Government // Mobile & Wireless
Commentary
5/15/2012
11:40 AM
Art Wittmann
Art Wittmann
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Can IT Be Trusted With Personal Devices?

Mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data.

Most IT teams weren't prepared for the BYOD challenge, and they're not handling it well. This assertion is borne out by our Mobile Security Survey, which shows that security education is still underfunded and underappreciated and that there's an ongoing mismatch between the mobile device management features IT deems to be important and what's in end users' best interests.

To illustrate just how pernicious the wrong BYOD policies can be, here's a hypothetical: A worker decides to buy an iPad so that, among other things, he can record and store pictures and movies of important events. Perhaps he manages to catch his baby's first steps or his daughter's piano recital, or he uses the iPad to store hundreds of family vacation pictures.

Being a good and proactive employee, he brings the iPad into work, to use for sales presentations and such. The IT organization tells him that before he can put any company data on the device, even what's freely available on the company website, it'll need to install some software that will enforce passwords (No. 1 on our list of most critical MDM security functions). The app will also perform remote locking and wiping of the device, offer some malware protection, and deliver security updates (Nos. 2, 3, and 4 on the list).

[ BYOD? Get used to it, says Interop panel. Read more at Mobile OS Proliferation Continues. ]

The software will require password changes every few months, enforce minimum standards for length and complexity, lock the device after a given time, and if too many failed password attempts occur, wipe the device (the top 5 password policies desired by IT pros).

Now, suppose one of the employee's young children plays with the iPad, exceeds the number of failed password attempts, and the device is wiped. No baby's first steps, no piano recital, no pictures from the family vacation. The employee had the best of intentions about iCloud backups but didn't follow through, and needless to say, IT hadn't provided any backup mechanism. The livid employee is left with a blank device and a "Gee, we're sorry about that" from IT.

While technology can play a part in protecting the company while letting employees use their own devices for business purposes, most IT teams are creating an insane set of rules for no apparent reason. That same employee could have emailed the sales presentation, which probably isn't encrypted or password protected, to his Gmail account, uploaded some product shots to Dropbox, and used the device for work without IT's involvement. And there's often incentive for employees to do just that, because IT's policies are onerous at best, and at worst downright counter to the employee's interests. If software can't tell the difference between company data and employee data, it has no place on a personally owned device.

Further, mobile device management as a path to security is a fundamentally flawed strategy. You must manage the data. The data is what the company owns, and it's what the company values. But of course, data management involves user training and classification and some security finesse. For too many IT teams, it's easier to use a blunt instrument.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

There's a bit of good news in our survey: While only 32% of respondents have had a security awareness program in place for two or more years, 18% have recently added one, and an additional 25% say they'll get one in place in the next 12 months. Plenty of cloud-based backup services can add a layer of protection for both company and personal data; we recently did a roundup of 13 providers.

No doubt users represent a security risk, but they're also your first line of defense--if you take the time to clue them in on best practices. Explain how securing corporate data can help protect them as well; if their smartphone is stolen, they may want to nuke it. But for goodness sake, don't put device-wipe time bombs on their systems unless you want to explain why all of their personal data is gone and that there's nothing they can do to get it back.

At this interactive Enterprise Mobility Virtual Event, experts and solution providers will offer detailed insight into how to bring some order to the mobile industry innovation chaos. When you register, you will gain access to live webcast presentations and virtual booths packed with free resources. It happens May 17.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ANON1241526426595
50%
50%
ANON1241526426595,
User Rank: Apprentice
6/12/2012 | 10:44:11 PM
re: Can IT Be Trusted With Personal Devices?
> This is irrelevant, it can happen with ANY device (corporate or private)

The point is, Art is upset about the fact that industry takes a hard line with management of personal devices. It's obvious that with industry-owned devices, they would include the same or more rigorous management.

> What magical device are you talking about?

Huh? The point is that you can protect enterprise grade technology better than mobile devices, not that you can't extract information from anything, which you can if you're willing to spend the resources.

> There are many professionals that think BYOD is the direction of the industry, and are working to address it.

Sure. But that doesn't mean that BYOD is a great policy for enterprise. If you're concerned about risk first, many hard working professionals simply say no.

> No, what really happens is lazy people that prefer the status quo don't look at the trends and determine solutions. Instead they WHINE about people pointing out that there is a shift in industry that we need to find solutions for.

You must either work for a mobile or MDM vendor. I'm very familiar with the fact that the iOS/Android APIs for managing mobile devices are so immature that most MDM features are limited mostly by what they can't do. To do most of the things that management products for other client technologies do it would have to root the phone to get the access privileges to allow it.

> Not required. Security is about acceptable risk, not perfection. If you knew anything about security, you'd know that fact.

I've been in security for over a decade. I never said it was about perfection. I said betting a million dollars on a nascent, consumer-grade platform is a decision most informed business people won't make, even if it inconveniences you personally.

