Commentary
5/15/2012
11:40 AM
Art Wittmann

Can IT Be Trusted With Personal Devices?

Mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data.

Most IT teams weren't prepared for the BYOD challenge, and they're not handling it well. This assertion is borne out by our Mobile Security Survey, which shows that security education is still underfunded and underappreciated and that there's an ongoing mismatch between the mobile device management features IT deems to be important and what's in end users' best interests.

To illustrate just how pernicious the wrong BYOD policies can be, here's a hypothetical: A worker decides to buy an iPad so that, among other things, he can record and store pictures and movies of important events. Perhaps he manages to catch his baby's first steps or his daughter's piano recital, or he uses the iPad to store hundreds of family vacation pictures.

Being a good and proactive employee, he brings the iPad into work, to use for sales presentations and such. The IT organization tells him that before he can put any company data on the device, even what's freely available on the company website, it'll need to install some software that will enforce passwords (No. 1 on our list of most critical MDM security functions). The app will also perform remote locking and wiping of the device, offer some malware protection, and deliver security updates (Nos. 2, 3, and 4 on the list).

The software will require password changes every few months, enforce minimum standards for length and complexity, lock the device after a given time, and if too many failed password attempts occur, wipe the device (the top 5 password policies desired by IT pros).

Now, suppose one of the employee's young children plays with the iPad, exceeds the number of failed password attempts, and the device is wiped. No baby's first steps, no piano recital, no pictures from the family vacation. The employee had the best of intentions about iCloud backups but didn't follow through, and needless to say, IT hadn't provided any backup mechanism. The livid employee is left with a blank device and a "Gee, we're sorry about that" from IT.

While technology can play a part in protecting the company while letting employees use their own devices for business purposes, most IT teams are creating an insane set of rules for no apparent reason. That same employee could have emailed the sales presentation, which probably isn't encrypted or password protected, to his Gmail account, uploaded some product shots to Dropbox, and used the device for work without IT's involvement. And there's often incentive for employees to do just that, because IT's policies are onerous at best, and at worst downright counter to the employee's interests. If software can't tell the difference between company data and employee data, it has no place on a personally owned device.

Further, mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data. The data is what the company owns, and it's what the company values. But of course, data management involves user training and classification and some security finesse. For too many IT teams, it's easier to use a blunt instrument.

There's a bit of good news in our survey: While only 32% of respondents have had a security awareness program in place for two or more years, 18% have recently added one, and an additional 25% say they'll get one in place in the next 12 months. Plenty of cloud-based backup services can add a layer of protection for both company and personal data; we recently did a roundup of 13 providers.

No doubt users represent a security risk, but they're also your first line of defense--if you take the time to clue them in on best practices. Explain how securing corporate data can help protect them as well; if their smartphone is stolen, they may want to nuke it. But for goodness sake, don't put device-wipe time bombs on their systems unless you want to explain why all of their personal data is gone and that there's nothing they can do to get it back.

Comments
BYODpro,
User Rank: Apprentice
5/15/2012 | 7:19:32 PM
re: Can IT Be Trusted With Personal Devices?
I agree that protecting the data is a better strategy than MDM, but MDM isn't all bad. As far as an employee's iPad getting remote wiped and deleting all of the baby pictures...this really needs to be the employee's responsibility.

BYODpro.com
wn7ant,
User Rank: Apprentice
5/31/2012 | 4:46:41 PM
re: Can IT Be Trusted With Personal Devices?
Respectfully that level of arrogance is what this article is trying to address. If companies are going to adopt BYOD acceptance, then there is no excuse for requiring an employee to allow you to destroy their data. Furthermore, if the device is configured to back up and does so successfully, once the device is wiped, all the employee (or ex-employee if you have triggered the wipe) has to do to recover the information, is recover from the backup. The point is, it is correct to say that the data is what you are supposed to control, not the employee's personal equipment.

Furthermore imagine the employee uses their own device to engage in illegal activities. Your company may be found culpable if you are focusing on controlling the device (and should have prevented the employee from doing what they did). I'm not an attorney, but it is something to consider.
Tom LaSusa,
User Rank: Apprentice
5/15/2012 | 9:26:06 PM
re: Can IT Be Trusted With Personal Devices?
Great article Art. I still think the BYOD concept has too many dangers and potential gotchas for it to ever truly be effective though.

