IBM Destination Z - Group home

BYOD Joins the Mainframe Party

By Destination Z posted Mon December 23, 2019 03:37 PM


The consumerization of IT is upon us. Accordingly, using employee-supplied/managed devices for work is increasingly tolerated, facilitated—or even mandated—rather than forbidden or ignored. That's partly because work is no longer 9-to-5 or even Monday-through-Friday, and employers must accommodate staff working remotely.

Even more pressing, arcane ad hoc technologies such as remote 3270s, once used by tech-savvy IT professionals (and protected mostly by obscurity), are being replaced by an ever-changing consumer devices zoology in the hands of often less-sophisticated users more subject to errors and problems.

Other trends driving bring your own device (BYOD) are telecommuting, hoteling, where employees check into offices as-needed vs. having them permanently assigned, and distributed workforces.

BYOD implementation details vary so widely that the only agreed-upon element is that it’s pronounced B-Y-O-D. As in other enterprise areas (security, telework, etc.), success involves two very different areas: technology and personnel/policy.

BYOD is an irresistible trend. Secure areas or change-resistant organizations might struggle against it, but it sneaks in with people working around restrictions, just as PCs did decades earlier.

So it's worth exploring to learn what it can provide—not necessarily to economize but to make it secure, integrate it into mainstream IT and avoid costly technology dead ends. In fact, former federal CIO Vivek Kundra advocated the government paying a monthly stipend to support worker connectivity/productivity.

To begin, consider potential efficiencies, pain points, productivity, and ways to make jobs easier and more pleasant.

Mainframe Meets BYOD
Most important for enterprise computing is not letting BYOD devices or connectivity threaten the mainframe's inherent security or its associated hardened network.

Keep security in mind as the BYOD tide comes in. Too many times, retrofitted security hasn’t equaled baked-in protection, and it’s often no match for creative black hats. Risks affect mainframe, middleware, mobile and device applications.

Of course, "mobile" devices needn’t be BYOD—they can be company-supplied/owned/managed devices, much more easily controlled.

Technology Issues
Years ago, the digital pager gave way to the ubiquitous BlackBerry as the corporate standard, however, the latter is now rapidly losing ground to diverse devices.

Even BlackBerry could monitor and manage mainframe operation, applications and problems. Now, BYOD often begins with enabling workflow applications for productivity: timecards, expense reports, trouble alerts, etc., but users quickly expect more intense workplace connectivity/interaction.

It's challenging accepting infinitely varied devices—laptop, iPad, smartphone, et al.—to fully support employee preferences. That prevents standardizing or assuming a static set of devices/software and requires general and inclusive technology.

Because it’s cumbersome and needlessly expensive carrying multiple communication devices for company and personal use, consumer-grade devices and connections must be secured. So combining functions into an always-available-and-on less-than-laptop form factor (tablet, smartphone) is attractive for employees and organizations.

However, when central-site resources are accessed—Web services, thin client, virtual machines, virtual/remote desktops or virtual application integration—that data must be secured rather than devices.

An increasingly popular approach is containerization—or sandboxing—which involves restricting network and data access to software running in a tight IT-defined/controlled environment within a device, isolated from user-installed software. This prevents snoopy or leaky apps from accessing and compromising data, or planting malware on the network. And the container allows company-triggered lost-device tracking or wiping enterprise data, without affecting user resources. Ideally, device-independent containerization simplifies support, policy options allow controlling functions such as printing and robust security protects the attractive target.

An alternative to containerization is using an Android bare-metal hypervisor to separate business and personal data.

Existing VPN technology can securely link remote devices to enterprise resources, though some implementations partition or restrict available functions. Mainframe connectivity can be via Secure TN3270 with, for example, z/OS Communications Server or SSH; virtual network computing is a graphical desktop-sharing system for remotely controlling another computer. A range of iPad apps provides 3270 emulation, PC desktop control and more. Major subsystems and applications can impose additional security and authentication.

A full-function mainframe session manager can enhance remote operation and isolate users from network and device problems, by providing switchable access across multiple host screens and maintaining session presence through connection interruptions.

End-user devices increasingly provide two-level authentication—typically combining what a user knows and possesses, or using biometric factors. Best practices mandate using secure USB devices, perhaps company-supplied, with strong always-on encryption. Laptop computers can use full-disk encryption, especially if they're provisioned with standard OS builds including enterprise-grade anti-malware. Of course, all devices should integrate with a centrally managed mainframe-driven end-to-end encryption architecture.

Accessing mainframe data and applications on small screens requires usability analysis and likely re-engineering.

And eventually IPv6’s enhanced network addressability might lead to reduced use of network address translation, potentially making visible devices that should be cloaked.

Staff/Policy Matters
Beware BYOD skunk-works (that is, unknown to IT or management) projects suddenly surfacing to demand recognition and support. In this case, it's NOT better for the skunk to apologize than ask permission. It’s OK to require planning for meeting new back-office server demands, ensuring network security and compatibility, training users in privacy and backup requirements, etc.

Don’t let individuals drive BYOD adoption; develop uniform policies organization-wide, at department level, or by staff function.

It's worth dividing/designating responsibilities, perhaps in this order—policies, security, implementation and support—to ensure uniformity, avoid surprises and facilitate adoption.

Policies might need to reflect compliance with laws and regulation, e.g., HIPAA or the Payment Card Industry Data Security Standard. And corporate auditors might weigh in on making data accessible and applications available.

Letting users—technical and others—know what's being done will increase cooperation. Manage expectations regarding allowed uses, purchase and connectivity plan expenses, data privacy, device security, support, replacements/upgrades, etc.

For example, will private data be accessible to IT, and will IT be able to wipe devices remotely in case of data breach or device loss? Are software updates required? Will activities—data accessed, apps installed, mainframe applications accessed—be monitored to enforce policies?

Breach and theft risks increase along with connectivity. File transfer and collaboration (legitimate or malign) become trivial, requiring analysis of what to allow, and whether certain websites and technologies should be disabled. Consider using enterprise versions of tools such as file-transfer websites, as well as controls such as Google Apps CloudLock. The Apple Configurator utility simplifies provisioning multiple iPads or other iOS devices. Other mobile-device managers provide similar over-the-air distribution of applications, data and configuration settings.

Employees and IT must remember that consumer devices typically don't receive the committed level of support seen by enterprise software, which might increase demands on internal support.

Corporate culture and support matter, but they must evolve to accommodate BYOD. Rigidly regulating supported devices risks stifling productivity and encourages cheating/gaming rules.

BYOD Goes Mainstream
Close to home, IBM recently announced the Foundation for Mobile Computing, a comprehensive platform of software and services that advances IBM’s mobile capabilities and helps clients embrace growing mobile and cloud-computing business opportunities.

While some organizations are secretive about their practices, as BYOD becomes increasingly mainstream, it will be recognized as sensible economics, valid environmental stewardship and simply an industry-standard accommodation of productive technology.

How long will BYOD be a trend worth discussing, before it’s commonplace and unremarkable? The text-only interface began crumbling long ago; now the assumption of large-screen real estate is no longer valid. A more interesting question, of course, is what buzzword will follow—BYOC (bring your own cloud), perhaps, for consumerization of cloud computing. Stay tuned; it might be the topic of a future article.

Gabe Goldberg has developed, worked with and written about technology for decades. He can be contacted at

1 view