Government // Mobile & Wireless
Commentary
11/4/2011
11:12 AM
Art Wittmann

BYOD Strategy Should Start With Data-Centric Security

Is "your device is now our device" the approach that your IT team takes? It's time to get back to data security first principles.

It's human nature that when confronted with something new, we try to deal with it as though it's something we already understand. And the longer we've done something a certain way, the harder it is to adjust. My current car has keyless entry and ignition--you just push buttons. I've had it for a while now, but if my mind is the least bit preoccupied as I walk up to the vehicle, my reflex is to pull keys out of my pocket. Likewise, understanding new media takes time. If we had called radio "phonograph as a service," we would have missed much of its interactive potential.

It's not surprising then that as consumerization becomes the norm and more employees bring their own smartphones and tablets into the workplace, IT's first reaction is to treat these devices just like the ones they're used to dealing with--the ones the company purchased.

Understandable or not, if "your device is now our device" is the approach your team is taking, you need to rethink things.

It's tempting to paint all devices with the same brush. The justification goes something like: "We have a policy that everyone can understand; it's fair and serviceable." However, when it comes to gear that IT doesn't own, it's a risky strategy.

[For more advice on protecting data, see InformationWeek's research report on mobile device management trends and technologies.]

How will you deal with the irate user who had unique personal data on that device, until your team accidentally wiped it remotely or sent a software update that blew away non-company content? Do you really want responsibility for unarchived, irreplaceable family pictures, or bank records, or the office fantasy football pool, or whatever? Telling the user he should have had a backup won't get you far. It certainly won't win you the admiration and respect of your coworkers, and inevitably, somewhere, sometime, lost personal data will lose someone a lawsuit. Managing devices you don't own is a risk you shouldn't be willing to take.

When a device is owned by the company and workers clearly understand what data they should and shouldn't keep on it (because you have a well-written policy and it's been well communicated), any loss of personal data on the part of the employee can fairly be assigned as the employee's own risk. When an employee owns the device, the implicit contract is different--unless the employee explicitly bought the device for use at work. That's going to be less and less the case.

What most employees want is one device (or potentially one set of devices) to carry around. They can understand the need for work-only laptops. And they can understand why the company might not want to buy tablets, even though many people find tablets useful in their work. But they don't want two phones. And what they won't understand, and shouldn't accept, is the company's insistence on managing personal devices as though they are company devices, including device management software that implements, among other things, complex password policies and remote wipe capabilities.

And yet that's what many IT teams are doing, mostly because they've conflated "device management" with "data security." Sometimes they do this because of poorly thought-out compliance requirements, and in other cases because they themselves haven't thought it through.

The thing is, device management and data security have never been the same thing, and in this era of BYOD, they really need to be treated as completely separate issues.

Device management is something IT does for its own benefit to economically ensure delivery of apps to its constituents. When it's not the company's phone or tablet or laptop, that's no longer IT's problem. But appropriately securing sensitive data always is.

The good news is that, as it pertains to most employees in most industries, a better solution is easily achievable and won't cost you anything other than some training--an investment you should already be making. First, data should be protected at its native-use level. Got a spreadsheet of employees and proposed raises? Put a password on it. Keeping lots of personally identifiable information for business purposes? Encrypt it, make it very hard for that data to walk out the door, and consider making anonymized versions easily available. But the biggest and most important thing that IT must do is to stop viewing its customers as the problem and start viewing them as the biggest part of the solution. Educate your users. Make them aware of the ways they can access and use data safely, and how they should protect sensitive information. Well-meaning but uneducated users are your biggest risk. So teach them, and make them your biggest asset.

Art Wittmann is director of InformationWeek Analytics, a portfolio of decision-support tools and analyst reports. You can write to him at awittmann@techweb.com.

Comments
Michael A. Davis, User Rank: Apprentice
12/1/2011 | 8:26:14 AM
re: BYOD Strategy Should Start With Data-Centric Security
Also, without an MDM solution that is properly configured and installed on the phone, wiping only works if the SIM card is in the phone since your wipe command goes over the network. Steal the phone, take out the SIM card, and the attacker has all the time in the world to attack the data, encrypted or not.

