BYOI is a series I’ve decided to create to “talk” about #identitymanagement so it is about #security, #governance, #management and many other aspects of the #IAM realm.
Recently I had the opportunity to do a speech at #idn12 on #BYOD on the “mobile me” conference track. This post is basically a recap of my speech for those who were not there.
#BYOD is an hot trend lately and everybody in the IT seems to get it on their mouth, there’s no day on social networks, on meeting with customer, on analysts reports that the word #BYOD doesn’t came out and everytime it is associated with some “extra thought” like, “oh crap” or “we’re trying to think how to manage that…”.
#BYOD is such unstoppable phenomenon? And if so, are we really sure there’s not a way to manage it without need of bring some new,techie,complex architectural solution to “get rid of #BYOD security issues”?
Let’s take a step back and let me tell you about “a cow” or better about a social dilemma called “the tragedy of commons”:
In economics, the tragedy of the commons is the depletion of a shared resource by individuals, acting independently and rationally according to each one’s self-interest, despite their understanding that depleting the common resource is contrary to their long-term best interests.
wikipedia – the tragedy of commons
In 1968 ecologist Garret Hardin explored the dilemma in an article with an example involving medieval land tenure in Europe, of herders sharing a common parcel of land, on which they are each entitled to let their cows graze. In Hardin’s example, it is in each herder’s interest to put the next (and succeeding) cows he acquires onto the land, even if the quality of the common is damaged for all as a result, through overgrazing. The herder receives all of the benefits from an additional cow, while the damage to the common is shared by the entire group. If all herders make this individually rational economic decision, the common will be depleted or even destroyed, to the detriment of all.
wikipedia – the tragedy of commons
“The cow” is the device and the result is what will happen if we allow the consumer/user to use “the cow” regardless of other user use of the “shared resources” (aka company enviroment).
The use of the “cow” is not intended to be deliberately disruptive towards company resources but will end up as so because of the “rational economic decision” taken by every single individual. I bring on more devices because I feel I can be more productive regardless of what will happen (security breaches, data loss, etc…)
The cheese makers
Question: is it always like this? does the “the tragedy of commons” set unchangeable line that saysy “the moment you’ll let #BYOD will be the moment your company will start to fall down”?
Obviously not, in the real world we got already the answer and it’s quite simple: policies. If you set up a good policy you’ll control and manage your “cows”. So why many groups in different fields of the economic ground failed and still failing when it comes to set up terms, regulation and policies?
If you’ve got three cows, you can pasture those three cows in the commons if you carried them over from last winter. But you can’t bring new cows in just for the summer.
1200 a.d. swiss cheese makers regulation – Netting 1976 , p 139
Simple and effective isnt’it? Since at that time feeding a cow for the whole winter was definitely an expansive job you were rewarded with a “free entrance” to the commons in summer. In other words:
if you demonstrate me that you are able to take care of our corporate data, in terms of reflecting in your day-by-day behavior our security policy we will allow you to bring your personal device and the next one, etc…
I enable you because you respect the “common resources” and show me that you take care of what I allow you to access.
But the question continue to laying there, why other groups failed? what did they do that didn’t work?
We need to come back to the researches that explored “the tragedy of commons”:
In Canada in the mid-1970s, the Atlantic Herring Fishermen’s Marketing Cooperative was given authority for the Bay of Fundy herring fishery (Peacock and MacFarlane 1986, 215-30). The Department of Fisheries and Oceans allocated exclusive quota to the cooperative. The cooperative, in turn, assigned individual quotas among its members. The cooperative was also responsible for policing vessel quotas, distributing surplus quota among the fleet, and collecting statistical information for the government. The government allowed cooperative members to make “over the side” sales to foreign vessels. This extra opportunity for sales helped boost prices, providing an additional incentive for fishers to join the cooperative.
In its first three years, the cooperative “so enhanced the earnings of fishermen, the quality of fish caught, and the ability to manage the fishery that many people began to see the Bay of Fundy herring fishery as a panacea and as a model for other fisheries,” writes Rettig (1986, 18).
Unfortunately, cooperation among the members soon disappeared because of disputes between small and large-scale fishers. A group of fourteen fishers split away from the cooperative. The final blow came when the government withdrew the authority of its members to make over-the-side sales to foreign vessels. Members were left with little incentive to stay in the cooperative, and the cooperative unraveled.
Excess fishing capacity from the start (Peacock and MacFarlane 1986) and problems with the make-up of the cooperative itself combined to doom the system.
What happen when you set up a too much strict policy or an “hard to understand” kind of policy? Simple as the fisherman exmaple results, your users/customer will start to find a way to continue to get into your corporate networks, exposing your data to security breaches using “not allowed” new apps they find somewhere on the internet.
It’s in the human nature to fight escape from an excessive limted perimeter, if you setup boundaries without explain them people will try to get over them just “to see what’s there is”.
So back to the “tragedy of (non) commons” we know now “the cow” (aka #BYOD) and we know how to manage it through “the cheese makers policy” said as the final answer:
The quality “cheese” (use of company resources) is made through an honest and open cooperation between “the cow” (#BYOD) and “the cheese makers” (company IT) that means, protect you common resources, allow the right number of cows to posturize over the commons and always explain clearly why you cannot allow an extra one on that.