement is the fact that many (if not most) employees in Corporate America do not see their work computer as exclusive property of the employer. After all, it is a "personal" computer, right? So the logic goes, "Well, if they are going to treat their work computer as primarily a personal computer, then let's allow them to bring their personal computer to work and use that as a work computer."

I know plenty of people who do not own their own computer at home. Or, if they do, the kids and the spouse use it most of the time. So iTunes gets installed on the work computer, then TurboTax, then they see if World of Warcraft will work, then... You know the drill. Pretty soon, the work computer is the employee's only real computer. Corporate bean counters hate that. IT departments really hate that. Corporate lawyers REALLY hate that. It becomes a very logical evolution to simply turn that approach on its head. Allow the company to carve out a little space on the employee's computer.

But within this particular issue comes problems of data privacy and e-discovery. In today's world, the theory is that regardless of what you may have put on the company's computer, it remains the company's property and you should not expect privacy (ok, there's a not so small matter of Europe in that regard, but you know what I mean). So when the company is conducting an investigation or has to collect data for litigation, the employee needs to give up their computer. And generally, that isn't a problem. We ignore the personal stuff for the most part, gather what we need, and hand back the computer... unless there is something really bad on the computer. You can insert whatever horrible nastiness you'd like in this scenario. If we find it, we have to do something about it. The employee will not like the outcome and often thinks we've over-stepped, but at the end of the day, the computer belongs to the company and the company has set out policies for use.

So switch things around. Now the computer belongs to the employee. We (the employer) have content on that computer at the employee's consent. Now perhaps the employee signed an agreement of some sort that allows the employer a bit more intrusion. But at the end of the day, the computer belongs to the employee. Now things get interesting. I can't (and won't) go into great detail here, but most information security and computer forensics teams have considerable capability to be very quietly intrusive into computing resources. If a company has intellectual property or trade secrets to protect, it has to take defensive measures to protect that information. When something happens, we have to very thoroughly look at what has been going on inside that computer to determine if a subject of interest is a bad actor or innocent. When the company owns the environment and the resources, we have a lot of capability. But that capability stops at the employee's physical and virtual property line unless the employee allows us to do our thing. What I have learned, since becoming more involved in information security, is that you often need to not tip your hand in an investigation. So if you have to ask an employee for permission to poke around in their computer, you're going to have problems conducting a thorough examination.

So that's the risk for internal investigations. The other issue is e-discovery. Very similar problems. If the company's data is mixed with the employee's personal data on the employee's personal computer, how do we do discovery? And how do we determine which is which? Furthermore, how do we ensure that the employee doesn't retain our information after separation?

So what solutions are in play? Generally, most organizations will look at virtual machine technology. What this means is that you install software that creates, effectively, a computer within a computer. You launch the software, maximize the window, and you are looking at a new desktop. The company creates this environment (or "image") with all of your familiar desktop tools from work. The work data and the applications live inside this "machine", while your personal stuff exists locally on your computer. The virtual machine occupies an encrypted segment of the hard drive and data generally cannot pass from the virtual machine into the personal machine. In addition, the technology will often create a backup image on a corporate server, so data loss is minimized. If the employee is terminated, the company can disable access to the virtual machine. (Most of that is the theoretical thinking on how to deploy the technology. Sometimes compromises have to be made.)

There are still plenty of issues with virtual machine technology, but it seems to be a promising solution that will solve most concerns. A key advantage is that since the virtual machine is backed up to a corporate server, the employee who has a computer breakdown can connect to that image and work from just about any other computer. Their applications and data and environment are all saved. With the employee's "work" environment nicely encapsulated, the e-discovery issues can mostly go away. The internal investigation issues may remain, to some extent.

For all of this to work, however, some additional controls still need to be in place, in my opinion. The company has to have a proper document management system. And that means a central repository where business documents and objects are stored. That system has to include records retention and legal hold capability. That system also has to track access and downloads. The company has to make a clear declaration that the virtual machine environment belongs to the company and the employee is not allowed to do any personal business within the company environment -- and that means email as well.

Now that runs contrary to the "Web 2.0" movement. People are blurring their work and personal lives every day. That's true, but it makes for very messy situations. On the one hand, people want greater privacy; on the other, they seem to want to put everything that they are doing in front of the world... so go figure. Nonetheless, I think that the evolution of the manner in which information is collected for litigation will ultimately require that companies draw very clear lines between what is the company's information and what is the employee's. We have to do that. And we particularly have to do that if the employee is going to be bringing their personal property to work in order to perform their jobs.

2 comments:

PeterK said...

Patrick as usual you hit the nail on the head. When I first saw this blog posting I thought "no way , no how" would any company think of this. Corporate espionage is the hidden problem in our economy. You know that and I know it. I see stories every day where either corporate spies or employees are walking out the door with very important corporate information.

This BYOC is truly one of the worst corporate ideas i've ever heard of.

Patrick Cunningham, CISM, CDPSE, FAI said...

And if you CIO told you that this idea will save the company several hundred million dollars a year, how would you respond? Keep in mind the *real* dollars on the bottom line versus the *potential* losses of IP and litigation-related expenses. The CIO has his or her budget concerns to deal with -- the Legal folks are elsewhere.

I'm not disagreeing with you, but the reality is the budget constraints imposed on IT right now. Penny-wise and pound foolish? Clearly.

Powered By Blogger