When the Equal Employment Opportunity Commission cut its IT budget last fall, CIO Kimberly Hancher was forced to trim the agency’s BlackBerry budget by half. Her options: Take everyone’s BlackBerry away halfway through the year; allow half the staff to keep their devices, but confiscate the other half; or let employees bring their own devices to use at work.
Hancher chose to start a bring-your-own-device (BYOD) program and, she says, the staff couldn’t be happier.
“The word in the hallways is that the BYOD community is very happy,” she says. “Mostly people say they like not having to carry two devices. Others say they are slowly getting used to using their iPhones for e-mail, but so far so good.”
BYOD has become one of the top IT trends today, driven by an increasing number of employees who want to use their personal smartphones and tablets to access their work e-mail, applications and data. The advantages are undeniable: For employees, BYOD can improve productivity and increase job satisfaction by allowing them to use the devices they prefer and are most comfortable with. For agencies, it can reduce IT costs.
Some federal agencies have embraced the concept and have either deployed BYOD or are piloting it, but many organizations remain reluctant to take the step because of security, policy, technical or legal concerns.
To support adoption, the government’s Digital Services Advisory Group and the Federal CIO Council released a BYOD toolkit in August that provides initial guidelines. It identifies key issues that agencies must consider and provides examples of policies and best practices that they can use to implement their own program.
The toolkit also cautions that BYOD won’t work for every agency, and that it must support an agency’s mission requirements and the needs of its staff.
BYOD can save money because it shifts the cost of mobile devices to employees. And if the agency doesn’t provide employees a stipend for voice and data services, it also eliminates a recurring monthly bill.
But for most IT organizations, it’s at best a break-even proposition and could end up costing more because of the software and support costs associated with it, says David Willis, vice president and distinguished analyst for Gartner Research.
IT departments not only have to manage and secure their employees’ devices, but they also must provide secure access to agency applications and data, he says.
Early adopters are choosing different ways to implement BYOD. Some, like the EEOC, are using mobile device management (MDM) software to centrally configure, monitor and secure devices and remotely erase data if the devices are lost or stolen. Some are deploying virtual desktop infrastructure (VDI) to provide mobile device users with secure access to network resources, while others are installing a mobile app that segregates government data from personal apps and data.
Each approach is valid, but no one size fits all when it comes to implementing BYOD, says Robert Hughes, CIO of the Treasury Department’s Alcohol and Tobacco Tax and Trade Bureau, which implemented VDI. “Everyone has a different mission. Everyone does things differently and has different starting points,” he says.
Percentage of local, state and federal agencies that allow employees to use their personal smartphones for work
SOURCE: Gartner (September 2012)
While the EEOC is early in its implementation, it’s proving that BYOD can cut IT costs.
In late 2011, Hancher took a two-pronged approach to reducing the agency’s $800,000-a-year BlackBerry budget by half. First, she launched an initial BYOD pilot with 40 users who gave up their government-issued BlackBerrys and started using their own smartphones and tablets instead. At the same time, she audited the agency’s smartphone program, analyzing usage and billing to find ways to lower costs.
Through the audit, she discovered that 75 percent of the agency’s 550 BlackBerry users never used the device to make a phone call. They used the smartphones only for e-mail. She also found a couple dozen devices that were never used and unearthed some billing errors. The service provider had continued to charge the EEOC even though it had canceled service for those users.
Within three months of the audit, the agency had identified $240,000 in cost reductions by eliminating the unused BlackBerrys, consolidating individual phone plans into a shared-minutes plan and getting credit for the billing errors.
BYOD took careful planning to implement. During the first few months, the IT department worked with senior leadership, union representatives and legal counsel to develop security and privacy policies as well as rules of behavior.
To take part in the BYOD program, for example, employees had to agree to keep their devices updated with the latest security patches and not to let family members use their devices, Hancher says. In turn, the agency agreed to respect users’ privacy and to request access to devices only to implement security controls or to respond to discovery requests from legal proceedings.
During the initial pilot, the IT staff standardized on a cloud-based MDM software provider that allows the agency to securely synchronize mobile devices to the agency’s Novell GroupWise e-mail. The MDM software also allows the IT staff to enforce security policies, such as password protection. If devices are lost or stolen, the EEOC can remotely erase all the data or selectively erase only the government data, Hancher says.
With policies and MDM software in place, the EEOC expanded the pilot in June, allowing every employee with a government-owned BlackBerry to take part. So far, 23 percent are taking advantage of the program.
Initial results are promising, Hancher says. Instead of having to spend $80 a month on a voice and data plan for each government-provided BlackBerry, the EEOC spends only about $120 a year on MDM software per user, she says.
