Platt Perspective on Business and Technology

Navigating the bring your own tech puzzle – 1: building a framework for understanding and managing this emerging trend

Posted in business and convergent technologies, HR and personnel by Timothy Platt on December 1, 2011

I have been posting on issues related to this topic for quite a while now, in effect developing what I would write here by nibbling at the edges of the larger story.

There is a lot to be said for building an information technology infrastructure that is consistently structured and assembled from standardized, vetted building-block elements, for both hardware and software. This makes for ease of maintenance at all levels. New instances can be set up from a standard model and customized from there if and where necessary, according to a plan and policy that is well understood. Tech support can focus on a standardized platform and correct back to it, instead of facing a novel, one-off configuration every time they are called in to fix something. At least in principle, and at least by the traditional view of cyber security and risk remediation, standardizing on a known hardware and software platform supports a standardized, better understood defense in depth: network-based firewalls and other systems-level components, integrated defenses added to individual servers and other back-end hardware, and defenses on end-user computers and other hardware too. That is the standard model, and I write from personal experience that following this approach makes the help desk a tremendously easier service to manage and holds real potential for limiting downtime for individual end users when something does break.

In contrast, and even in stark contrast to that, I have written about the positive virtues of systems and technology diversity, which limits the possibility that entire systems might be vulnerable to a single well-crafted attack. In this regard I cite two postings I added here a number of months ago: Monoculture and Ecological Diversity as a Paradigm for Modeling Cyber Risk Part 1 and Part 2. My goal there was not to argue that every employee should have a unique combination of hardware and software in place when doing work for their employer, but rather to note the value of carefully considered diversity in limiting systems-wide vulnerability to any one cyber-challenge.

So I have set up two alternative visions, and I acknowledge here that both are at risk of being rendered meaningless when real-world users start using real-world information systems, regardless of corporate policy and regardless of how that policy is presented to employees or enforced.

In the real world, as soon as employees have access to the internet they will start downloading and installing software on their systems. They will bring in flash drives and put their family photos on their work computers as screen savers. Thin-client server systems can limit this tremendously for desktop computer interfaces into the overall business information system. But as soon as laptops, tablets and other, even more portable devices are added to that system, it becomes vulnerable again to Trojan horse and related attacks. And in the real world, real end users do customize the computer resources they use and make them their own, just as they personalize their cubicles or offices. So paradigm one, above, becomes an unattainable goal.

And given our reliance on standardized, even globally adhered-to connectivity standards and protocols that are designed to limit or even eliminate the impact of end-user hardware and software differences, starting with the internet itself, implementing controlled diversity becomes a challenge too. In practice, the most accessible parts of a system for creating and managing diversity may be areas such as the security layers of the protocol stacks, which are explicitly designed to permit controlled diversity. And of course end-user customization enters in here too, taking the control out of controlled diversity, or at least limiting the potential to exercise it. With that, paradigm two as noted above becomes a less than fully attainable ideal-systems goal as well.

This is all about due diligence and risk levels, and it is quite possible for a business or organization to pursue either the traditional standardization approach or the controlled diversity approach long term and not get burned as a result. But there are risks involved, and data derived from studying other, comparable systems and approaches, and how often they are attacked and attacked successfully, can provide at least a basis for risk assessment statistics and risk determination. The goal is to find a cost-effective balance that limits known and knowable vulnerabilities. None of this, of course, accounts for the possibility of zero-day attacks and the unknown vulnerability, unknowable until it has been found to have been exploited. These just serve to keep the due diligence and risk assessment statistics fluid and uncertain, as does the steady and ongoing influx of new technology into information systems: software updates and patches, new software, and the ongoing introduction of new hardware as well.

With this, I lay out a basis for understanding and discussing a rapidly emerging phenomenon in which employees bring their own technology to work and into the workplace. This phenomenon will not go away; it will simply grow to become the new normal. Our ever-increasing capacity for ubiquitous computing and communications will drive that, along with the increasing availability to all of us of inexpensive, highly portable, interconnectable hardware and software, and the way that our work/life boundaries are blurring.

We will bring our own hardware and software to work with us because we will bring our work with us out of the office and out of the traditional work setting as we connect into that from what has more traditionally been our life outside of work. And we will want to bring our own technology into the workplace too, and certainly for our tablet computers and smart phones and our other more portable devices that we always have with us.

I am going to follow up on this posting with a continuation piece that will build on this foundation, drilling in detail into the issues inherent to the bring your own tech movement.

You can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time, and as this relates to employee conduct and standards you can also find this and related postings at HR and Personnel.
