Government // Mobile & Wireless
Commentary
5/15/2012
11:40 AM
Art Wittmann
Art Wittmann
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Can IT Be Trusted With Personal Devices?

Mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data.

Most IT teams weren't prepared for the BYOD challenge, and they're not handling it well. This assertion is borne out by our Mobile Security Survey, which shows that security education is still underfunded and underappreciated and that there's an ongoing mismatch between the mobile device management features IT deems to be important and what's in end users' best interests.

To illustrate just how pernicious the wrong BYOD policies can be, here's a hypothetical: A worker decides to buy an iPad so that, among other things, he can record and store pictures and movies of important events. Perhaps he manages to catch his baby's first steps or his daughter's piano recital, or he uses the iPad to store hundreds of family vacation pictures.

Being a good and proactive employee, he brings the iPad into work, to use for sales presentations and such. The IT organization tells him that before he can put any company data on the device, even what's freely available on the company website, it'll need to install some software that will enforce passwords (No. 1 on our list of most critical MDM security functions). The app will also perform remote locking and wiping of the device, offer some malware protection, and deliver security updates (Nos. 2, 3, and 4 on the list).

[ BYOD? Get used to it, says Interop panel. Read more at Mobile OS Proliferation Continues. ]

The software will require password changes every few months, enforce minimum standards for length and complexity, lock the device after a given time, and if too many failed password attempts occur, wipe the device (the top 5 password policies desired by IT pros).

Now, suppose one of the employee's young children plays with the iPad, exceeds the number of failed password attempts, and the device is wiped. No baby's first steps, no piano recital, no pictures from the family vacation. The employee had the best of intentions about iCloud backups but didn't follow through, and needless to say, IT hadn't provided any backup mechanism. The livid employee is left with a blank device and a "Gee, we're sorry about that" from IT.

While technology can play a part in protecting the company while letting employees use their own devices for business purposes, most IT teams are creating an insane set of rules for no apparent reason. That same employee could have emailed the sales presentation, which probably isn't encrypted or password protected, to his Gmail account, uploaded some product shots to Dropbox, and used the device for work without IT's involvement. And there's often incentive for employees to do just that, because IT's policies are onerous at best, and at worst downright counter to the employee's interests. If software can't tell the difference between company data and employee data, it has no place on a personally owned device.

Further, mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data. The data is what the company owns, and it's what the company values. But of course, data management involves user training and classification and some security finesse. For too many IT teams, it's easier to use a blunt instrument.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

There's a bit of good news in our survey: While only 32% of respondents have had a security awareness program in place for two or more years, 18% have recently added one, and an additional 25% say they'll get one in place in the next 12 months. Plenty of cloud-based backup services can add a layer of protection for both company and personal data; we recently did a roundup of 13 providers.

No doubt users represent a security risk, but they're also your first line of defense--if you take the time to clue them in on best practices. Explain how securing corporate data can help protect them as well; if their smartphone is stolen, they may want to nuke it. But for goodness sake, don't put device-wipe time bombs on their systems unless you want to explain why all of their personal data is gone and that there's nothing they can do to get it back.

At this interactive Enterprise Mobility Virtual Event, experts and solution providers will offer detailed insight into how to bring some order to the mobile industry innovation chaos. When you register, you will gain access to live webcast presentations and virtual booths packed with free resources. It happens May 17.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
humberger972
50%
50%
humberger972,
User Rank: Apprentice
5/22/2012 | 5:54:35 PM
re: Can IT Be Trusted With Personal Devices?
GThe ability to carve out a section on a phone or ipad may not be possible. Probably requires developer and programming time -- all of which cost money no company wants to spend... on the possible hundreds of BYOD that folks want to bring into the work place. There are also few commercial software products to help do that either, and most corporations don't want to pay for it.
If your company doesn't pay for the support to protect data (expensive) vs total wipe - then it was a business decision, not IT. IT is not at the C level, they don't make these decisions.
As for backing up data on a device, if you decide to use your own device vs companies, than you are the responsible party. Why did we decide the overworked, downsized IT which is looking for cost savings is responsible for automating standard common sense behaviors? The end users was probably already told/trained about their responsibility to backup data, and follow the practices they were given at the time they were setup on their devices. I know following training, reading the rules is too much for end users.
IT can't solve your end user problem - by either automated a nanny solution for them, or sending out the rule list. The Business, the C levels have to spend money and/or strictly enforce the rules. This is not an IT issue, except by default - because the business doesn't want to deal with it or spend money on it.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/18/2012 | 2:44:00 AM
re: Can IT Be Trusted With Personal Devices?
A lot of the argument here depends on how strong the IT leadership is and how mature the organization is.