Overall, through BYOD and the cost savings from the audit, Hancher has nearly met her budget goals, cutting BlackBerry spending by 40 percent this fiscal year. As the BYOD program gains traction, she’s confident she will attract more BYOD users and reach her budget goals next year.
“Because it took a while to launch the full pilot this year, I’m not going to make my 50 percent, but next year we will make it,” she says.
To reduce startup costs with BYOD, it helps if an agency has necessary IT infrastructure already installed, says Gartner’s Willis. For example, a VDI deployment can cost roughly $600 per user. But if an agency already offers virtual desktops to employees, using VDI to implement BYOD is relatively inexpensive, he says.
The Alcohol and Tobacco Tax and Trade Bureau implemented BYOD by doing just that.
Two years ago, the agency’s desktop and notebook computers were reaching the end of life. But instead of spending $2 million to replace every computer, the agency spent $800,000 to create virtual desktops accessed by thin clients, a savings of $1.2 million, Hughes says.
When the agency’s 500 employees log in through a web browser, the server delivers to their desktops a virtual computer with full operating system, applications and each user’s personal settings, via Citrix XenDesktop VDI software. It looks like a regular Windows PC, but all the processing power is in the data center. The agency equips users with old federal surplus desktop and notebook computers converted to thin clients.
While installing VDI two years ago, the IT staff discovered that an app, Citrix Receiver, allowed users to access the virtual desktop on any smartphone, tablet or computer.
Word spread quickly among employees. They told IT staffers that they wanted to access their virtual desktops through their smartphones and tablets, and the IT staff let them. Hughes had no security concerns because all the data resides on the server and never sits on the mobile devices. “Not having data touch the devices simplifies the policy, legal and security implications and opens up our ability to have a great BYOD program,” he says.
While BYOD is voluntary, about 80 to 90 percent of the staff use their home computers while they telework. Another 10 to 20 percent log in from their smartphones and tablets.
“BYOD was a natural side benefit of implementing VDI,” Hughes says. “My users love it. They tell me they don’t want government property that they are accountable for. They say they bought an iPad and want to use it, so why not let them use the device?”
Percentage of North American businesses that say they are seeing cost savings through BYOD
SOURCE: Gartner (September 2012)
Another way to implement BYOD is through a “containerized” mobile app for communications, which securely separates government data from personal apps and data.
The Treasury Department’s Bureau of Engraving and Printing used the technology to launch its BYOD initiative in late August. The main driver was employee demand. “Several employees came in and asked if they could use their own device so they don’t have to carry two devices,” says CIO Peter Johnson.
The 2,000-employee agency provides government-issued BlackBerrys to 300 users. So far, several dozen employees have turned in their work BlackBerrys to use their personal devices. Because iPhones are more secure than Android smartphones, Johnson limits the program to iPhones.
To manage and secure the devices, Johnson has installed an app from a mobile security software provider that allows users to securely access their work e-mail, contacts and calendar. The data is encrypted and containerized.
Johnson, who does not reimburse users for their voice and data service, expects a return on investment in three months for each user. “The economics are positive,” he says.
While early adopters are already reaping the benefits of BYOD, NASA’s Goddard Space Flight Center, like many agencies, is looking for the right technology and policies to make it happen, says CIO Adrian Gardner. Right now, VDI is his choice.
“VDI is the way to go,” he says. “We don’t have to be as concerned about the device anymore. We can focus on the data, and with VDI, the data is protected.”
Goddard’s IT and Communications Directorate ran a VDI pilot this summer. Next, it will run a proof-of-concept, allowing NASA employees at the flight center and visiting scientists to connect to NASA data using VDI and their personal computers. Within a year, he wants to make BYOD available as a service.
The combination of VDI and BYOD will also let Goddard more quickly set up foreign nationals and students to work for NASA in co-op programs.
NASA Goddard currently collaborates with hundreds of international scientists from organizations such as the European Space Agency and the Japan Aerospace Exploration Agency. But it takes months to approve them and grant them access to NASA’s data center. The flight center is also required to issue them a NASA computer to access the space agency’s IT systems.
“But VDI, combined with a BYOD policy, will reduce the cycle time for IT access from months to days,” Gardner says. That’s because VDI is more secure. IT staff can tailor virtual desktops that provide foreign nationals and students only the specific resources they need, prohibiting access to other NASA data. They can also use their own computers, which will further speed up the process. “It’s better security because we can tailor their desktop library and audit their behavior,” he says.
Before launching a BYOD program, Gardner says the IT directorate needs to work through policy issues, such as the right to confiscate a device for legal proceedings and how much of a monthly stipend the organization should pay employees.
While it’s unclear whether the flight center will actually save any money from its BYOD program, Gardner believes there is a return on investment from improved services.
“This is about access and meeting the needs of our customers,” he says. “We will save users days and months from the standpoint of gaining access to our network.”