Personal phones and business use
The increasing consumerization of IT is a popular meme these days. Consumers have access to and employ more cutting-edge software and hardware than is typically provided by the companies they work for, and thus they are more likely to employ their personal hardware and software for business uses (rather than the previous pattern, where people were more likely to also use their business hardware and software for personal activities).
By and large companies are receptive to this trend. Many of them, such as Citrix, are actively exploring having employees bring their own computers (ByoC) as a source of cost savings. Giving employees a computing stipend and having them choose and maintain their own computer is cheaper, these companies believe, than buying and maintaining it for them.
This trend is particularly strong for smart phones (and tablets), because companies typically provide smart phones for only a small subset of their employees. The increasing popularity of smart phones in the consumer space means that more and more company employees have highly capable computing devices in their pockets that they might use for business with minimal cash outlays from their employers. More employee productivity at minimal cost.
However, there’s a small problem. Companies like their systems and infrastructure to be secure, so they’d rather not have unprotected (and occasionally lost) smart phones wandering around storing company data and serving as access points through the firewall. So what do companies do if they want to protect themselves while also leveraging their employees’ mobile devices?
Currently companies don’t have a lot of choices. They can put security around individual applications or web services, but that doesn’t help much if the device itself is compromised. They can lock out the devices completely, but then they’re missing out on potentially low-cost productivity gains. Or they can leverage what security mechanisms are provided by the devices, which means requiring a device password.
While the latter might seem like a good idea in theory (shouldn’t users want to protect their own personal information on their devices?), it’s problematic in practice. Companies tend to want longer and stronger passwords (8+ characters, alphanumeric) than users (4-digit PIN). It takes most users 5-10 seconds to type in an 8-character password, and if you’re only using your phone for 50-60 seconds that’s a significant percentage of your interaction time (unlike with laptops, where the time required to authenticate is amortized across more sustained use). As a result, we’ve seen that the vast majority of users (~85%) either avoid corporate device passwords, or try them out for a short period and then give up on them.
The problem isn’t just the time required to authenticate, it’s that most smart phone uses are non-business uses. A person only has to say “hold on, I have to log into my phone before I can take your picture” so many times before they give up on the password (and thus business information access).
The way toward a solution seems straightforward: allow sandboxing of groups of applications and their information at an operating-system level. Then let businesses leverage that capability to create a business sandbox with strong security on users’ personal phones. People are generally more than willing to put in a password to access business functionality: it’s the death of 1,000 cuts of authenticating to check the weather or see where the train is that kills them.
Unfortunately, none of the mobile OS providers really seem to be pushing that hard on this space. That’s understandable for Apple: they’ve always been a consumer-focused company. But I have to confess that I had higher hopes for Google; after all, they at least have an enterprise division that’s in theory focused on offering services to companies. But to date Apple has actually gone further than Google in providing at least some enterprise support in their mobile OS.
Until Google raises its mobile game for enterprises (or until Apple gets there, which isn’t entirely impossible – they are further ahead at this current point in time), there are at least some signs that other third parties may be starting to fill the gap. Enterproid’s Divide platform is the most intriguing I’ve heard about: they allow you to create separate work and personal profiles for your phone and then switch between them based on your needs and context. I haven’t had a chance to try it, though, so I have no idea how well it really works in practice (and how well it actually secures the business profile). But it seems like at least a step in the right direction, which is more than I’ve seen so far from the OS providers.
Until we see more progress in the space, I suspect the use of personal phones for business will remain more of the exception than the rule.