Getting to grips with Office 365 Message Encryption

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

As part of my work this week with Exchange transport rules, I needed to recreate another facility that my customer has grown used to in Office 365 – the ability to selectively encrypt emails using keywords.

This one turned out to be relatively straightforward – Office 365 Message Encryption has been around for a while now (it replaced Exchange Hosted Encryption) and I was able to use a transport rule to detect a phrase in the subject or body (“encrypt me please”) and apply Office 365 Message Encryption accordingly. I could equally have done this based on other criteria (for example, I suggest that any message marked as confidential and sent externally would be a good candidate).

So, the rule is fairly simple:

New-TransportRule -Name 'Encrypt email on request' -Comments ' ' -Mode Enforce -SubjectOrBodyContainsWords 'encrypt me please' -ApplyOME $true

Office 365 Message Encryption needs Azure RMS

The challenge for me was that I wasn’t creating it in PowerShell – I was using the Exchange Admin Center and the appropriate options weren’t visible. Office 365 Message Encryption depends on Azure Rights Management Services (RMS) being enabled for the tenant, and in the Exchange Admin Center the action is hidden: it’s necessary to use the More Options link to expose Modify the Message Security…, from which it’s possible to Apply Office 365 Message Encryption.

Unfortunately that still didn’t work and the resulting error message was:

You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.

It seems it’s not just a case of enabling RMS in the service settings. I also needed to run the following commands in PowerShell:

Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

(that’s the European command – there are alternative locations for other regions listed in the post I used to help me)

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
Test-IRMConfiguration -RMSOnline

(check everything passes)

Set-IRMConfiguration -InternalLicensingEnabled $true

With RMS/Information Rights Management (IRM) properly enabled I could create the rule as intended.

Customising the experience

Testing my rule was easy enough, but it’s also possible to customise the portal that recipients go to in order to read the encrypted message.

This is all done in PowerShell, with some simple commands:

Get-OMEConfiguration provides the current Office 365 Message Encryption configuration and to set the configuration to meet my requirements, I used:

Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "markwilsonitlogo.png" -Encoding byte) -PortalText "markwilson.it Secure Email Portal" -EmailText "Encrypted message from markwilson.it"

The tricky bit was working out how to provide the logo file. The -Image parameter expects the raw bytes of the image, not a path, so passing just the filename produces a PowerShell error; Get-Content with -Encoding byte (Windows PowerShell 5.1; in PowerShell 7 the equivalent is -AsByteStream) reads the file into the byte array the cmdlet wants.
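The whole procedure from this post (key-sharing location, trusted publishing domain, self-test, licensing, transport rules and portal branding) pulled together as one script, as an added example that is not from the original post. It assumes an existing Exchange Online remote PowerShell session opened by an Exchange administrator, a logo file at the path given, and that the tenant still uses the Azure RMS-based (legacy) Office 365 Message Encryption set-up described here; newer tenants enable IRM with Set-IRMConfiguration -AzureRMSLicensingEnabled $true instead and do not need a key-sharing location. Only the EU URL comes from the post; the other regional URLs follow the same documented pattern and should be verified before use. The second transport rule implements the "confidential and sent externally" suggestion made above.

```powershell
# Added example (not from the post): enable IRM for Office 365 Message
# Encryption, then create the encryption rules and brand the portal.
# Assumes an existing Exchange Online remote PowerShell session.
param(
    [ValidateSet('EU', 'NA', 'AP', 'SA')]
    [string]$Region = 'EU',
    [string]$LogoPath = '.\markwilsonitlogo.png'
)

# The EU location is the one from the post; the others are assumed from the
# same documented pattern - check current Microsoft guidance for your tenant.
$keySharingLocation = @{
    EU = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    NA = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    AP = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    SA = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
}

# 1. Point Exchange Online at the tenant's Azure RMS endpoint and import the
#    trusted publishing domain (the RMS keys and templates) if not already done.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocation[$Region]
if (-not (Get-RMSTrustedPublishingDomain -ErrorAction SilentlyContinue)) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
}

# 2. Do not switch licensing on until the self-test passes; otherwise IRM is
#    "enabled" but unable to protect or open mail.
$test = Test-IRMConfiguration -RMSOnline
if (($test | Out-String) -notmatch 'OVERALL RESULT:\s*PASS') {
    throw "Test-IRMConfiguration -RMSOnline did not pass:`n$($test | Out-String)"
}
Set-IRMConfiguration -InternalLicensingEnabled $true

# 3. Transport rules. The keyword rule is the one from the post; the second
#    encrypts anything Outlook marked Confidential (Sensitivity header value
#    'Company-Confidential') that leaves the organisation.
$rules = @(
    @{ Name       = 'Encrypt email on request'
       Conditions = @{ SubjectOrBodyContainsWords = 'encrypt me please' } }
    @{ Name       = 'Encrypt confidential mail sent externally'
       Conditions = @{ SentToScope                = 'NotInOrganization'
                       HeaderMatchesMessageHeader = 'Sensitivity'
                       HeaderMatchesPatterns      = 'Company-Confidential' } }
)
foreach ($rule in $rules) {
    if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) { continue }
    $conditions = $rule.Conditions
    New-TransportRule -Name $rule.Name -Mode Enforce -ApplyOME $true @conditions
}

# 4. Brand the recipient portal. ReadAllBytes gives the byte[] that -Image
#    expects and works on both Windows PowerShell 5.1 and PowerShell 7,
#    avoiding the -Encoding byte / -AsByteStream difference.
$logo = [System.IO.File]::ReadAllBytes((Resolve-Path $LogoPath).Path)
Set-OMEConfiguration -Identity 'OME Configuration' -Image $logo `
    -PortalText 'markwilson.it Secure Email Portal' `
    -EmailText  'Encrypted message from markwilson.it'

Get-OMEConfiguration
```

The Test-IRMConfiguration check matters more than it looks: the error in this post ("IRM licensing is disabled") is the friendly failure; enabling licensing before the trusted publishing domain has imported cleanly produces protected mail that recipients cannot open, which is much harder to diagnose after the fact.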

Further reading

Office 365 Message Encryption (and decryption) – steps – understanding, purchase options, configuration, branding and use.

Public key infrastructure explained

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Last week, I was attending a presentation skills course where we had to give an impromptu presentation (well, we had an hour to prepare) on a topic of our choice.  One of my colleagues, Richard Butler, gave his talk on public key infrastructure (PKI) and Richard was the first person who has explained PKI to me in a way that made me go “ah! got it!” because he used a great analogy.

So, I’m going to attempt to repeat it here (with Richard’s permission)… and hopefully I’ll get it right!

Richard’s first point was that PKI is thought of as a security tool, some technology, or something that’s needed to make the network secure. Actually, he suggests, there’s more to it than that…

The first example Richard gives is one of a server certificate (used to ensure that a service can be trusted and that confidentiality is maintained), illustrated by way of border control.

An airline passenger approaches a border (e.g. an immigration desk at the airport):

  1. The border is where the passenger expects it to be.
  2. A border guard wears a uniform, with an insignia (badge).
  3. The passenger recognises the insignia and trusts it as genuine.
  4. The passenger interacts with the border guard to negotiate entry to the country.

A server certificate is similar because it’s presented to prove that the server is who they say they are and is trusted by users accessing its services. The certificate is issued by a certificate authority, just as the border guard’s badge is issued by a government agency.

In Richard’s second example, a certificate is used to provide confidence that you are who you say you are, a process known as authentication. (A signed certificate also gives integrity, and a signature made with a private key supports non-repudiation, but the property the passport example illustrates is authentication.)

  1. As a citizen of a country, I request a passport from my government.
  2. The government validates my request.
  3. If my request is valid, a passport is issued.
  4. When visiting a foreign country, I present my passport at the border.
  5. The government of the foreign country trusts the government that issued the passport to have carried out the necessary background checks that confirm I am who I say I am.
  6. I’m authorised to enter the country.

In this case:

  • The issuing government’s passport authority can be thought of as a certificate authority (CA) or issuing authority (IA) – it’s trusted by other countries to authorise passports.
  • The passport can be thought of as a validated “client” certificate – it is trusted, because the passport authority is trusted (i.e. there is a chain of trust).
  • The government in the foreign country can also be thought of as a certificate authority – it is trusted and authorises the immigration control.
  • As described in the first example, the border guard’s insignia can be thought of as a “server” certificate – it is trusted as the foreign country is trusted to issue certificates.
  • Humans apply logic to the approach and automatically make the appropriate assumptions and associations.

In a public key infrastructure, there’s a hierarchy of certificate authorities:

  • The offline root CA signs requests for subordinate CAs and holds the private key for the root of the chain; keeping it offline limits exposure of that key.
  • A networked, subordinate CA signs requests for clients and servers, and holds its own private key.
  • A certificate distribution point publishes the public certificates of the root CA and the subordinate CA (used by relying parties to check the signatures on certificates they are presented with). It also publishes certificate revocation information, the certificate revocation list (CRL), so that a certificate can be withdrawn before it expires (to use the passport analogy, this might be where a citizen has been denied the right to travel, for example due to a pending prosecution).

Using this PKI a number of interactions take place:

  1. A device creates a signing request and sends it to a certificate authority.
  2. The CA receives the signing request, validates the request, and issues a certificate signed with its private key.
  3. The original device receives the signed certificate and stores it for future use as a client/server certificate.
  4. When a connection to a service is attempted, the connecting device receives a copy of the certificate and validates the name in it and the signature chain back to a CA it trusts, using the CAs’ public keys. If the chain verifies and the certificate has not been revoked, the certificate is accepted as valid.
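The root/subordinate/server chain just described, as an added PowerShell example that is not part of Richard’s talk or the original post. It uses .NET’s X.509 classes (PowerShell 7.1 or later, for the CustomRootTrust chain mode) to build an offline root, a subordinate CA and a server certificate entirely in memory, then validates the server certificate the way a connecting client would: chain back to the one root it trusts, plus a check that the name matches. All names are made up, and revocation checking is switched off because nothing is published to a distribution point.

```powershell
# Added example (not from the post): build root -> subordinate -> server in
# memory and validate as a relying party. PowerShell 7.1+ (.NET 5+).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-CaCert {
    param([string]$Subject, [X509Certificate2]$Issuer, [byte[]]$Serial)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256,
                                     [RSASignaturePadding]::Pkcs1)
    # CA:TRUE plus keyCertSign/cRLSign is what makes this a CA certificate.
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
        [X509KeyUsageFlags]'KeyCertSign, CrlSign', $true))
    $req.CertificateExtensions.Add([X509SubjectKeyIdentifierExtension]::new($req.PublicKey, $false))
    $nb = [DateTimeOffset]::UtcNow.AddDays(-1)
    if (-not $Issuer) {
        # Offline root: self-signed, holds the private key for the root of trust.
        return $req.CreateSelfSigned($nb, $nb.AddYears(10))
    }
    # Subordinate: its request is signed with the root's private key.
    $pub = $req.Create($Issuer, $nb, $nb.AddYears(5), $Serial)
    return [RSACertificateExtensions]::CopyWithPrivateKey($pub, $key)
}

function New-ServerCert {
    param([string]$DnsName, [X509Certificate2]$Issuer, [byte[]]$Serial)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$DnsName", $key, [HashAlgorithmName]::SHA256,
                                     [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
    $san = [SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName($DnsName)
    $req.CertificateExtensions.Add($san.Build())
    $nb = [DateTimeOffset]::UtcNow.AddDays(-1)
    # Steps 1-3 above: the signing request goes to the (subordinate) CA, which signs it.
    return $req.Create($Issuer, $nb, $nb.AddYears(1), $Serial)
}

function Test-ServerCert {
    # Step 4: the client trusts only its own root, is handed the server
    # certificate plus intermediate, and checks both the chain and the name.
    param([X509Certificate2]$Cert, [X509Certificate2]$TrustedRoot,
          [X509Certificate2[]]$Intermediates, [string]$ExpectedHost)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.CustomTrustStore.Add($TrustedRoot) | Out-Null
    if ($Intermediates) { $chain.ChainPolicy.ExtraStore.AddRange($Intermediates) }
    # No CRL here because nothing is published; a real client would check the
    # distribution point (Online or Offline mode) so revoked certs are refused.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    # GetNameInfo returns the SAN DNS name when present; wildcards and multiple
    # SANs are not handled here - production code should use MatchesHostname.
    $nameOk = $Cert.GetNameInfo([X509NameType]::DnsName, $false) -eq $ExpectedHost
    [pscustomobject]@{
        Subject = $Cert.Subject
        ChainOk = $chainOk
        NameOk  = $nameOk
        Trusted = $chainOk -and $nameOk
        Status  = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    }
}

$root   = New-CaCert -Subject 'CN=Example Offline Root CA'
$sub    = New-CaCert -Subject 'CN=Example Issuing CA' -Issuer $root -Serial ([byte[]](1, 0, 0, 1))
$server = New-ServerCert -DnsName 'mail.example.test' -Issuer $sub -Serial ([byte[]](1, 0, 0, 2))

# Genuine certificate presented by the host it was issued to.
Test-ServerCert -Cert $server -TrustedRoot $root -Intermediates $sub -ExpectedHost 'mail.example.test'
# Same certificate presented by a host with a different name: chain fine, name wrong.
Test-ServerCert -Cert $server -TrustedRoot $root -Intermediates $sub -ExpectedHost 'evil.example.test'
# A "border guard" whose badge was issued by an authority this client never trusted.
$rogueRoot = New-CaCert -Subject 'CN=Rogue Root CA'
$rogue     = New-ServerCert -DnsName 'mail.example.test' -Issuer $rogueRoot -Serial ([byte[]](9, 9, 9, 9))
Test-ServerCert -Cert $rogue -TrustedRoot $root -Intermediates @() -ExpectedHost 'mail.example.test'
```

The three calls at the end are the three outcomes the analogy covers: a recognised badge at the expected border, a recognised badge at the wrong border (a valid certificate for a different name) and a badge from a government nobody has agreed to trust. The name check is a separate step from the chain check for a reason: a chain that verifies only proves who the CA says the holder is, not that the holder is the host you meant to talk to.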

At the outset of this description, Richard explained that there is more to PKI than just a security tool, or some technology services.  There’s actually a hierarchy of deployment considerations:

  • Private key protection. Private keys are critical to the ability to sign certificates and therefore crucial to the integrity of the chain of trust.
    • A chain is only as strong as its weakest link.
  • Management procedures:
    • Validation of requests (stopping fraudulent certificates from being issued).
    • Management of certificates (issuing, revocation, etc.)
  • Deployment procedures:
    • Deploying and managing the PKI itself.
  • Technology choices:
    • Whose PKI infrastructure will be used?

Drawn as a hierarchy (similar to Maslow’s hierarchy of needs), technology choices are at the top and are actually the least significant consideration.  Whilst having a secure technical solution is important, having the procedures to manage it are more so.

Richard wrapped up his presentation surmising that:

  • PKI is 10% technology and 90% process.
  • Deployment is 10% of the solution and management is 90%.
  • PKI needs management from day one.

If you do still want to know more about the technology (including seeing some diagrams that might have helped to illustrate this post if I’d had the time), there’s a Microsoft blog post series on designing and implementing PKI, written by the Active Directory Directory Services team.  Other PKI solutions exist, but as many organisations have an Active Directory, looking at the Microsoft implementation is as good a place as any to start to understand the various technologies that are involved.

Short takes: Lync/Skype and browsers; Bitlocker without TPM; OS X Finder preferences; and MyFitnessPal streaks

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few more short mini-posts from the items that have been cluttering my browser tabs this week…

Lync/Skype for Business meetings start in the Web App

A few days ago, a colleague highlighted to me that, whenever she joined a Lync meeting from our company, it opened in Lync Web App, rather than using the full client. Yesterday I noticed the same – I tried to join a call hosted by Microsoft and the Skype for Business Web App launched, rather than the Lync client installed on my PC. It turns out that this behaviour is driven by the default browser: mine is Chrome and my colleague was also using something that’s not IE. Quite why I’d not seen this before, I don’t know (unless it’s related to a recent update) but for internal Lync meetings I do tend to use the Join Online button in the meeting reminder – that doesn’t seem to appear for external meetings. Of course, you can also control which client is used by editing the URL

Using Bitlocker on drives without TPM

When my wife asked me to encrypt the hard drive on her PC, I was pleased to be able to say “no need to buy anything, we can use Bitlocker – it’s built into Windows”. Unfortunately, when I tried to enable it, I found that her PC doesn’t have a trusted platform module (TPM) chip. I was pretty sure I’d worked around that in the past, with a netbook that I used to run Windows 7 on and, sure enough, found a How To Geek article on How To Use BitLocker on Drives without TPM. It’s been a while since I had to dive into the Local Computer Policy but a simple tweak to the “Require additional authentication at startup” item under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives (enabling it, with “Allow BitLocker without a compatible TPM” ticked) was all it took to let Windows encrypt the drive.
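The same change done from PowerShell, as an added example that is not from the original post: it writes the registry values that the Group Policy editor sets for “Require additional authentication at startup”, then enables BitLocker with a startup password only when there is genuinely no usable TPM, and finishes by adding and saving a recovery password. It assumes an elevated session on Windows 10 or later (for the XtsAes256 method; older releases would use Aes256) and a drive letter and output path that are placeholders.

```powershell
# Added example (not from the post): BitLocker on a PC without a TPM.
# Run elevated. $Drive and $RecoveryKeyPath are assumptions for illustration.
param(
    [string]$Drive = 'C:',
    [string]$RecoveryKeyPath = "$env:USERPROFILE\BitLocker-recovery-$(Get-Date -Format yyyyMMdd).txt"
)

# Equivalent of enabling "Require additional authentication at startup" and
# ticking "Allow BitLocker without a compatible TPM" in Local Computer Policy.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # the policy itself
    EnableBDEWithNoTPM = 1   # the checkbox that matters on TPM-less hardware
    UseTPM             = 2   # 2 = "Allow" for each TPM-based option
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# Only fall back to a password protector when there really is no usable TPM:
# a TPM-sealed key resists offline guessing in a way a user-chosen password
# does not, so a TPM-less drive is only as strong as that password.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
} else {
    $pw = Read-Host -Prompt 'Startup password for BitLocker' -AsSecureString
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw -SkipHardwareTest
}

# Always add a recovery password and keep it off the encrypted drive; without
# one, a forgotten startup password means the data is gone.
$volume = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword |
    Set-Content -Path $RecoveryKeyPath

Get-BitLockerVolume -MountPoint $Drive | Format-List VolumeStatus, EncryptionMethod, KeyProtector
```

Move the recovery password file somewhere safe (a password manager or a printed copy) and delete it from the user profile once it has been stored; it unlocks the drive on its own.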

Finding my files in Finder

One of the challenges I have with the Mac I bought a few months ago, is that modern versions of OS X seem to want to hide things from me. I’m a “browse the hard drive to find my files” kind of guy, and it took a tweak to the Finder preferences to show my Hard Disk and bring back the shortcut to Pictures.

MyFitnessPal streak ends – counter reset

Last weekend some connectivity issues, combined with staying away with friends meant I missed the cut-off for logging my food/exercise with MyFitnessPal and my “streak” was reset (i.e. the login counter). Knowing that I’ve been logging activity for a certain number of days is a surprisingly motivational piece of information but it turns out you can get it reset using the counter reset tool (which even predicted how many days the value should be – 81 in my case).

Confusion over accounts used to access Microsoft’s online services

This content is 11 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I recently bought a new computer, for family use (the Lenovo Flex 15 that I was whinging about the other week finally turned up). As it’s a new PC, it runs Windows 8 (since upgraded to 8.1) and I log in with my “Microsoft account”. All good so far.

I set up local accounts for the kids, with parental controls (if you don’t use Windows Family Safety, then I recommend you do! No need for meddling government firewalls at ISP level – all of the major operating systems have parental controls built in – we just need to be taught to use them…), then I decided that my wife also needed a “Microsoft account” so she could be registered as a parent to view the reports and over-ride settings as required.

Because my wife has an Office 365 mailbox, I thought she had a “Microsoft account” and I tried to use her Office 365 credentials. Nope… authentication error. It was only some time later (after quite a bit of frustration) that I realised that the “Organization account” used to access a Microsoft service like Office 365 is not the same as a “Microsoft account”. Mine had only worked because I have two accounts with the same username and password (naughty…) but they are actually two entirely separate identities. As far as I can make out, “organization accounts” use the Windows Azure Active Directory service whilst “Microsoft accounts” have their heritage in Microsoft Passport/Windows Live ID.

Tweeting my frustrations I heard back from a number of online contacts – including journalists and MVPs – and it seems to be widely accepted that Microsoft’s online authentication is a mess.

As Jamie Thomson (@JamieT) commented to Alex Simons (@Alex_A_Simons – the Programme Director for Windows Azure Active Directory), if only every “organization account” could have a corresponding “Microsoft account” auto-provisioned, life would be a lot, lot simpler.

Short takes: cyber security; stock images; PowerPoint presenter view; smart TVs, iPads and YouTube

This content is 12 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Lots of ideas for blog posts this week but limited time to commit pen to paper, or fingers to keyboard for that matter. Here are the highlights of what might have been…

Cyber security

Last year, I assisted one of the lecturers at University College London (UCL) with some “expert” opinion on the bring your own device phenomenon, for a module as part of the MSc course in Human Computer Interaction. It seemed to go reasonably well and I was invited back to speak on this year’s topic – cyber security.  I can’t claim to be an expert, but I could present some supplier-side views on the UK Government’s “10 steps to cyber security” advice which seems very sensible but is also based on aspirational and tactical solutions which could be costly to implement in full, so need to be considered with an understanding of the relative risks and an eye to the future.

For anyone who’s interested, my presentation is available for viewing/download on SlideShare, although it’s very visual – full narrative is available in the notes.

Searching for good images

I’m a fan of full-page images on slides and limited text. I find it keeps the audience engaged and listening to the presenter, rather than reading pages of bullet points.  The down side is that it can be very time consuming to find the right images, especially without access to an account at a good stock library.

As my presentation to UCL was as an individual, not representing my employer, I was able to use images licensed for non-commercial use under Creative Commons and Compfight is a great tool for searching Flickr for these. I’ve attributed all of the photographers used in the deck above, and if you don’t have access to iStockPhoto, Fotolia, etc. then this can be a good way to find images.

PowerPoint Presenter View

I’ve blogged before about PowerPoint’s presenter view and I’m amazed that more people don’t use it (although, the people who don’t are generally fans of dull corporate decks with lots of bullet points – yawn!). Somehow though, my PC had reverted to not using it, and I needed to Google to find where the option is in the PowerPoint 2007/2010 ribbon!  In the end, it was this Cybernet New post that showed me the important option: on the Slide Show tab, in the Monitors section.

YouTube smart TV and mobile apps

I wanted to re-watch a presentation that I’d missed last year and that I knew was on YouTube. Given that it was nearly an hour long, I thought the comfort of my living room would be a good place to do this, using the YouTube app on my smart TV. It was. At least until I lost the stream part way through and the Samsung YouTube app refused to play ball with the fast forward control. Another annoyance was that the “Watch Later” functionality in YouTube isn’t recognised by the a-little-bit-dumb app on the “smart” TV, so I needed to add the video to another playlist first.

Eventually, I finished up watching the second half of the video on my iPad. Here, again, it’s useful to know that the built-in iOS YouTube app is feature-light and that there is a newer version available from Google in Apple’s App Store.

More retail banking security theatre

This content is 12 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Yesterday, I bought a new suit. Nothing remarkable there but I paid on my Lloyds TSB Duo Avios credit card. A card that I will shortly be cutting into little pieces because it’s useless to me if the bank declines transactions on an apparently random basis…

You see, I also wanted an extra pair of trousers and they were out of stock. The very helpful guy at John Lewis went through the online order process, I supplied my credit card details and all was good. Then we went to the till and paid for the suit jacket and first pair of trousers.

The £250 transaction for the suit went through OK but a short while later I was called by John Lewis to say that the £80 order for the trousers placed a few minutes earlier had been declined.  That seemed strange – especially as it was placed before the larger transaction (I’d expect the large one to be declined if there was some sort of anti-fraud flag triggered by a small purchase and then a large one) so we tried again. No joy. Declined by the bank. So I supplied some different card details and all was OK.

I was annoyed. I use multiple credit cards for good reasons but at least I had been able to use a different card even if that does mean that my personal and business transactions are mixed up. Fast forward to this morning and I was incensed.

Sunday morning, 10am: enjoying a rare lie-in whilst the kids are away; the phone rings – it might be my in-laws and it might be important, so I answer.

“This is an automated anti-fraud call from Lloyds TSB…” (or similar). I’m angry now, but I comply with the whole process as I think I might be charged twice for my trousers.  This process involved:

  • Confirming that I was (imagine robotic voice) “Mr Mark Wilson”. 1. Yes, that’s me.
  • Confirming my year of birth. Not exactly a secret, especially not to anyone who might answer my home phone.
  • Confirming my day and month of birth. Again, public information, and known to all in my household.
  • Listening to some details of some possibly fraudulent transactions: two declined for £80 and one approved for £250; all flagged as Internet purchases at John Lewis, a “grocery or supermarket” retailer. Not much help there as John Lewis is a department store (Waitrose is their supermarket brand) and clearly store transactions are incorrectly flagged as Internet purchases – which means the information is unreliable at best and confusing if it had been a different retailer with whom I was less familiar.
  • Confirming I had made those transactions. Tempting to say no but that would be fraudulent. I said 1 for yes, anyone in the house who answered my phone could have answered anything…
  • Supplying my mobile phone number for future anti-fraud calls (I probably didn’t supply it in the first place because I was concerned they would use it for marketing…). Well, at least my mobile is more immediate, and more secure than the home phone (only I use it).

Pure security theatre.

I can understand the banks wanting to reduce fraud – it costs them millions. But my account has a significantly larger credit limit than transactions I attempted in John Lewis yesterday and they could go a lot higher before declining transactions and inconveniencing me as a customer. I can see some patterns that might have flagged the anti-fraud systems but not the sense in declining the first and third transactions yet accepting the second (larger) one. It’s possible that John Lewis stored my card details and applied them after a short delay but, even so, I’d think it’s pretty common for people to make in-store transactions and place orders through the retailer’s online channel at or around the same time (in scenarios like the one I described).

I’ll make the most of the interest-free period until my next bill, pay in full (as always) and then I’ll be closing my account with Lloyds TSB. “Security” that stops me using my cards when I want to, and disturbs my privacy at home (with an automated call using publicly-available information!) is “security” I can do without…

McAfee, Internet Explorer and a lack of quality control at Toshiba

This content is 12 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Last week, I wrote about helping my father-in-law to ensure that the insurance company wasn’t fleecing him whilst replacing his stolen laptop.  His new machine (a Toshiba Satellite C855-12G) arrived this week (although it appears to be a discontinued model, which is presumably the reason it was discounted…) and I’ve spent part of the evening on family IT support duty getting it set up for him.

Unfortunately, I also found that the webcam is faulty (at least, neither Toshiba’s webcam application, Windows Device Manager nor Skype can see it, despite having downloaded the latest drivers from the Toshiba website), suggesting that Toshiba’s quality control is pretty shoddy (this doesn’t appear to be an isolated incident – see link 1, link 2, link 3). Back in the day, Toshiba was a respected notebook PC brand but I guess I should have insisted on Lenovo, Samsung or Dell…

Anyway, the real purpose of this post was to record some of the issues (and resolutions) that I found whilst removing the “crapware” from this new PC. To be fair, I’ve seen worse and the main thing to remove (apart from a non-English version of Windows Live Essentials) was McAfee Internet Security.  It never ceases to amaze me how many people will shell out cash for this type of application when there are perfectly good free alternatives, so I replaced it with Microsoft Security Essentials.

Unfortunately the McAfee uninstaller wouldn’t run, displaying an Internet Explorer-esque “Navigation was cancelled” screen (but without any chrome).  As Skype was also having problems adding contacts, I started to suspect something was blocking web traffic and that hunch turned out to be valid. Disabling Internet Exploder 9’s Content Advisor did the trick. How anybody can use it is beyond me (I had to enter a password four times  just to switch from Windows Update to Microsoft Update) but, once Content Advisor was disabled, both Skype and the McAfee uninstaller worked as they should.

Network access control does its job – but is a dirty network such a bad thing?

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Earlier this week, I was dumped from my email and intranet access (mid database update) as my employer’s VPN and endpoint protection conspired against me. It was several hours before I was finally back on the corporate network, meanwhile I could happily access services on the Internet (my personal cloud) and even corporate email using my mobile phone.

Of course, even IT service companies struggle with their infrastructure from time to time (and I should stress that this is a personal blog, that my comments are my own and not endorsed by my employer) but it raises a real issue – for years companies have defended our perimeters and built up defence-in-depth strategies with rings of security. Perhaps that approach is less valid as end users (consumers) are increasingly mobile and what we really need to do is look at the controls on our data and applications – perhaps a “dirty” network is not such a bad thing if the core services (datacentres, etc.) are adequately secured?

I’m not writing this to “out” my employer’s IT – generally it meets my needs and it’s important to note that I could still go into an office, or pick up email on my phone – but I’d be interested to hear the views of those who work in other organisations – especially as I intend to write a white paper on the subject…

In effect, with a “dirty” corporate network, the perimeter moves from the edge of the organisation to its core and office networks are no more secure than the Wi-Fi access provided to guests today – at the same time as many services move to the cloud. Indeed, why not go the whole way and switch from dedicated WAN links to using the public Internet (with adequate controls to encrypt payloads and to ensure continuity of service, of course)? And surely there’s no need for a VPN when the applications are all provided as web services?

I’m not suggesting it’s a quick fix – but maybe something for many IT departments to consider in adapting to meet the demands of the “four forces of IT industry transformation”: cloud; mobility; big data/analytics and social business?

[Update: Neil Cockerham (@ncockerh) reminded me of the term “de-perimeterisation” – and Ross Dawson (@rossdawson)’s post on tearing down the walls: the future of enterprise tech is exactly what I’m talking about…]

Is Apple really encouraging me to click a link that could go anywhere?

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Earlier today I was installing an app on my iPad and the iTunes store wanted some “additional security details”.  I set up some questions and answers, feeling reasonably confident that, as I was using the App Store app, the details were actually being taken by Apple.  In addition it requested an optional email address for account recovery but it wouldn’t let me use my normal email address because that’s also used for my Apple ID (so why does that make it invalid for account recovery?)

I supplied a different email address and the App Store accepted the “additional security details” and let me complete my purchase…

Then, I got this email:

From: Apple [appleid@id.apple.com]
Sent: 27 April 2012 14:08
To: Mark Wilson
Subject: Please verify that we have the right address for you

Thank you.

You’ve taken the added security step and provided a rescue email address. Now all you need to do is verify that it belongs to you.

The rescue email address that you gave us is [email address removed] . Just click the link below to verify, sign in using your Apple ID and password, then follow the prompts.

Verify Now >

The rescue email address is dedicated to your security and allows Apple to get in touch if any account questions come up, such as the need to reset your password or change your security questions. As promised, Apple will never send any announcements or marketing messages to this address.

When using Apple products and services, you’ll still sign in with your primary email address as your Apple ID.

It’s about protecting your identity. 
Just so you know, Apple sends out an email whenever someone adds or changes a rescue email address associated with an existing Apple ID. If you received this email in error, don’t worry. It’s likely someone just mistyped their own email address when creating a new Apple ID.

If you have questions or need help, visit the Apple ID Support site.

Thanks again,

Apple Support

(The actual email was prettier than this, for example it contained graphics with Apple logos, and an Apple footer, but the words are reproduced here almost verbatim – in addition to removing my email address, I’ve also edited the verification link to make it invalid, but otherwise that’s the way it was presented).

This email annoys me for two reasons.

  1. I hate security theatre. Real security should involve something I have and something I know. All of Apple’s questions are just about something I know. In effect, it’s just multiple passwords…
  2. Apple have sent me an email asking me to confirm an email address but with no personally identifying information (no “Dear Mark”; no “Dear Mr Wilson”, nothing that confirms my relationship with them), asking me to click a link that could go anywhere. If this were from PayPal we’d be saying “noooo – don’t do it, it’s a phishing attack!”.

I was very careful about checking out the link in the email and it does appear to have been genuine, but Apple has an enormous market of largely unsuspecting and trusting consumers, not all of whom could be described as “IT literate”. By not encouraging any form of “safe computing” Apple is setting a very bad example – and is reinforcing practices that consumers should be avoiding. Microsoft has some good advice on their site for symptoms of phishing and several of the symptoms are present in the email I received from Apple.

Earlier today I dismissed an article that quoted Eugene Kaspersky as saying Apple was 10 years behind Microsoft in terms of security [awareness] – too many vested interests at play, I thought. On the other hand, if this afternoon’s email really does represent Apple’s corporate culture towards security, they do have some serious catching up to do…

Bring your own… or use what you are told?

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few days ago, I read an article about the risks presented by IT consumerisation. It rang alarm bells with me because, whilst the premise is sound (there are risks, some serious ones, and they need to be mitigated), the focus seemed to be on controlling data leakage by restricting access to social media and locking down device functionality (restricting USB ports, etc.). Whilst that was once an accepted model, I have to question if UWYT (use what you are told) is really the approach we should be taking in this day and age?

One of the key topics within the overall consumerisation theme is concerned with “bring your own” (BYO) device models. I recently wrote a white paper on this topic (a condensed “insight and opinion” view is also available) but, in summary, BYO offers IT departments an opportunity to provide consumer-like services to their customers – i.e. business end users.

In a recent dialogue on Twitter, one of my contacts was suggesting that Fortune 500 companies won’t go for BYO.  But the tide does seem to be turning and there are significant enterprises who are seriously considering it. I’ve been involved in several discussions over recent weeks and I’ve even seen articles in mainstream press about BYO adoption (for example, Qantas has publicly announced plans to allow up to 35,000 employees to connect their own devices to the corporate network). Interestingly, both those links are to Australian publications – maybe we’re just a little more conservative over here?

Of course, there are hurdles to cross (particularly around manageability and security) and it’s not about undoing the work put into managing “standard operating environments” but about recognising how to build flexibility into our infrastructure and open up access to what business end users really need – information!

We need to think about device ownership too and, in particular, about whose data resides where. Indeed, one of the best articles I’ve read on the topic was Art Witmann’s suggestion that a BYO strategy should start with data-centric security, including this memorable quote:

“Understandable or not, if ‘your device is now our device’ is the approach your team is taking, you need to rethink things”

Virtualisation can help with the transition, as can digital rights management. Ultimately we need to re-draw our boundaries and we may find ourselves in a place where the office network is considered “dirty” (just as the coffee shop Wi-Fi is today) and we access services (secured at the application or, better still, at the data layer) rather than concerning ourselves with device- or technology-dependent offerings.

Putting myself in a customer’s shoes for a moment, I expect that I’d be asking if Fujitsu is following a BYO model and the answer is both “yes”, and “no”. As a device manufacturer it presents some image problems if our people are using other vendors’ equipment so, here in the UK and Ireland, our PCs are still provided by a central IT function. Having said that, there are some choices with a catalogue to select from (based on defined eligibility criteria [- a choose your own device scheme]). We also operate a BYO scheme for mobile devices, based on [Fujitsu’s] Managed Mobile service.

So we can see that BYO is not an all-or-nothing solution. And, whilst I’ve only scraped the surface here, it does need to be supported with appropriate changes to policies (not just IT policies either – there are legal, financial and human resources issues to address too).

To me it seems that ignoring consumerisation is a perilous path – it’s happening and if senior IT leaders are unable to support it, they may well find themselves bypassed. Of course, not every employee is a “knowledge worker” and there will be groups for whom access to social media (or even access to the Internet) or the ability to use their own device is not appropriate. For many others though, the advantages of “IT as a service” may be significant and far-reaching.

[This post originally appeared on the Fujitsu UK and Ireland CTO Blog.]