In your scenario with the 5 year old laptop - look at the cost of upgrading the RAM vs. buying a new system. Even the most cash-strapped businesses will understand that the upgrade pays short-term dividends while a replacement will pay long term ones. Then there's the tangent regarding using non-warranty'd hardware in a business environment... I'll leave that one for later.

For a company with a good number of freelancers among their headcount, BYOD may make sense (why go through the trouble with setting a freelancer up with devices to do their work when they can provide it themselves), but in most other cases, I'm really not a fan of BYOD. Just because you bring a device into my office doesn't mean that I have to support it.

With regards to your final point, I'm fully aligned with that idea - IT is a support function in the vast majority of organizations. I had a former C-level in one of my organizations that made it very clear that they saw IT as a cost sink when it came to the budget as opposed to quite clearly understanding just what IT did, it's a necessary evil from their point of view. Since IT supports the organization, it has to do what is best for the entire organization - which brings me back to the idea of setting hardware standards and support boundaries in order to better deliver support to suported devices.

Point blank - IT can't be everything to everyone and BYOD, to some degree, tries to make IT be everything for everyone.
harringbones
50%
50%
harringbones,
User Rank: Apprentice
5/17/2012 | 5:32:11 PM
re: Can IT Be Trusted With Personal Devices?
MDM solutions such as MaaS360 take account for these variables by making BYOD Privacy Settings a part of their offering (taking account for the privacy of personally identifiable information such as apps and location info) plus the ability to remote wipe (only corporate data goes bye-bye). Learn more here: http://links.maas360.com/mobDe...
ANON1234378329170
50%
50%
ANON1234378329170,
User Rank: Apprentice
5/16/2012 | 7:33:43 PM
re: Can IT Be Trusted With Personal Devices?
I don't think the users understand what is happening with the BYOD trend. The corporations are slowly pushing the equipment costs to the employees. You pay for your device and data plans. It will not be long before having a specifc device, owned by the potential employee, will be a requirement for employment.
ArtWittmann
50%
50%
ArtWittmann,
User Rank: Apprentice
5/16/2012 | 3:34:15 PM
re: Can IT Be Trusted With Personal Devices?
Part of what really bothered me about the survey findings was that the ability to do a total device wipe ranked higher on the list of desirable features than doing selective deletes did. It seems to me that a far better policy is for the company to carve out a corner on the user's device and manage that along with the data that resides there. You may want some other software to determine that the OS isn't hacked, but beyond that, IT needs to confine itself to managing its data. It shouldn't attempt to manage devices it doesn't own. That's a liability problem.

There's nothing wrong with limited MDM, but the results of the survey indicate to me that the problem isn't being well considered. And since a poor policy can now affect data the company should never even consider touching, users need to think through what they're doing and assess whether their IT team's policies make sense. If they don't, then don't subject your equipment to a policy you don't agree with.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Strategist
5/16/2012 | 1:57:43 PM
re: Can IT Be Trusted With Personal Devices?
A lot of question marks in those comments partner, a few of which I can relate personal experience. Who is bringing devices, everyone from the GenX who approaches IT with the attitude that BYOD is a right and they know because they've read all about the push through IT online publications to the CEO who is an rabid Apple supporter and doesn't care what the rest of the company does, IT will make his Apple devices (iphone, pad, MAC and laptop) integrate and take care of this home PC as well for remote access. So you now have 4 non standard devices. I've worked in capital restricted companies which provide EOL equipment and senior managers who are willing to fund their own laptops rather than suffer with outdated equipment (try using a five year old laptop with less than 500mb RAM on today's interactive Flash enabled Web2.0 sites).

