As the year rolls over, we naturally ponder the future. Reading through popular IT news sources, we are presented with a future where organizations inevitably allow staff to use their own mobiles at work, a practice referred to as Bring Your Own Device (BYOD). It is easy to see why so many people are talking about it with potential benefits such as these:
I was discussing this topic with a group of friends at a recent Christmas party. To my surprise, one of them who has been working in the Swedish IT industry for years had never heard of BYOD. This got me to thinking: How widespread is BYOD adoption in Sweden, Scandinavia, and Europe? From the one Noel party, it seemed to be lagging, but that's a single data point. After looking around for others, I thought I'd share my findings.
In light of Gartner predictions that BYOD adoption will climb in 2013, Lisa Bjerre asked a handful of Swedish IT execs whether they agreed. Some were skeptical, but the directors of IT for the municipalities of Burlöv, Götene, Lidköping, Essunga, and Skara predicted that BYOD will introduce creative new ways of delighting customers and will greatly impact Swedish organizations in the coming years. Burlöv municipality's IT director, Hans Magnusson, said he especially expected an uptake in Swedish schools, as is happening elsewhere in the world. Adoption doesn't seem limited to the public sector, though. Patrik Malmquist, Enterprise Mobility Manager at Sigma, says that mobility, including BYOD, is the issue their customers most frequently come to them with. When McAfee asked 153 Swedish CIOs and IT managers about their views on BYOD, 60% said it was strategically important to their business, and over half thought it was something their companies should be investing in.
What about the rest of Scandinavia? Smartphones Telecom, a Norwegian Mobile Device Management (MDM) provider owned by Telenor, says that BYOD is not as common in Norway as in other places like the US, but the growing popularity of tablets means that more employee-owned slates will find their way into Norwegian workplaces. According to Steria's recent survey of 299 IT managers from large organizations in Denmark, Sweden and Norway, BYOD is not top of mind for IT bosses in the region. As Thomas Okke Frahm, former Executive Partner at Gartner in Denmark, warns, however, Danish directors of IT who oppose BYOD do so in vain. This is because workers will simply and insecurely use their own devices beyond the view of IT. Shadow IT is commonplace among BYOD opponents in Sweden, says Andreas Krohn, API Specialist at Dopter, a partner of ours.
As Berlin-based reporter Charlotte Erdmann writes, Europe is catching on to BYOD:
Research and consulting firm Frost & Sullivan has established that 75 percent of Europe's CXOs are already using tablet computers. And IDG Connect reports that 60 percent of European IT professionals now use their own iPads for work...Dell ascertained...that whenever private hardware isn't banned in a firm, four out of five employees use their own devices at work.
Erdmann also mentioned a study of IT directors conducted by Absolute Software which found that 52% of companies from France, Germany, and the UK allow staff to use their own devices to access the corporate network. A study by Intel puts the level of adoption of German companies at 1 in 5.
With more data points than the one from my Christmas party, it's clear to me now that many Swedish, Scandinavian, and European organizations are allowing or considering allowing the use of employee-owned devices in the workplace. It's also clear after doing this research that not many people are offering solutions to the problem. We've written a paper with concrete advice, and will discuss this at a BYOD conference in Stockholm on the 21st of February with Ping Identity, UnboundID, StjärnaFyrkant, Telia, Nokia, Sony, and others. More on that and our whitepaper soon. In the meantime, comment here, on Twitter or on Google+ if you have thoughts or views on BYOD adoption in Europe that you'd like to share.
The other day I wrote about a way to use OAuth w/ mobile apps that was not susceptible to phishing and does not use the password anti-pattern. I just had to code it up and make sure it worked. What better time than 4 AM when the house is quiet? Ah, jet lag ;-)
Using Lars Vogel's tutorial on C2DM, PingFederate's new OAuth server, and a little Python Web app running on CherryPy, I found that it does actually work! Here are the high-level points to be aware of if you want to implement this:
When creating a native mobile app, it is often necessary to call RESTful Web services securely using OAuth. To do this, the native app needs an Access Token (AT). There are various ways for the app to get such a token, each presenting certain pros and cons. Around the Web, you will find two primary suggestions on how to do this:
The problem with the first is that multiple applications can register for the same scheme, opening up the native app to phishing. The latter is a problem because the native app can see everything that goes by including the Resource Owner's (RO's) credentials. This is OK if you trust the app not to do that, but that isn't always the case and is reminiscent of the password anti-pattern that OAuth was designed to fix. For more details on these attacks, see this whitepaper (PDF).
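The first problem, several apps registering for the same scheme, is something a defender can audit for across an app catalogue. The following is an added example, not code from the original post: it parses Android manifests and reports custom URI schemes claimed by more than one package. The package names, scheme names and manifest contents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"
WEB_SCHEMES = {"http", "https"}  # shared by design, not custom schemes

def sample_manifest(package, scheme):
    """Build a constructed AndroidManifest.xml for the demo (not a real app)."""
    return f"""<manifest package="{package}"
      xmlns:android="http://schemas.android.com/apk/res/android">
      <application><activity android:name=".OAuthCallback"><intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="{BROWSABLE}"/>
        <data android:scheme="{scheme}" android:host="oauth"/>
      </intent-filter></activity></application></manifest>"""

# Constructed input: two unrelated packages both claim exampleapp://
MANIFESTS = [
    sample_manifest("com.example.legit", "exampleapp"),
    sample_manifest("com.example.lookalike", "exampleapp"),
    sample_manifest("com.example.other", "otherapp"),
]

def claimed_schemes(manifest_xml):
    """Return (package, schemes) for intent filters a browser redirect can reach."""
    root = ET.fromstring(manifest_xml)
    schemes = set()
    for flt in root.iter("intent-filter"):
        categories = {c.get(ANDROID + "name") for c in flt.findall("category")}
        if BROWSABLE not in categories:
            continue  # not reachable from a browser redirect
        for data in flt.findall("data"):
            scheme = data.get(ANDROID + "scheme")
            if scheme and scheme not in WEB_SCHEMES:
                schemes.add(scheme)
    return root.get("package"), schemes

def scheme_collisions(manifests):
    """Map each custom scheme to its packages when more than one claims it."""
    owners = defaultdict(set)
    for xml_text in manifests:
        package, schemes = claimed_schemes(xml_text)
        for scheme in schemes:
            owners[scheme].add(package)
    return {s: sorted(p) for s, p in owners.items() if len(p) > 1}

if __name__ == "__main__":
    for scheme, packages in scheme_collisions(MANIFESTS).items():
        print(f"{scheme}:// is claimed by: {', '.join(packages)}")
```

A collision means the OAuth redirect carrying the token or code may be delivered to an app other than the one the Resource Owner intended.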
At IIW this week, Personal's CTO, Tarik Kurspahic, organized a session to talk about how best to get OAuth tokens into native apps. In it, he, Scotty Logan of Stanford University, myself, and the other participants came up with the following alternative to the popular suggestions above which does not allow the installed app to see the RO's credentials and is not susceptible to phishing.
Here's a diagram showing what we came up w/.