4/3/2015
10:30 AM

The Good & Bad Of BYOD

BYOD has very little to do with technology and everything to do with security, organizational politics, and human psychology.

Shadow IT has been big news lately. Hillary Clinton is still trying to recover from the public beating she endured over her use of a private email server instead of the government’s while Secretary of State. Even more dramatic, but not as well-reported, is the story of a US ambassador to Kenya who ran his office, including his own internet connection with a personal Gmail account, out of an embassy bathroom in Nairobi rather than use the government’s IT resources.

The public was shocked and the media apoplectic, but not many technologists registered much surprise over these tales. This is business as usual for most of us because it seems that if IT departments aren’t waging epic battles with the business over rogue cloud deployments, they’re fighting with users demanding more freedom of choice in how they use technology for their jobs. Consumerization has raised the bar with an expectation for a better variety of applications, newer devices and an increasing level of flexibility and privacy. If IT departments can’t or won’t deliver, then users go elsewhere, with or without the permission of security teams.

Where BYOD goes wrong
As most organizations discover, BYOD has very little to do with technology and everything to do with security, organizational politics and human psychology. It’s all about enterprise control vs. user autonomy. Often users feel like pawns, disrespected by their leadership and especially by IT departments, who typically assign a “one size fits all” corporate craptop loaded down with so much bloatware, it seems like a throwback to 1998. This situation is especially frustrating when the user has specific needs driven by a job role or personally owns better technology, but can’t get anyone within IT to meet him or her halfway.

BYOD is no longer optional
This is where the communication breakdown starts. IT wants standards for ease of management and for securing the organization's assets, mainly data. Users don't want to think about the "how" of technology; they just want something familiar or comfortable that helps them get their work done. Moreover, if neurophilosopher Andy Clark's concept of the extended mind is accurate, they're potentially identifying with a personal mobile device as an extension of their cognitive toolset. If both parties continue to be intractable, the result is a full-blown policy war, with information security as the victim.

BYOD doesn’t start as a technology problem
Here's the main source of confusion. Most organizations already have some form of BYOD, probably unsanctioned by IT. Information security teams need to understand that even if there is no official policy, there's an implicit one. In the absence of NAC (network access control) or 802.1X enforcement, it's pretty likely that users are plugging unapproved devices into the network. Just check the visitor wireless network, because that's usually a haven for employees' rogue devices.
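The check described above, carried out over DHCP logs, as an added example that is not part of the original article: the script parses ISC dhcpd-style DHCPACK lines from a visitor wireless segment, normalizes MAC addresses, compares them with a managed-asset inventory, and separates one-off visitors from devices that show up day after day. A personal device that reappears on the guest network every working day is far more likely to belong to an employee than to a visitor, and a managed corporate laptop sitting on the guest segment is bypassing the controls it was built for. The log lines, the asset inventory and the `min_days` threshold are constructed for the example; the regex assumes the standard syslog layout for dhcpd messages.

```python
import re
from collections import defaultdict

# Constructed sample: dhcpd syslog lines from a guest wireless segment.
# Hosts, MACs and addresses are made up for this example.
SAMPLE_LEASES = """\
Apr  1 08:12:01 gw dhcpd: DHCPACK on 10.50.1.21 to 3c:22:fb:10:aa:01 (CORP-LT-0142) via wlan-guest
Apr  1 08:14:30 gw dhcpd: DHCPACK on 10.50.1.22 to a4:83:e7:55:02:9c (Bobs-iPhone) via wlan-guest
Apr  1 09:02:11 gw dhcpd: DHCPACK on 10.50.1.23 to 00:11:22:33:44:55 (visitor-tablet) via wlan-guest
Apr  2 08:09:45 gw dhcpd: DHCPACK on 10.50.1.22 to a4:83:e7:55:02:9c (Bobs-iPhone) via wlan-guest
Apr  2 08:11:03 gw dhcpd: DHCPACK on 10.50.1.21 to 3C:22:FB:10:AA:01 (CORP-LT-0142) via wlan-guest
Apr  3 08:10:27 gw dhcpd: DHCPACK on 10.50.1.22 to a4:83:e7:55:02:9c (Bobs-iPhone) via wlan-guest
Apr  3 10:40:00 gw dhcpd: DHCPACK on 10.50.1.24 to de:ad:be:ef:00:01 via wlan-guest
Apr  3 10:41:12 gw dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via wlan-guest
"""

# Hypothetical managed-asset inventory: lowercase MAC -> asset tag (constructed).
MANAGED_DEVICES = {"3c:22:fb:10:aa:01": "CORP-LT-0142"}

# Matches only completed leases (DHCPACK); DISCOVER/OFFER noise is ignored.
LEASE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def parse_leases(text):
    """Return one dict per DHCPACK line with a normalized MAC and a (month, day) date."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["mac"] = rec["mac"].lower()          # dhcpd may log either case
        rec["date"] = (rec["mon"], int(rec["day"]))
        leases.append(rec)
    return leases


def classify_guest_devices(leases, managed, min_days=2):
    """Group leases by MAC and label each device.

    managed_on_guest    - a managed corporate asset is on the guest network
    recurring_unmanaged - an unmanaged device seen on >= min_days distinct days
    transient           - seen on fewer days; consistent with a genuine visitor
    """
    seen = defaultdict(lambda: {"host": None, "ips": set(), "days": set()})
    for lease in leases:
        rec = seen[lease["mac"]]
        rec["ips"].add(lease["ip"])
        rec["days"].add(lease["date"])
        if lease["host"]:
            rec["host"] = lease["host"]

    report = {}
    for mac, rec in seen.items():
        if mac in managed:
            category = "managed_on_guest"
        elif len(rec["days"]) >= min_days:
            category = "recurring_unmanaged"
        else:
            category = "transient"
        report[mac] = {
            "host": rec["host"],
            "asset": managed.get(mac),
            "days": len(rec["days"]),
            "ips": sorted(rec["ips"]),
            "category": category,
        }
    return report


if __name__ == "__main__":
    findings = classify_guest_devices(parse_leases(SAMPLE_LEASES), MANAGED_DEVICES)
    for mac, info in sorted(findings.items(), key=lambda kv: kv[1]["category"]):
        print(f"{info['category']:<20} {mac}  host={info['host']}  "
              f"days={info['days']}  ips={','.join(info['ips'])}")
```

The day-count heuristic is deliberately simple: it needs nothing beyond the DHCP server's own logs, and it surfaces the implicit BYOD policy the paragraph describes before any NAC or 802.1X project is funded. Feeding the `recurring_unmanaged` list to the asset owners is usually the first concrete evidence that BYOD is already happening.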

This all seems pretty innocuous at first, allowing employees to use their own cell phones and tablets to check their work email and calendars. Less time and effort for IT staff in managing pesky mobile devices and users are much happier with the latest and greatest technology. If you throw in the carrot of a device subsidy, you can get a higher adoption rate, with the ultimate business goal of eliminating the purchase of mobile devices for staff altogether. Just ignore that doom and gloom from the information security team about the vulnerability of mobile devices and confidential data leakage. All you need to do is install some security controls and everyone is happy, right?

Good BYOD is found in policies and procedures
Does your organization have data classification with handling standards? Is there user classification with some kind of identity management? Without these standards, you can't have good access control or data protection, much less effective BYOD controls. Do you have an acceptable use policy with an end-user agreement? Implementing security controls without underlying policies and standards is an exercise in futility. The controls become an inconvenience, a mere hurdle for the user community to get around, subject to the whims of an operations team or yearly budget cuts.

Formalizing BYOD needs buy-in from the organization
Any attempt to formalize policies, standards and procedures for BYOD should be undertaken with the understanding that it will only be successful if it's an organizational initiative. Human resources could have concerns about how accessing or responding to work email will affect the status of non-exempt employees. Legal will worry about the protection of confidential material and how to address the subpoena of a personal device. Audit and compliance teams will need assurance that regulations are being followed and enforced.

Ignore BYOD at your peril
If Gartner is to be believed, 38 percent of companies will stop providing devices by 2016. Accurate or not, BYOD is perceived as a cost-saving measure, and IT is facing increasing demands to provide value to the business. Security teams should stop arguing with reality and understand that their worth lies in facilitating the business, not obstructing it. While embracing BYOD can certainly increase risks, denying the trend of consumerization is even more dangerous for an organization. The network perimeter has morphed into something more nebulous, and security architecture must align with this evolution or be left behind.

Michele Chubirka, also known as Mrs. Y, is a recovering Unix engineer with a focus on network security. She likes long walks in hubsites, traveling to security conferences, and spending extended hours in the Bat Cave. She believes every problem can be solved with a "for" ...

Comments
Marilyn Cohodas, User Rank: Strategist
4/6/2015 | 1:12:35 PM
The future for BYOD
There are lots of issues BYOD continues to raise, but there is no turning back on the fact that mobility has forever changed data security. Couldn't agree with the author more: Ignore BYOD at your peril!
aws0513, User Rank: Ninja
4/6/2015 | 11:45:29 AM
Re: Risk vs Reward
I have to agree.  I have yet to see a convincing risk-v-benefit report about BYOD that is based upon facts.

Recently, I was provided a BYOD analogy by a business manager who used to be a pilot.
He posed the analogy as a question: "Would you have any concerns if you knew your airline pilot was using his personal computer to manage the aircraft avionics controls instead of the computer that was built into the aircraft?"

Before I could respond, he stated "H*** yes, you should have a concern!  If you ever saw what some pilots I know have downloaded to their personal computers, you would not want to fly with them even if they didn't use their personal computer for flying."

I am still digesting that one...  but there is a hint of the real issue. 

A matter of trust.

Organizations still have a challenge maintaining trust of the very systems they provide to their users, for many reasons.  BYOD almost demands an organization throw trust out the window.  This is especially true for regulatory and sensitive data handling where one bad apple can ruin the entire barrel. 

I believe there is a future for BYOD, but I am not completely convinced we are at a broad maturity level in data security to provide the necessary trust an organization MUST have for a BYOD system to handle its sensitive data. 

Moreover, it isn't just the devices...  BYOD or not, users commonly demonstrate an apparent lack of concern about data security practices and procedures.  For me, this is the bigger problem.
prospecttoreza, User Rank: Strategist
4/6/2015 | 9:17:48 AM
Risk vs Reward
"While embracing BYOD can certainly increase risks" - is there any research that can tell us the rewards the organizations are getting while taking on the risk of BYOD?
vicweast, User Rank: Apprentice
4/5/2015 | 10:06:12 AM
Good Article...
Thanks for the article. I generally agree with it but I have a few comments...

I think we should cut Hillary some slack here because things have changed since she became Secretary of State in 2009. First, 6 years in technology (smartphones, tablets,...) is a lifetime. Secondly, anyone who talks about how insecure her private mail server must have been is ignoring how dreadful the security of computers and systems is in the Department of State. Google "State Department email security" and follow that trail — it makes a private email server seem almost intelligent. (I am being half serious here, but it is true.)

BYOD has trended for a number of years. During that time add-on security packages have arisen with the goal of providing the enterprise greater control over their mobile devices. Those solutions are generally derided by the users. During that time, the vendors of these devices have continued to sediment various security capabilities into their off-the-shelf phones and tablets. Today's smartphone comes with advanced features to remote wipe, locate and otherwise avoid compromise of a lost cell phone that has sensitive email and contact lists on it... It's a big improvement over what we had 3 years ago, and improvements should be expected to continue.

The basic issue — even before we talk about BYOD — is that the idea of a real and effective network perimeter in enterprises is really quite dead. It took a mortal wound the first time we opened up a port of our firewalls. We have taken what used to be internal services like email and intranet sites and expressed these directly to the Internet. The world is different because we needed to work from anywhere and at any time. The boundaries of the enterprise are dead, and the idea that you could only access enterprise owned data with an enterprise owned device is probably close to dead as you report. Cost savings are only part of that story.

So, what's missing? Actual data protection. We seem to protect sensitive files where they reside (at rest) and when we ship them around (in motion, usually using TLS). What we don't do is individually protect sensitive files using a combination of encryption and business rules (or access controls, or DRM, etc.)

This is important because it provides each sensitive file with individual controls (versus whole disk encryption) which makes wholesale theft (a la Bradley Manning or Edward Snowden) impossible.

But it is still a young industry and data governance is only starting to get the attention sensitive and valuable data deserves.