Tom LaSusa
InformationWeek
n_dude,
User Rank: Apprentice
5/16/2012 | 12:27:52 AM
re: Can IT Be Trusted With Personal Devices?
On a personal level I agree with the points raised in this article. The problem is that we as security practitioners have driven the standard controls for mobile devices (passwords, remote wipe) and have tried to port these across to personal devices rather than trying to focus on the corporate data on the device and putting the appropriate security controls over that.
harringbones,
User Rank: Apprentice
5/17/2012 | 5:32:11 PM
re: Can IT Be Trusted With Personal Devices?
MDM solutions such as MaaS360 take account for these variables by making BYOD Privacy Settings a part of their offering (taking account for the privacy of personally identifiable information such as apps and location info) plus the ability to remote wipe (only corporate data goes bye-bye). Learn more here: http://links.maas360.com/mobDe...
Andrew Hornback,
User Rank: Apprentice
5/16/2012 | 1:14:39 AM
re: Can IT Be Trusted With Personal Devices?
Why is it that people feel the need to bring their own devices with them into the workplace? Let's start by looking at that... if your organization wants you to be available after hours for emergencies, why aren't they supplying you with a device?

Another good question that needs to be examined - if people are bringing their own devices, what about support? Is IT then going to have to be responsible for backing up that device? Does the local IT department need to become an expert in every device imaginable in order to keep users happy/working? Sounds like that might kill the budget by requiring a lot more man hours of training and support rather than setting on a standard device that all of the support staff gets trained on.

If people are bringing their own devices, are they going to get to bring their own computing platforms? Try bringing a Mac into a Windows-only infrastructure and see how long until chaos ensues. Or, for that matter, a Linux system into a Windows-only infrastructure.

What about people bringing their own data into the work environment? Couple of examples here - user takes their laptop home and does an inventory of their baseball card collection on their work-issued laptop. Legally, that baseball card inventory would be considered as employee work-product. And what about the user that's working on her Master's degree and using her work-issued laptop to take those classes. Sure, the organization might support that idea (especially if the degree is in a field related to the user's work), but what happens when the portal that the user uses to access their class records becomes an attack vector on the system?

Why break the back of your IT support organization by encouraging the executives in the "Device of the Month" club and having that mindset filter down? There's a reason that organizations set hardware procurement standards - easier to support, easier and cheaper to procure, lower TCO.

Andrew Hornback
InformationWeek Contributor

MyW0r1d,
User Rank: Strategist
5/16/2012 | 1:57:43 PM
re: Can IT Be Trusted With Personal Devices?
A lot of question marks in those comments partner, a few of which I can relate personal experience. Who is bringing devices, everyone from the GenX who approaches IT with the attitude that BYOD is a right and they know because they've read all about the push through IT online publications to the CEO who is a rabid Apple supporter and doesn't care what the rest of the company does, IT will make his Apple devices (iphone, pad, MAC and laptop) integrate and take care of his home PC as well for remote access. So you now have 4 non standard devices. I've worked in capital restricted companies which provide EOL equipment and senior managers who are willing to fund their own laptops rather than suffer with outdated equipment (try using a five year old laptop with less than 500mb RAM on today's interactive Flash enabled Web2.0 sites).

From the moment IT accepts the BYOD strategy, then they must accept the responsibility to protect at least the corporate data which will eventually be stored on the devices. A use policy which outlines responsibilities for data protection, the extent of IT responsibilities, and problem resolution methods should not only be provided but be part of a verbal briefing with the employee and documented (countersigned for receipt and understanding) before the device is configured for corporate use.

In the end, one concept must be a kind of guiding beacon. IT is present to support business and business objectives, the business is not there to support IT's (the dog has to wag the tail, not the tail wag the dog). It should drive acquisition, it should be used to develop strategic projects, and it should be in the forefront when designing IT policy and procedures. Business must only understand the cost of their needs and desires and treat them accordingly (needs being necessary, desires nice to have options).
Andrew Hornback,
User Rank: Apprentice
5/18/2012 | 2:44:00 AM
re: Can IT Be Trusted With Personal Devices?
A lot of the argument here depends on how strong the IT leadership is and how mature the organization is.

In your scenario with the 5 year old laptop - look at the cost of upgrading the RAM vs. buying a new system. Even the most cash-strapped businesses will understand that the upgrade pays short-term dividends while a replacement will pay long term ones. Then there's the tangent regarding using non-warranty'd hardware in a business environment... I'll leave that one for later.

For a company with a good number of freelancers among their headcount, BYOD may make sense (why go through the trouble with setting a freelancer up with devices to do their work when they can provide it themselves), but in most other cases, I'm really not a fan of BYOD. Just because you bring a device into my office doesn't mean that I have to support it.