> Maybe next time you could lead the charge for a calmer more rational approach?

Instead of your headlong rush into mobile device information-loss peril that you advocate because it's the popular thing to do?
Rhadamanthos
50%
50%
Rhadamanthos,
User Rank: Apprentice
6/1/2012 | 12:37:33 AM
re: Can IT Be Trusted With Personal Devices?
Maybe the next article can be about Active Undelete. In my opinion: an obvious software tool for any IT employee who has ever ran into someone who: 1) accidentially deleted the "new folder 3" on my desktop that happen to have all my updated xls spreadsheets. or 2) has had a client/customer who got a virus, decided to wipe/reinstall windows on their own, but now all their programs and files are missing. these are about the only two I can think of in short time.

Maybe it was just the way a certain part of this article was written but it sounded at a certain point like the IT crew had never heard of a program like Active Undelete. Or that data recovery was something no one had ever heard of---again we're not talking about recovery of data from a server with SQL that gets 1000 req's every minute and changes and updates the sales website every 10 minutes. but if it's a BYOD with a single hard drive there shouldn't be any reason why they shouldn't try this---but now we're getting into "wasting" corporate IT hours on personal peoples problems. Needless to say: some of my best experiences with clients/customers is that moment when they realize that all their data has been saved from the ether.
wn7ant
50%
50%
wn7ant,
User Rank: Apprentice
6/1/2012 | 12:30:40 AM
re: Can IT Be Trusted With Personal Devices?
"When an enterprise can be fined millions of dollars by overzealous regulators because an employee forgets a device in a public place"

This is irrelevant, it can happen with ANY device (corporate or private)

"when the security of the enterprise can depend upon the absent-minded care given to a personal consumer device never designed nor currently capable of delivering enterprise-class data protection"

I'm coming up short on a list of these devices. iPhones, Androids, and other consumer grade devices have capability to provide "enterprise class" protection. I've been able to use forensics techniques to recover information that has been deleted on BlackBerry's. What magical device are you talking about?

" against the policy and the better judgement of the professionals charged with the protection of said enterprise"

Argument from authority much? There are many professionals that think BYOD is the direction of the industry, and are working to address it.

"For *no apparent reason* tech pundits criticize the protections that enterprise IT departments are forced to adopt because the platforms are so rudimentary that there is really no choice. "

Really, no choice? No, what really happens is lazy people that prefer the status quo don't look at the trends and determine solutions. Instead they WHINE about people pointing out that there is a shift in industry that we need to find solutions for.

" Are you willing to bet your job, millions of company dollars, and the company's reputation that containerized MDM corrals ALL the sensitive data on the device? Really?"

Not required. Security is about acceptable risk, not perfection. If you knew anything about security, you'd know that fact.

"When enterprise is no longer held responsible for the irresponsible actions of users that refuse to understand what is at stake and what they can do to keep the enterprise data secure, and for the lack of security architecture of the lowest-common-denominator consumer devices, I'm sure that a calmer, more rational approach can prevail."

Maybe next time you could lead the charge for a calmer more rational approach?
wn7ant
50%
50%
wn7ant,
User Rank: Apprentice
5/31/2012 | 4:54:36 PM
re: Can IT Be Trusted With Personal Devices?
Both the company and the employee benefit. The company benefits with reduced costs of ownership, reduced cost of training, lower risk. The employee benefits by having the tool they are familiar with, whenever they need it, and the employee has a vested interest in keeping the equipment updated and protected. It is easier to educate employees about one process, security, than it is to train on security, application training, equipment usage, etc. People that use computers will soon need to have basic certifications as a function of hiring. There's no reason not to require everyone that uses a computer to have passed Security5, Security+, or any other basic computer security course.

wn7ant
50%
50%
wn7ant,
User Rank: Apprentice
5/31/2012 | 4:46:41 PM
re: Can IT Be Trusted With Personal Devices?
Respectfully that level of arrogance is what this article is trying to address. If companies are going to adopt BYOD acceptance, then there is no excuse for requiring an employee to allow you to destroy their data. Furthermore, if the device is configured to backup and does so successfully, once the device is wiped, all the employee (or ex-employee if you have triggered the wipe) has to do to recover the information, is recover from the backup. The point is, it is correct to say that the data is what you are supposed to control, not the employees personal equipment.

