04:24 PM
Craig Mathias

Why Security Isn't A BYOD Showstopper

IT should view the bring-your-own-device phenomenon as less of a threat and more as an opportunity. Here's why.

In a webinar on BYOD that I just did, a survey of the 500-plus participants showed that security is the way-out-in-front, lead concern of IT managers when it comes to implementing a bring-your-own-device program. More than 60% of those people voting reiterated what I hear every day. "Is it safe? Can we really trust users and their personal handsets with enterprise secrets?"

Security is, of course, the one part of IT where one can never be "done". Each week brings new concerns, new threats, and some previously unknown and unforeseeable challenge. Perhaps it's news of yet another IT breach, or, even worse, a discovery, not yet public, that something has gone terribly wrong and confidential information might be compromised. With security constantly under fire, then, aren't we just making things worse by allowing essentially any device on the corporate network? Aren't we just waving the proverbial red flag in front of the hacker community, daring them to do their worst once again?

Let me begin to answer that by saying that BYOD is, no matter what, going to become the norm in enterprise mobility during the next few years. Users want to carry only one handset, and it's their phone. The enterprise can save big bucks by eliminating the capital expense of unwanted (by users, anyway) handsets and sharing the operating expense of cellular service plans. Properly managed, then, BYOD looks like a win/win.


And proper management is the key. A number of vendors have announced BYOD solutions in recent days. Although each of these products addresses security, they are really at their cores about policy, and the enforcement thereof. So, then, is your security policy in place and up-to-date? How about your acceptable-use policy? Your agreements with your employees and contractors regarding the above and service-cost reimbursements? Have you updated your training? Training includes, by the way, basic consciousness-raising, along the lines of "loose lips sink ships".

As is always the case in IT, the place to start is with strategies and objectives; many questions need to be asked before any IT service goes live, let alone with BYOD. What information should be secured? Who should have access to it, and under what circumstances? What must be done in the event of a breach? How is confidential information tracked? What are the policies regarding authentication, file encryption, remote access, and VPNs?

All BYOD does is introduce a potential new vector; it doesn't redefine or even change the security problem very much. Got live USB ports on your PCs? Know how much a modern microSD card can hold? Still think BYOD is that big of a security threat?

We can learn a lot from the techniques employed in government-class security, which are based on the concepts of security clearance level (secret, top secret, etc.) and, more importantly, need to know. The former can be addressed through a careful and at least annual review of security policy and procedures, along with the tools applied. Need to know is addressed by carefully defining and controlling who belongs to what group of users, and what privileges are granted to any given group. See? BYOD doesn't really introduce much new here.

Indeed, a good BYOD solution is one coupled with mobile device management (MDM) and mobile application management (MAM) capabilities to make sure that mobile devices allowed on the corporate network are operationally secured and appropriately monitored, and that features such as device wipe are available when necessary (and, of course, that users are aware they might be applied).

I see BYOD evolving from Guest Access 2.0 to, ultimately, the enterprise network access control system of the future. The core functions in BYOD, which can include, depending upon enterprise philosophy and vendor implementation, all aspects of both security and integrity management, are common to both wired networks and enterprise-owned devices as well.

So perhaps we should view BYOD as less of a novelty or a threat, and more as an opportunity to improve security, cut costs, and, in the bargain, improve both user and operations-staff satisfaction across the board.

Richard Bliss
5/11/2012 | 1:00:41 AM
re: Why Security Isn't A BYOD Showstopper
Excellent point of identifying that the issue of security with BYOD is often more about policy enforcement. In addition, merging an MDM solution that secures the device, cuts the operating costs, and manages the apps and other functionality shouldn't be split up between vendors.

Experience would seem to say that the concern for security with BYOD seems to be more of a CYA in case anything goes wrong and necessarily because there are state secrets that are going to leak out.

Richard Bliss