With regards to your final point, I'm fully aligned with that idea - IT is a support function in the vast majority of organizations. I had a former C-level in one of my organizations that made it very clear that they saw IT as a cost sink when it came to the budget as opposed to quite clearly understanding just what IT did, it's a necessary evil from their point of view. Since IT supports the organization, it has to do what is best for the entire organization - which brings me back to the idea of setting hardware standards and support boundaries in order to better deliver support to supported devices.

Point blank - IT can't be everything to everyone and BYOD, to some degree, tries to make IT be everything for everyone.
wn7ant,
User Rank: Apprentice
5/31/2012 | 4:46:10 PM
re: Can IT Be Trusted With Personal Devices?
In order for someone to be considered a "freelancer" or "contractor" in the U.S. the IRS REQUIRES that you are not providing things for them (even parking spaces). So BYOD is a fact of life. Next, which costs less, allowing people to bring their own devices which you are NOT required to support, and securing the data, or buying devices, and keeping them updated, AND securing the data. The risk profile is identical. In fact, I update my equipment more often than most businesses do, I have all the tools (software) I need to do my job on my equipment, I'm already familiar with my tools so there is no training expenditure... What benefit is there to adopting a NON-BYOD stance?
The Woodsman,
User Rank: Apprentice
5/16/2012 | 8:02:33 AM
re: Can IT Be Trusted With Personal Devices?
It's easy to say IT security policies are at fault. But, just educating the staff is not the answer either. For example, we live in a society that's governed by laws and people break them all the time. So, you have to have consequences for breaking them.

Furthermore, if we expect corporate IT to properly protect the data, like taking backups and implementing good practices to protect the security of the data, why would we not expect the same from anyone using a device for personal reasons? We're all largely aware of privacy concerns with the likes of Google and Facebook...yet we still use them, in full knowledge of this fact.

What it boils down to is personal responsibility and accountability. Ignorance is no excuse and taking a hard line with the corporate IT department because we couldn't take responsibility for your own data is just an excuse.

Yes, corporate IT does care about the data and they are using the tools and advice that is available to them. So, rather than beating on them, let's support them in their efforts to wrestle with the relentless march of technology.
ArtWittmann,
User Rank: Apprentice
5/16/2012 | 3:34:15 PM
re: Can IT Be Trusted With Personal Devices?
Part of what really bothered me about the survey findings was that the ability to do a total device wipe ranked higher on the list of desirable features than doing selective deletes did. It seems to me that a far better policy is for the company to carve out a corner on the user's device and manage that along with the data that resides there. You may want some other software to determine that the OS isn't hacked, but beyond that, IT needs to confine itself to managing its data. It shouldn't attempt to manage devices it doesn't own. That's a liability problem.

There's nothing wrong with limited MDM, but the results of the survey indicate to me that the problem isn't being well considered. And since a poor policy can now affect data the company should never even consider touching, users need to think through what they're doing and assess whether their IT team's policies make sense. If they don't, then don't subject your equipment to a policy you don't agree with.
humberger972,
User Rank: Apprentice
5/22/2012 | 5:54:35 PM
re: Can IT Be Trusted With Personal Devices?
The ability to carve out a section on a phone or iPad may not be possible. Probably requires developer and programming time -- all of which cost money no company wants to spend... on the possible hundreds of BYOD that folks want to bring into the work place. There are also few commercial software products to help do that either, and most corporations don't want to pay for it.
If your company doesn't pay for the support to protect data (expensive) vs total wipe - then it was a business decision, not IT. IT is not at the C level, they don't make these decisions.
As for backing up data on a device, if you decide to use your own device vs the company's, then you are the responsible party. Why did we decide the overworked, downsized IT which is looking for cost savings is responsible for automating standard common sense behaviors? The end user was probably already told/trained about their responsibility to back up data, and follow the practices they were given at the time they were setup on their devices. I know following training, reading the rules is too much for end users.
IT can't solve your end user problem - by either automating a nanny solution for them, or sending out the rule list. The Business, the C levels have to spend money and/or strictly enforce the rules. This is not an IT issue, except by default - because the business doesn't want to deal with it or spend money on it.
ArtWittmann,
User Rank: Apprentice
5/22/2012 | 6:36:34 PM
re: Can IT Be Trusted With Personal Devices?
The ability to carve out a section of the phone both is possible and increasingly reasonable. You can find our MDM buyer's guide here: http://reports.informationweek... There's a lot of commercial software to do this, and the list gets longer by the day.

If a company decides not to buy the appropriate software to be a good caretaker on a device that the company doesn't own, then the user shouldn't let the IT shop manage their device - period. It's not really a matter of whether the CIO makes that call or someone down further in the organization. The company isn't taking the issue seriously, so the user should walk away.

