Beyond BYOD: Who oversees the apps?

Official "bring your own app" policies are still few and far between, but agencies are adapting to their employees' demands.

The stereotypical image of a federal employee carrying two phones -- usually a BlackBerry cozied up next to an iPhone or Android device -- is familiar for a reason. Many agencies have long been unwilling or unable to allow official work on personal devices, so employees carry both.

As the government continues to embrace mobility, however, the workforce is already starting to demand more. First, the bring-your-own-device, or BYOD, movement supported the notion that workers should be able to use their personal devices for work. Now bring your own application, or BYOA, is making its way into the federal government.

Whether they use a personal or a government-issued device, people are starting to think about how the applications they rely on to be productive in their everyday lives could be applied to their jobs. Simply put, BYOA means allowing employees to decide which mobile applications they use to enhance their work.

Fueling a mobile revolution

Chris Roberts, vice president of the worldwide public sector at Good Technology, said government mobility is evolving. "The focus used to be all about mobile device management; now people really want to execute on the application side of mobility," he said. "From a government point of view, the idea is to save money and create efficiencies, moving beyond just email on mobile devices and eventually being able to execute all functions of your job from a mobile device."

In May 2013, the CIO Council released its report on the Digital Government Strategy's Milestone 5.4, which deals with the adoption of commercial mobile applications by federal agencies. The report's authors noted the lack of a standardized approach to reviewing and approving such applications and recommended the creation of a catalog that would highlight characteristics of mobile applications that have particular relevance to government.

ACT-IAC's Advanced Mobility Working Group found that few agencies have adopted consumer apps for enterprise use. A 2013 study requested by the CIO Council and Digital Services Advisory Group states that "with few exceptions, enterprises have not brought consumer apps 'in-house' and adopted them for use as part of their enterprise application portfolio; nor are these apps [managed] via device management or application environments."

More than a year after those recommendations, there is still plenty of opportunity for progress, said Rick Holgate, CIO of the Bureau of Alcohol, Tobacco, Firearms and Explosives. He and his team are helping ATF employees explore their options.

"We've given them the latitude to do a lot of experimentation on their own to figure out what tools are best for them," said Holgate, who is also co-chairman of the ACT-IAC Advanced Mobility Working Group. "We're getting more toward that model from the private sector, giving users a certain amount of trust and empowering users."

Relinquishing control over applications on government-furnished devices can be difficult for some agencies, but giving employees that decision-making power is inevitable, said Maureen Carter, creative director at Deloitte Digital.

"The more transparency, the better," she said. "Individuals are going to find ways to use these tools anyway. The line can't just be 'no.' There has to be flexibility. We need to look at the tools that are impacting their [employees'] lives and learn and adopt best practices for using those tools."

More apps, more exposure?

Depending on the type of application, BYOA heightens existing mobile security risks. There are multiple approaches to managing those risks, depending on the situation, Holgate said.

"If it's an enterprise device and I'm allowing users to bring applications onto it, you have to think, 'Am I okay with just monitoring the activity on that device or managing which applications get installed on the device?'" Holgate said. "You can look for problematic behavior, but that requires more sophisticated infrastructure on the part of the enterprise."

Security risks can also depend on the type of applications being used. Collaboration and information-sharing sites, such as Dropbox, pose more of a security threat to an agency because of the data they could expose, said Roberts, who added that his company is building software that would reduce the risk to organizations running those types of applications.

Containerization is another approach. It involves building a wall around a certain set of applications on a mobile device.

"Industry is trying to work this balance [of] having apps for personal and government use that can co-exist on one device," Roberts said. The idea is to "separate [them] so you can't move government information into your own suite of applications."

To reduce risks, manage the user

Regardless of what security measures agencies place on mobile devices, users who aren't educated and trained to safely use those devices can render security efforts moot. So although containerization can help agencies ensure that applications holding government data stay secure, many organizations are focusing on managing user behavior as much as devices.

One of the first steps is educating employees about mobile devices and teaching them to be aware of basic security measures for their devices and applications. Rick Holgate, CIO at the Bureau of Alcohol, Tobacco, Firearms and Explosives, said agencies must come up with a strategy for how they are going to authorize and manage mobile applications. They need to decide whether to allow users to pick which applications are loaded on their devices and then monitor them, or actively control which applications get installed.

Meanwhile, Scott Armstrong, chief strategy officer at mobile solutions provider INADEV, said agency leaders must promote an environment of open communication when it comes to dealing with issues associated with mobile devices so that employees feel comfortable reporting security risks.

-- Colby Hochmuth

Can't stop a moving train

Experts agree that the desire to use the same applications on work and personal devices is a product of the times.

"From a culture perspective, whether it's veteran government employees or folks right out of college, they're helping drive the change because they're a smart device-based and app-based generation," said Stephen Orr, distinguished systems engineer at Cisco Systems. "They want the same experience with all of their devices."

A BYOA environment would give employees who are traveling the ability to access work email and check in at the airport without having to juggle two phones, said Scott Armstrong, chief strategy officer at mobile solutions provider INADEV.

As with many technology changes in government, culture and leadership are instrumental in making a BYOA program successful, he added.

"It needs a high level of support because you have to do a lot of behavioral, organizational and security changes," Armstrong said. "You have to make sure everyone is comfortable with it, from the youngest to the most experienced worker."

Leadership is especially crucial in the preliminary stages of implementing BYOA, said Tim Young, federal lead at Deloitte Consulting and former deputy administrator for e-government and IT at the Office of Management and Budget.

"By not having the CIO or technology executive establish a safe environment for practitioners to develop prototypes and test applications, they would therefore be creating a less secure environment," Young said. "By channeling them through a secure environment, it fulfills multiple organizational goals and empowers employees with a 'walk, crawl, run' approach."

Although few agencies have adopted apps for enterprisewide use, nearly all have adopted best practices and security measures to allow their employees to install consumer apps for their own use, ACT-IAC's paper states. Furthermore, many agencies are using pilot projects to help them make decisions about the degree to which they should manage commercial applications.

A successful mobile strategy has implications beyond productivity. It's also a good tool for bringing in and retaining talented employees.

"If you're trying to get young people to join the government and giving out iPhones or Android devices, what's the point if they can't do anything with [them]?" Roberts asked.