Furthermore imagine the employee uses their own device to engage in illegal activities. Your company may be found culpable if you are focusing on controlling the device (and should have prevented the employee from doing what they did). I'm not an attorney, but it is something to consider.
wn7ant
50%
50%
wn7ant,
User Rank: Apprentice
5/31/2012 | 4:46:10 PM
re: Can IT Be Trusted With Personal Devices?
In order for someone to be considered a "freelancer" or "contractor" in the U.S. the IRS REQUIRES that you are not providing things for them (even parking spaces). So BYOD is a fact of life. Next, which costs less, allowing people to bring their own devices which you are NOT required to support, and securing the data, or buying devices, and keeping them updated, AND securing the data. The risk profile is identical. In fact, I update my equipment more often than most businesses do, I have all the tools (software) I need to do my job on my equipment, I'm already familiar with my tools so there is no training expenditure... What benefit is there to adopting a NON-BYOD stance?
ANON1241526426595
50%
50%
ANON1241526426595,
User Rank: Apprentice
5/31/2012 | 1:52:41 PM
re: Can IT Be Trusted With Personal Devices?
Can Art Wittmann be trusted with a column titled "Practical Analysis"?

When an enterprise can be fined millions of dollars by overzealous regulators because an employee forgets a device in a public place, when the security of the enterprise can depend upon the absent-minded care given to a personal consumer device never designed nor currently capable of delivering enterprise-class data protection, when tech pundits can rail against IT because it inconveniences users who bring personally-owned devices into the workplace against the policy and the better judgement of the professionals charged with the protection of said enterprise, there's a definite disconnect in the world.

For *no apparent reason* tech pundits criticize the protections that enterprise IT departments are forced to adopt because the platforms are so rudimentary that there is really no choice. Are you willing to bet your job, millions of company dollars, and the company's reputation that containerized MDM corrals ALL the sensitive data on the device? Really?

When enterprise is no longer held responsible for the irresponsible actions of users that refuse to understand what is at stake and what they can do to keep the enterprise data secure, and for the lack of security architecture of the lowest-common-denominator consumer devices, I'm sure that a calmer, more rational approach can prevail.
ArtWittmann
50%
50%
ArtWittmann,
User Rank: Apprentice
5/22/2012 | 8:29:33 PM
re: Can IT Be Trusted With Personal Devices?
In a perfect world, the company invests so that it can take advantage of the BYOD trend, and help the company in so doing. In that perfect world, the user is responsible for the user's data and the company is responsible for its. The company can wipe, restore, set the weirdest password policies known to man, but only for its corner of the world.

The user can back up or not, and it shouldn't affect the company or its data. As I said in the original post - if software can't the difference between a company file and the user file, the user shouldn't allow it on his device, and just walk away from BYOD. In this case, I think the company loses a lot more than the user does.

I little user education won't hurt either. Some of it sticks, and users really do want to do the right thing to help and support the company. That's why they brought in their own equipment in the first place.
humberger972
50%
50%
humberger972,
User Rank: Apprentice
5/22/2012 | 8:04:46 PM
re: Can IT Be Trusted With Personal Devices?
I'd like to agree with you, and in a perfect world this would be the solution. But I've dealt with end users, and experiance teaches me that I can bend over backwards, provide the software support, show them how to do backups -- but unless the process is 100% automated, the user is never going to do. No matter what threats, training, or explaining you do... they won't do it -- but they will complain like crazy if they get wiped. Now be honest is your home system regularly backed up? Phone , pad? If yes you are probably a techie, and a part of a very small group, because even techie's don't back up their personal devices. Mine are, because everything is 100% automated.

So you say automation is the solution, but if the company is doing the backup, where is it putting the backups? Because now those backups include their employees personal data - which opens so many cans of worms, because employee x is downloading illegal copies of movies and music, employee y had their personal legal law suit info on their machine, and now it is discoverable in his lawsuit..... how does a company do an auto backup if the data needs to not be on company assets?

And in what special place do you have users who will do weekly backups of their phones, pads, and laptops.....just saying.
ArtWittmann
50%
50%
ArtWittmann,
User Rank: Apprentice
5/22/2012 | 6:36:34 PM
re: Can IT Be Trusted With Personal Devices?
The ability carve out a section of the phone both is possible and increasingly reasonable. You can find our MDM buyer's guide here: http://reports.informationweek... There's a lot of comercial software to do this, and the list gets longer by the day.

If a company decides not to buy the appropriate software to be a good caretaker on a device that the company doesn't own, then the user shouldn't let the IT shop manage their device - period. It's not really a matter of whether the CIO makes that call or someone down further in the organization. The campany isn't taking the issue seriously, so the user should walk away.

As for backing up the device, i agree, it is the end user's responsibility - but when IT installs and uses software that can wipe the device, I think the responsibility shifts. For a user who doesn't risk getting his device wiped, a once a month backup might be sufficient - once IT installs that software, don't you think IT has some responsibility to help the user figure out what changes he should make to his own procedures?

Your comment indicates a tendency toward one of the worst IT behaviors, which is an unwillingness to work the user community to educate them in a way that's actually helpful to the company. More helpful, I'd argue than that device wipe capability that ranks so high on IT's lists of wants.

The BYOD era is here, it needs a bit more nuance in its management than we'll do the cheapest, easiest thing possible. That'll work right up until it doesn't, then it'll be a huge problem that you could have had the luxury of time to address.
Page 1 / 3   >   >>
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.