The Chasm Between BYOD And Security

One of my big takeaways here at RSA 2012 in San Francisco is the dichotomy--nay, the chasm--between the dual business imperatives of security and mobile device support, especially in a bring your own device (BYOD) setup. This problem is core to the consumerization of IT and it's not a good situation out there, folks.

Most of the press going into the show indicated a focus on "big data" and privacy issues and there was a lot of that. But I think that by far the biggest problem on people's minds was that of data breaches.

You don't hear big news stories often anymore about massive breaches of, for example, credit card data. But breaches do happen. In fact, it's likely that we only find out about a minority of them. The really successful ones go undetected. And there are weaknesses enough in corporate networks without adding mobility to the mix.

On one of the panels I saw Michael Dahn of PricewaterhouseCoopers put it this way: The right way, the only real way to protect your data is to begin at the beginning: Identify your data, protect it, and protect all access to it. Unfortunately, very few companies have a clear idea of where all their data is.

Now throw in users with their own devices on mobile networks demanding access to that data you're supposed to be protecting, both because it's your job and because there are laws that require you to protect it. For you to have any real confidence in the data under such circumstances you'll have to have control of the device, the software running on it, and the power to wipe it if necessary.

There are companies that demand this sort of control in a BYOD environment and it's probably still not enough. BYOD itself is an outcome of the fact that convenience will almost always trump security. We pay a lot of lip service to security, but in the end we don't want ourselves inconvenienced by it.

There are solutions out there that hold out some hope for IT to meet their obligations without their users hating them too much. Good Technology, for example, has a mobile app environment that is isolated and secured. Good got a bad reputation for apps that were unpleasant to use, but the latest versions look great to me.

But for now, it appears that our systems are disturbingly open to attack and our data subject to breach. BYOD makes this worse by taking it all outside the control of IT. If I were rolling out mobility at a company I'd want to do it as slowly and carefully as possible.