From the moment IT accepts the BYOD strategy, then they must accept the responsibility to protect at least the corporate data which will eventually be stored on the devices. A use policy which outlines responsibilities for data protection, the extent of IT responsibilities, and problem resolution methods should not only provided but part of a verbal briefing with the employee and documented (countersigned for receipt and understanding) before the device is configured for corporate use.

In the end, one concept must be a kind of guiding beacon. IT is present to support business and business objectives, the business is not there to support IT's (the dog has to wag the tail, not the tail wag the dog). It should drive acquisition, it should be used to develop strategic projects, and it should be in the forefront when designing IT policy and procedures. Business must only understand the cost of their needs and desires and treat them accordingly (needs being necessary, desires nice to have options).
The Woodsman
50%
50%
The Woodsman,
User Rank: Apprentice
5/16/2012 | 8:02:33 AM
re: Can IT Be Trusted With Personal Devices?
It's easy to say IT security policies are at fault. But, just educating the staff is not the answer eaither. For example, we live in a society that's governed by laws and people break them all the time. So, you have to have consequences for breaking them.

Furthermore, if we expect corporate IT to properly protect the data, like taking backups and implementing good practices to protect the security of the data, why would we not expect the same from anyone using a device for personal reasons? We're all largely aware of privacy concerns with the likes of Google and Facebook...yet we still use them, in full knowledge of this fact.

What it boils down to is personal responsibility and accountability. Ignorance is no excuse and taking a hard line with the corporate IT department because we couldn't take responsibility for your own data is just an excuse.

Yes, corporate IT does care about the data and they are using the tools and advice that is available to them. So, rather than beating on them, let's support them in there efforts to wrestle with the relentless march of technology.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/16/2012 | 1:14:39 AM
re: Can IT Be Trusted With Personal Devices?
Why is it that people feel the need to bring their own devices with them into the workplace? Let's start by looking at that... if your organization wants you to be available after hours for emergencies, why aren't they supplying you with a device?

Another good question that needs to be examined - if people are bringing their own devices, what about support? Is IT then going to have to be responsible for backing up that device? Does the local IT department need to become an expert in every device imaginable in order to keep users happy/working? Sounds like that might kill the budget by requiring a lot more man hours of training and support rather than setting on a standard device that all of the support staff gets trained on.

If people are bringing their own devices, are they going to get to bring their own computing platforms? Try bringing a Mac into a Windows-only infrastructure and see how long until chaos ensues. Or, for that matter, a Linux system into a Windows-only infrastructure.

What about people bringing their own data into the work environment? Couple of examples here - user takes their laptop home and does an inventory of their baseball card collection on thier work-issued laptop. Legally, that baseball card inventory would be considered as employee work-product. And what about the user that's working on her Master's degree and using her work-issued laptop to take those classes. Sure, the organization might support that idea (especially if the degree is in a field related to the user's work), but what happens when the portal that the user uses to access their class records becomes an attack vector on the system?

Why break the back of your IT support organization by encouraging the executives in the "Device of the Month" club and having that mindset filter down? There's a reason that organizations set hardware procurement standards - easier to support, easier and cheaper to procure, lower TCO.

Andrew Hornback
InformationWeek Contributor

n_dude
50%
50%
n_dude,
User Rank: Apprentice
5/16/2012 | 12:27:52 AM
re: Can IT Be Trusted With Personal Devices?
On a personal level I agree with the points raised in this article. The problem is that we as security practitioners have driven the standard controls for mobile devices (passwords, remote wipe) and have tried to port these across to personal devices rather than trying to focus on the corprorate data on the device and putting the appropriate security controls over that.
Tom LaSusa
50%
50%
Tom LaSusa,
User Rank: Apprentice
5/15/2012 | 9:26:06 PM
re: Can IT Be Trusted With Personal Devices?
Great article Art. I still think the BYOD concept has too many dangers and potential gotchas for it to ever be truly be effective though.

Tom LaSusa
InformationWeek
<<   <   Page 2 / 3   >   >>
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 17, 2014
It doesn't matter whether your e-commerce D-Day is Black Friday, tax day, or some random Thursday when a post goes viral. Your websites need to be ready.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.