
Enterprise Mobility: COPE vs. BYOD

Corporate-owned device fleets have been the norm since mobile was introduced into the enterprise. Today, a number of organizations continue this tradition, only now it has morphed into COPE. Corporate-Owned, Personally Enabled policies promise the same user experience, privacy and autonomy as a personal device, but on a corporate-owned device. This idea likely sounds promising to most organizations, but how does COPE really stack up against BYOD (Bring Your Own Device)?

Techopedia defines COPE as the complete opposite of bring your own device (BYOD). If BYOD is user-driven, and thereby preferred by users, why would anyone adopt a corporate-owned policy? There are a few reasons.

Ovum found that nearly 70 percent of employees use their tablets or phones to access corporate data, with 15.4 percent of them doing so without IT’s knowledge and nearly 21 percent in spite of established policy. This ‘access to the data’ piece is a major reason why an organization would pursue a COPE strategy.

The onslaught of devices in the enterprise raises serious concerns about the security of corporate data. The common response to this concern has been to increase restrictions and lock down employee-owned mobile devices. This is not necessarily the wrong response. CIOs and CISOs are responsible for the protection of the most valuable organizational assets – the data. What other choice do they have? This is where COPE comes in as an option.

Because it allows organizations to retain full control of the device, COPE is often an attractive model for organizations concerned about keeping mobile data secure. Full control of the device means that IT retains the ability to simply wipe the device if it is lost or stolen – an effective way to keep corporate data out of the wrong hands.

COPE, however, presents its own set of issues. The feeling of control that COPE offers is an illusion. Even if organizations provide users with the newest and best devices, if they don’t give users the freedom to choose and use their own, the users will simply bring their own. The result: Shadow IT.

This is not happening in theory; it’s taking place in organizations everywhere. A recent survey by LogMeIn and Edge Strategies found that users have an average of 21 apps on their devices. This is seven times what IT estimated!

I’ve spoken with more than one CISO who had banned corporate data on mobile devices only to discover that users had been transferring files to their mobile devices using Dropbox and YouSendIt, circumventing security controls and completely disregarding corporate control. In fact, the majority of users engage in this behavior and not all are doing so deliberately. Studies show that many users aren’t aware of their employers’ BYOD or mobile security policies, let alone that they are breaking them.

There are a couple of reasons to adopt a BYOD approach. The first is reduced overhead. The time and money spent to manage corporate-owned devices is substantial. The second is simply that BYOD resonates with today’s blended work-life activities. By allowing employees to use the tools they love, we enable them to work from anywhere and, ultimately, increase their productivity and response times. Managed properly, BYOD becomes an asset for organizations. This is probably why Ovum predicted just a year ago that BYOD was “here to stay.”

For the last several years, IT has been split between fighting the onslaught of BYOD and realizing they must prepare for the inevitable. COPE is a stopgap between the old days of full corporate control and the days of user-driven mobile policies. The truth is that in either case there is no way to keep corporate data secure without knowing what corporate data is at risk, and we can’t know this without gaining visibility into its usage.

With app usage information in hand, we can fine-tune policies and secure applications. By securing user applications, we enable their productivity and suddenly BYOD becomes an asset, not a liability.

Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties. Adam is a CISSP, CISA, NSA IAM, MCSE and holds an MBA from Florida State University.