As for backing up the device, I agree, it is the end user's responsibility - but when IT installs and uses software that can wipe the device, I think the responsibility shifts. For a user who doesn't risk getting his device wiped, a once a month backup might be sufficient - once IT installs that software, don't you think IT has some responsibility to help the user figure out what changes he should make to his own procedures?

Your comment indicates a tendency toward one of the worst IT behaviors, which is an unwillingness to work with the user community to educate them in a way that's actually helpful to the company. More helpful, I'd argue than that device wipe capability that ranks so high on IT's lists of wants.

The BYOD era is here, it needs a bit more nuance in its management than we'll do the cheapest, easiest thing possible. That'll work right up until it doesn't, then it'll be a huge problem that you could have had the luxury of time to address.
humberger972,
User Rank: Apprentice
5/22/2012 | 8:04:46 PM
re: Can IT Be Trusted With Personal Devices?
I'd like to agree with you, and in a perfect world this would be the solution. But I've dealt with end users, and experience teaches me that I can bend over backwards, provide the software support, show them how to do backups -- but unless the process is 100% automated, the user is never going to do it. No matter what threats, training, or explaining you do... they won't do it -- but they will complain like crazy if they get wiped. Now be honest is your home system regularly backed up? Phone, pad? If yes you are probably a techie, and a part of a very small group, because even techies don't back up their personal devices. Mine are, because everything is 100% automated.

So you say automation is the solution, but if the company is doing the backup, where is it putting the backups? Because now those backups include their employees' personal data - which opens so many cans of worms, because employee x is downloading illegal copies of movies and music, employee y had their personal legal law suit info on their machine, and now it is discoverable in his lawsuit..... how does a company do an auto backup if the data needs to not be on company assets?

And in what special place do you have users who will do weekly backups of their phones, pads, and laptops.....just saying.
ArtWittmann,
User Rank: Apprentice
5/22/2012 | 8:29:33 PM
re: Can IT Be Trusted With Personal Devices?
In a perfect world, the company invests so that it can take advantage of the BYOD trend, and help the company in so doing. In that perfect world, the user is responsible for the user's data and the company is responsible for its. The company can wipe, restore, set the weirdest password policies known to man, but only for its corner of the world.

The user can back up or not, and it shouldn't affect the company or its data. As I said in the original post - if software can't tell the difference between a company file and the user file, the user shouldn't allow it on his device, and just walk away from BYOD. In this case, I think the company loses a lot more than the user does.

A little user education won't hurt either. Some of it sticks, and users really do want to do the right thing to help and support the company. That's why they brought in their own equipment in the first place.
ANON1234378329170,
User Rank: Apprentice
5/16/2012 | 7:33:43 PM
re: Can IT Be Trusted With Personal Devices?
I don't think the users understand what is happening with the BYOD trend. The corporations are slowly pushing the equipment costs to the employees. You pay for your device and data plans. It will not be long before having a specific device, owned by the potential employee, will be a requirement for employment.
wn7ant,
User Rank: Apprentice
5/31/2012 | 4:54:36 PM
re: Can IT Be Trusted With Personal Devices?
Both the company and the employee benefit. The company benefits with reduced costs of ownership, reduced cost of training, lower risk. The employee benefits by having the tool they are familiar with, whenever they need it, and the employee has a vested interest in keeping the equipment updated and protected. It is easier to educate employees about one process, security, than it is to train on security, application training, equipment usage, etc. People that use computers will soon need to have basic certifications as a function of hiring. There's no reason not to require everyone that uses a computer to have passed Security5, Security+, or any other basic computer security course.

ANON1241526426595,
User Rank: Apprentice
5/31/2012 | 1:52:41 PM
re: Can IT Be Trusted With Personal Devices?
Can Art Wittmann be trusted with a column titled "Practical Analysis"?

When an enterprise can be fined millions of dollars by overzealous regulators because an employee forgets a device in a public place, when the security of the enterprise can depend upon the absent-minded care given to a personal consumer device never designed nor currently capable of delivering enterprise-class data protection, when tech pundits can rail against IT because it inconveniences users who bring personally-owned devices into the workplace against the policy and the better judgement of the professionals charged with the protection of said enterprise, there's a definite disconnect in the world.

For *no apparent reason* tech pundits criticize the protections that enterprise IT departments are forced to adopt because the platforms are so rudimentary that there is really no choice. Are you willing to bet your job, millions of company dollars, and the company's reputation that containerized MDM corrals ALL the sensitive data on the device? Really?

