Dark Reading is part of the Informa Tech Division of Informa PLC
The Good & Bad Of BYOD

BYOD has very little to do with technology and everything to do with security, organizational politics, and human psychology.

Shadow IT has been big news lately. Hillary Clinton is still trying to recover from the public beating she endured over her use of a private email server instead of the government’s while Secretary of State. Even more dramatic, but not as well-reported, is the story of a US ambassador to Kenya who ran his office, including his own internet connection with a personal Gmail account, out of an embassy bathroom in Nairobi rather than use the government’s IT resources.

The public was shocked and the media apoplectic, but not many technologists registered much surprise over these tales. This is business as usual for most of us because it seems that if IT departments aren’t waging epic battles with the business over rogue cloud deployments, they’re fighting with users demanding more freedom of choice in how they use technology for their jobs. Consumerization has raised the bar with an expectation for a better variety of applications, newer devices and an increasing level of flexibility and privacy. If IT departments can’t or won’t deliver, then users go elsewhere, with or without the permission of security teams.

Where BYOD goes wrong
As most organizations discover, BYOD has very little to do with technology and everything to do with security, organizational politics and human psychology. It’s all about enterprise control vs. user autonomy. Often users feel like pawns, disrespected by their leadership and especially by IT departments, who typically assign a “one size fits all” corporate craptop loaded down with so much bloatware, it seems like a throwback to 1998. This situation is especially frustrating when the user has specific needs driven by a job role or personally owns better technology, but can’t get anyone within IT to meet him or her halfway.

BYOD is no longer optional
This is where the communication breakdown starts. IT wants standards for ease of management and securing of the organization’s assets, mainly data. Users don’t want to think about the “how” of technology, they just want something familiar or comfortable that helps them get their work done. Moreover, if neurophilosopher Andy Clark’s concept of extended mind is accurate, they’re potentially identifying with a personal mobile device as an extension of their cognitive toolset. If both parties continue to be intractable, the result is a full-blown policy war, with information security as the victim.

BYOD doesn’t start as a technology problem
Here’s the main source of confusion. Most organizations already have some form of BYOD, probably unsanctioned by IT. Information security teams need to understand that even if there is no official policy, there’s an implicit one. In the absence of NAC or 802.1X enforcement, it’s pretty likely that users are plugging unapproved devices into the network. Just check the visitor wireless network, because that’s usually a haven for employees’ rogue devices.
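As an added example (not from the article), one way to act on the "check the visitor wireless network" advice above: it scores visitor-network DHCP leases against what the organization already knows about its own assets and staff. The lease file format (dnsmasq-style), the managed-asset MACs, the corporate hostname prefixes and the staff usernames are all constructed assumptions for this demo.

```python
# Constructed sample in dnsmasq lease format: "expiry mac ip hostname client-id"
VISITOR_LEASES = """\
1428300000 3c:22:fb:aa:bb:01 10.99.0.12 visitor-laptop *
1428300050 A4:5E:60:10:20:30 10.99.0.17 jsmith-iPhone 01:a4:5e:60:10:20:30
1428300090 00:50:56:9a:00:01 10.99.0.23 FIN-LAPTOP-042 01:00:50:56:9a:00:01
1428300110 b8:27:eb:11:22:33 10.99.0.28 ENG-DESKTOP-7 *
1428300120 f0:18:98:01:02:03 10.99.0.31 * *
"""

# Constructed reference data: managed-asset MACs from the inventory,
# corporate hostname prefixes, and usernames from the staff directory.
MANAGED_MACS = {"00:50:56:9a:00:01"}
CORP_HOST_PREFIXES = ("FIN-", "HR-", "ENG-")
EMPLOYEE_USERNAMES = {"jsmith", "adoe"}


def parse_leases(text):
    """Yield (mac, ip, hostname) from dnsmasq-style lease lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        _, mac, ip, hostname = parts[:4]
        yield mac.lower(), ip, hostname


def find_employee_devices(leases_text, managed_macs, corp_prefixes, usernames):
    """Return (mac, ip, hostname, reason) for visitor-network clients that
    look like employee devices: managed assets that bypassed the corporate
    network, unmanaged devices named like corporate assets, or personal
    devices named after staff. Genuinely unknown devices are left alone."""
    findings = []
    for mac, ip, host in parse_leases(leases_text):
        if mac in managed_macs:
            reason = "managed corporate asset on visitor network"
        elif host.upper().startswith(corp_prefixes):
            reason = "unmanaged device using corporate naming convention"
        elif any(u in host.lower() for u in usernames):
            reason = "personal device named after an employee (likely BYOD)"
        else:
            continue
        findings.append((mac, ip, host, reason))
    return findings


if __name__ == "__main__":
    for mac, ip, host, reason in find_employee_devices(
            VISITOR_LEASES, MANAGED_MACS, CORP_HOST_PREFIXES, EMPLOYEE_USERNAMES):
        print(f"{ip:<12} {mac}  {host:<16} {reason}")
```

The point of the exercise is the gap it exposes: every hit is a device that the implicit policy already allows and the official one does not mention.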


This all seems pretty innocuous at first, allowing employees to use their own cell phones and tablets to check their work email and calendars. Less time and effort for IT staff in managing pesky mobile devices and users are much happier with the latest and greatest technology. If you throw in the carrot of a device subsidy, you can get a higher adoption rate, with the ultimate business goal of eliminating the purchase of mobile devices for staff altogether. Just ignore that doom and gloom from the information security team about the vulnerability of mobile devices and confidential data leakage. All you need to do is install some security controls and everyone is happy, right?

Good BYOD is found in policies and procedures
Does your organization have data classification with handling standards? Is there user classification with some kind of identity management? Without these standards, you can’t have good access control or data protection, much less effective BYOD controls. Do you have an acceptable use policy with an end-user agreement? Implementing security controls without underlying policies and standards is an exercise in futility: the controls become an inconvenience, a mere hurdle to be got around by the user community, and subject to the whims of an operations team or yearly budget cuts.

Formalizing BYOD needs buy-in from the organization
Any attempt to formalize policies, standards and procedures for BYOD should be undertaken with the understanding that it will only be successful if it’s an organizational initiative. Human resources could have concerns about how accessing or responding to work email will impact the status of non-exempt employees. Legal will worry about the protection of confidential material and how to address the subpoena of a personal device. Audit and compliance teams will need assurance that regulations are being followed and enforced.

Ignore BYOD at your peril
If Gartner is to be believed, 38 percent of companies will stop providing devices by 2016. Accurate or not, BYOD is perceived as a cost-saving measure and IT is facing increasing demands to provide value to the business. Security teams should stop arguing with reality, understanding that their worth lies in facilitation of the business, not obstruction. While embracing BYOD can certainly increase risks, denying the trend of consumerization is even more dangerous for an organization. The network perimeter has morphed into something more nebulous and security architecture must align with this evolution or be left behind.

Michele Chubirka, also known as Mrs. Y, is a recovering Unix engineer with a focus on network security. She likes long walks in hubsites, traveling to security conferences, and spending extended hours in the Bat Cave. She believes every problem can be solved with a "for" ...

Marilyn Cohodas
User Rank: Strategist
4/6/2015 | 1:12:35 PM
The future for BYOD
There are lots of issues BYOD continues to raise, but there is no turning back on the fact that mobility has forever changed data security. Couldn't agree with the author more: Ignore BYOD at your peril!
User Rank: Ninja
4/6/2015 | 11:45:29 AM
Re: Risk vs Reward
I have to agree.  I have yet to see a convincing risk-v-benefit report about BYOD that is based upon facts.

Recently, I was provided a BYOD analogy by a business manager who used to be a pilot.
He posed the analogy as a question: "Would you have any concerns if you knew your airline pilot was using his personal computer to manage the aircraft avionics controls instead of the computer that was built into the aircraft?"

Before I could respond, he stated "H*** yes, you should have a concern!  If you ever saw what some pilots I know have downloaded to their personal computers, you would not want to fly with them even if they didn't use their personal computer for flying."

I am still digesting that one...  but there is a hint of the real issue. 

A matter of trust.

Organizations still have a challenge maintaining trust of the very systems they provide to their users, for many reasons.  BYOD almost demands an organization throw trust out the window.  This is especially true for regulatory and sensitive data handling where one bad apple can ruin the entire barrel. 

I believe there is a future for BYOD, but I am not completely convinced we are at a broad maturity level in data security to provide the necessary trust an organization MUST have for a BYOD system to handle its sensitive data. 

Moreover, it isn't just the devices...  BYOD or not, users commonly demonstrate an apparent lack of concern about data security practices and procedures.  For me, this is the bigger problem.
User Rank: Strategist
4/6/2015 | 9:17:48 AM
Risk vs Reward
"While embracing BYOD can certainly increase risks" - is there any research that can tell us the rewards the organizations are getting while taking on the risk of BYOD?
User Rank: Apprentice
4/5/2015 | 10:06:12 AM
Good Article...
Thanks for the article. I generally agree with it but I have a few comments...

I think we should cut Hillary some slack here because things have changed since she became Secretary of State in 2009. First, 6 years in technology (smartphones, tablets,...) is a lifetime. Secondly, anyone who talks about how insecure her private mail server must have been is ignoring how dreadful the security of computers and systems is in the Department of State. Google "State Department email security" and follow that trail — it makes a private email server seem almost intelligent. (I am being half serious here, but it is true.)

BYOD has trended for a number of years. During that time add-on security packages have arisen with the goal of providing the enterprise greater control over their mobile devices. Those solutions are generally derided by the users. During that time, the vendors of these devices have continued to sediment various security capabilities into their off-the-shelf phones and tablets. Today's smartphone comes with advanced features to remote wipe, locate and otherwise avoid compromise of a lost cell phone that has sensitive email and contact lists on it... It's a big improvement over what we had 3 years ago, and improvements should be expected to continue. 

The basic issue — even before we talk about BYOD — is that the idea of a real and effective network perimeter in enterprises is really quite dead. It took a mortal wound the first time we opened up a port of our firewalls. We have taken what used to be internal services like email and intranet sites and expressed these directly to the Internet. The world is different because we needed to work from anywhere and at any time. The boundaries of the enterprise are dead, and the idea that you could only access enterprise owned data with an enterprise owned device is probably close to dead as you report. Cost savings are only part of that story.

So, what's missing? Actual data protection. We seem to protect sensitive files where they reside (at rest) and when we ship them around (in motion, usually using TLS). What we don't do is individually protect sensitive files using a combination of encryption and business rules (or access controls, or DRM, etc.).

This is important because it provides each sensitive file with individual controls (versus whole disk encryption) which makes wholesale theft (a la Bradley Manning or Edward Snowden) impossible. 

But it is still a young industry and data governance is only starting to get the attention sensitive and valuable data deserves.
