Bring Your Own Device Is About The Data Not Device7 min read
Bring Your Own Device, BYOD, is the future whether companies want to accept this or not. Smart devices are now commonplace within an organization and an individual’s use of those devices for personal reasons is becoming a daily staple in their lives. The merging of personal and business technology use is not ‘when’ but ‘how’ is a company going to manage this as it evolves and slowly becomes a security problem. If BYOD continues to be pushed off by companies, employees are going to use personal devices for work related tasks eventually if they aren’t already.
However, a BYOD approach, at least from my experiences and conversations with others, has always focused on the devices themselves. Creating a story of cost savings on the hardware by selling the idea that by having employees use their own hardware will somehow be cheaper for the company. So far, everyone that spun that story has found out that this is not the case and usually it ends up to be exact opposite and ends up costing the company more money to support a BYOD program. The primary ‘gotcha’ is around support of those devices is with the in-house mobile technologies such as a Mobile Device Management (MDM) system, encryption solutions like RSA, and having your in house teams support a wide range of hardware and OS versions rather than controlling exactly what you support. Then you throw in the mountain of legal agreements around getting the person to allow the business to see parts of the device’s data and allow them to completely wipe the phone if they want to. Time, money, more time, stipend for the user’s bills, and legal work are the hidden increase in costs around a BYOD program that far exceed the cost of buying a new cellphone through a corporate contract.
Everyone starts out with email and Office document creation with BYOD. That’s not enough, what about your business applications? The data stores where the critical data that your business relies upon reside, the methods on accessing that data and most importantly how that data stays where it needs to be and not where it shouldn’t be. By creating applications with data in mind then you can create an application hub of data access that resides within your walls instead of a spreadsheet sitting on an iPad with 250,000 credit card numbers unencrypted. Build applications that serve the data for a business function, process in the back end, then your BYOD takes the user out of the processing equation and build your applications to do it for them. Eventually a business won’t care how a user accesses the application because the data will not leave. If you have an employee leave the company or a device is lost, kill the access by the user or device, data protected. Worrying about someone using a mobile device to create a spreadsheet for a business purpose is a hot topic but I have not heard one pro-BYOD supporter ever talk about looking to remotely wipe an employee’s home PC. There are many other resources people can work on outside the reach of the business, why is mobile such a firestorm of worry now?
Side thought – From an IT Security stand point there’s one employee resource that I have never seen get asked for, told to be destroyed, or ever seen any provision for use on in any company I have worked for or with. This resource that is ignored probably has the most damaging, proprietary information about a company in it. What is it? The notebook. The one resource that has phone numbers, secrets, damaging problems documented, tasks, contacts, sales projections, future goals, personal thoughts and tons more information that management really doesn’t want in the public eye. However no one ever asks for it or has any policy around their use.
Is there any reason anyone, anywhere needs to work on 250,000 credit card numbers, social security numbers, account numbers in a spreadsheet outside of an office on an iPad on an airplane? You are not going to fix ignorance, naivety, mistakes, and all malicious intents when it comes to data use. I still chuckle when security breaches happen from a CIO leaving his laptop in a cab. You can mitigate, prevent, and reduce the risks to the business by worrying more about the data and how it’s accessed and used than the device being used. Why did that CIO have all that critical data on his laptop to begin with? In
This is not a hard exercise either, everyone has been thinking this way for the past 15 years, web applications are exactly that, data serving access points. Who worries about the computer a user uses to access a webpage? (Aside from technical requirements like Flash, Java, etc…) When an application is built for the Internet for your business the work into protecting the back end and only showing the data that needs to be shown is being done. BYOD mentality is really no different. Leveraging a cloud infrastructure, display only what you need, mask critical attributes, encrypt, encrypt, encrypt, why would you allow a file to be saved on the device that can be read? Create a viewing application for the data don’t put raw spreadsheets in SkyDrive with critical data. Take inputs from a user for a mortgage applications don’t have them fill it out on the device and send it in later leaving a copy on the device. If the data has to be transmitted later, then store it in a an encrypted cache not in a file that can be read through iTunes.
They are smartphones but strategize to make them more like dumb terminals to access your data. Of course this will not be something that will happen overnight but that’s why you have 1, 3 and 5 year roadmaps and leadership teams to execute on those visions and directions, proactive not reactive. If you are reacting to BYOD then you are too late. Not all your applications or business functions will be able to be migrated into a mobile access BYOD model and that’s OK. There is never a one all solution to solve all your problems. If you try to find one, then you fail. You will hit that magical 10% of progress and stall out, wrapped in your own web of indecision rather than getting to 80% and having the rest maintain a ‘legacy’ model. At the end of the day BYOD is about mobile devices, who owns them is irrelevant when it comes to the data access, a device can be lost equally regardless of owner.
I am not a fan of the BYOD movement in most businesses from both an IT security standpoint and personal use standpoint. From the IT security and business standpoint it’s impossible to impose any kind of usage policy around a person’s device such as what applications they can install, the use of the devices (porn, downloads, having an illegal torrented ebook or movie on the device, jailbreak the OS), having contacts side by side that may conflict with business interests. The list goes on and on. As an IT security expert I get headaches when the IT security risks are over-simplified by those pushing for BYOD. Not to mention OS security holes, especially the Android space, and forcing a person to update their phone. What if the person doesn’t know how to? Who will support the upgrade process your business IT support team or do you send the owner to the vendor to help? If you have applications being built for mobile devices, iOS or Android, how can your development team effectively program a mobile platform when you could have 20, 30, or 50 different mobile OS versions out there? Are you going to tell the person to go buy a new phone to use a business app or say you can only use this type of device? Soon you will have a usage policy that is so close to a corporate owned device policy that you might as well provide the device if your policies are so strict to the use anyway.
Then you have user adoption. From a personal point of view I am in the boat that the company that I work for will provide me with all the tools to perform the job I was hired to do and I will not opt-in to a BYOD program. My personal devices are mine and no one outside of me will touch them in anyway or dictate how I use them. I did participate in a BYOD beta program once but immediately dropped out of it when I found out what the company could see on my phone. It wasn’t just the corporate email account but all my contacts, my apps, photos, device info and they could wipe the whole phone at their whim without warning. No thanks.
Protecting the flow of the data and controlling what can access that data is the key. BYOD is a brochure buzzword that is sold as a concept without all the ingredients. I have seen too many management teams try to push that through and quickly realize the reality of what BYOD really means. Unless your security infrastructure and mobile management processes are solid, BYOD will only create havoc and cost you more in the long run without a data strategy to go along side of it.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
Follow Me On Twitter