When enterprise is no longer held responsible for the irresponsible actions of users that refuse to understand what is at stake and what they can do to keep the enterprise data secure, and for the lack of security architecture of the lowest-common-denominator consumer devices, I'm sure that a calmer, more rational approach can prevail.
wn7ant,
User Rank: Apprentice
6/1/2012 | 12:30:40 AM
re: Can IT Be Trusted With Personal Devices?
"When an enterprise can be fined millions of dollars by overzealous regulators because an employee forgets a device in a public place"

This is irrelevant, it can happen with ANY device (corporate or private)

"when the security of the enterprise can depend upon the absent-minded care given to a personal consumer device never designed nor currently capable of delivering enterprise-class data protection"

I'm coming up short on a list of these devices. iPhones, Androids, and other consumer grade devices have capability to provide "enterprise class" protection. I've been able to use forensics techniques to recover information that has been deleted on BlackBerrys. What magical device are you talking about?

" against the policy and the better judgement of the professionals charged with the protection of said enterprise"

Argument from authority much? There are many professionals that think BYOD is the direction of the industry, and are working to address it.

"For *no apparent reason* tech pundits criticize the protections that enterprise IT departments are forced to adopt because the platforms are so rudimentary that there is really no choice. "

Really, no choice? No, what really happens is lazy people that prefer the status quo don't look at the trends and determine solutions. Instead they WHINE about people pointing out that there is a shift in industry that we need to find solutions for.

" Are you willing to bet your job, millions of company dollars, and the company's reputation that containerized MDM corrals ALL the sensitive data on the device? Really?"

Not required. Security is about acceptable risk, not perfection. If you knew anything about security, you'd know that fact.

"When enterprise is no longer held responsible for the irresponsible actions of users that refuse to understand what is at stake and what they can do to keep the enterprise data secure, and for the lack of security architecture of the lowest-common-denominator consumer devices, I'm sure that a calmer, more rational approach can prevail."

Maybe next time you could lead the charge for a calmer more rational approach?
ANON1241526426595,
User Rank: Apprentice
6/12/2012 | 10:44:11 PM
re: Can IT Be Trusted With Personal Devices?
> This is irrelevant, it can happen with ANY device (corporate or private)

The point is, Art is upset about the fact that industry takes a hard line with management of personal devices. It's obvious that with industry-owned devices, they would include the same or more rigorous management.

> What magical device are you talking about?

Huh? The point is that you can protect enterprise grade technology better than mobile devices, not that you can't extract information from anything, which you can if you're willing to spend the resources.

> There are many professionals that think BYOD is the direction of the industry, and are working to address it.

Sure. But that doesn't mean that BYOD is a great policy for enterprise. If you're concerned about risk first, many hard working professionals simply say no.

> No, what really happens is lazy people that prefer the status quo don't look at the trends and determine solutions. Instead they WHINE about people pointing out that there is a shift in industry that we need to find solutions for.

You must either work for a mobile or MDM vendor. I'm very familiar with the fact that the iOS/Android APIs for managing mobile devices are so immature that most MDM features are limited mostly by what they can't do. To do most of the things that management products for other client technologies do it would have to root the phone to get the access privileges to allow it.

> Not required. Security is about acceptable risk, not perfection. If you knew anything about security, you'd know that fact.

I've been in security for over a decade. I never said it was about perfection. I said betting a million dollars on a nascent, consumer-grade platform is a decision most informed business people won't make, even if it inconveniences you personally.

> Maybe next time you could lead the charge for a calmer more rational approach?

Instead of your headlong rush into mobile device information-loss peril that you advocate because it's the popular thing to do?
Rhadamanthos,
User Rank: Apprentice
6/1/2012 | 12:37:33 AM
re: Can IT Be Trusted With Personal Devices?
Maybe the next article can be about Active Undelete. In my opinion: an obvious software tool for any IT employee who has ever run into someone who: 1) accidentally deleted the "new folder 3" on my desktop that happened to have all my updated xls spreadsheets. or 2) has had a client/customer who got a virus, decided to wipe/reinstall windows on their own, but now all their programs and files are missing. these are about the only two I can think of in short time.

Maybe it was just the way a certain part of this article was written but it sounded at a certain point like the IT crew had never heard of a program like Active Undelete. Or that data recovery was something no one had ever heard of---again we're not talking about recovery of data from a server with SQL that gets 1000 req's every minute and changes and updates the sales website every 10 minutes. but if it's a BYOD with a single hard drive there shouldn't be any reason why they shouldn't try this---but now we're getting into "wasting" corporate IT hours on people's personal problems. Needless to say: some of my best experiences with clients/customers is that moment when they realize that all their data has been saved from the ether.