My report on Data Centric Security also applies here, as Art described - "It's the Data, Stupid!" You can read it at http://www.informationweek.com...

We need to start looking at our phones as if the environment is hostile. How would you change your mobile security strategy if you assumed all apps on the phone were malicious? You'd protect the data itself, not the phone.
AG4IT, User Rank: Apprentice
11/14/2011 | 3:45:11 PM
re: BYOD Strategy Should Start With Data-Centric Security
It's possible to address your concerns by implementing BYOD in a way that separates the enterprise apps and data from the personal devices. This can be achieved with a solution like Ericom's AccessNow, a pure HTML5 RDP client that enables remote users to securely connect from various devices (including iPads, iPhones, Android devices and Chromebooks) to any RDP host, including Terminal Server (RDS Session Host), physical desktops or VDI virtual desktops, and run their applications and desktops in a browser. This keeps the organization's applications and data separate from the employee's personal device.

AccessNow works natively with Chrome, Safari, Internet Explorer (with Chrome Frame plug-in), Firefox and any other browser with HTML5 and WebSockets support.

For more info, and to download a demo, visit:
http://www.ericom.com/html5_rd...
ArtWittmann, User Rank: Apprentice
11/8/2011 | 3:28:57 AM
re: BYOD Strategy Should Start With Data-Centric Security
Hi David,

That's not actually what I said. What I said is that remote wipe is giving you a false sense of security. Let me play it through for you:

If I leave my phone in a cab and some miscellaneous person finds it, in all probability they'll wipe it for you before they sell it. It's the phone they're after, not the data.

If someone steals it for the intellectual property, they'll do so only if they already know my complex password (or know a way around it) and have a plan for extracting the data very quickly. By the time you've decided to wipe my phone, the damage is done, and the data is long gone. It only takes a few minutes.

But, if we had put proper protections on the data itself (as described in the article), then it's unlikely that a would-be IP thief is going to have the right passwords, and for data that's really sensitive, we (you and I working together) would have found a way for it not to leave the company's walls, at least not in unencrypted formats.

For the vast majority of users, the answer is exactly not to do what you say. Don't use technology to solve a problem that should be solved with training and awareness. Make people the solution. Even lawyers will understand that the remote wipe capability is all but useless (just explain it to them slowly).

For other users, ones who constantly work with sensitive information, you may indeed need some technology. Elaine's link above lays out a pretty good way to look at that issue. And Jan, above, points out an approach that can also work. But the place to start isn't by throwing technology at the problem (or conversely throwing up your hands, saying we can't afford new technology, and slapping a wrong-headed policy on the management of equipment you don't own).

Seriously. Read the article. You might enjoy it.

I do agree that multiple personalities would be a good thing, and would be a big help in this situation. I'd let you (mis)manage a corner of my phone.

(Readers, David is the CIO of our company - and he and I disagree on the approach to this issue. He's a good sport for nicely responding here - even if he didn't read what I wrote)
DavidMichael, User Rank: Apprentice
11/7/2011 | 9:17:47 PM
re: BYOD Strategy Should Start With Data-Centric Security
If only smartphone manufacturers could keep up with the needs of users. Technology is available to create the world you describe, Art, but at an additional cost. BYOD is great until there is an incremental cost for the enterprise to support each personal device. When Apple and Android support separate personas where the enforced security measures and remote wipe only apply to enterprise data and not the whole device - then everyone will be happy!
ElaineR, User Rank: Apprentice
11/5/2011 | 12:03:37 AM
re: BYOD Strategy Should Start With Data-Centric Security
Art, I agree with your suggestion to educate the users/customers...this is an IT best practice. Training people on security do's and don'ts is essential to mitigating information security risks and avoiding data loss or compromise. I disagree, however, with the statement that "When it's not the company's phone or tablet or laptop, that's no longer IT's problem." Within Intel IT, we are embracing BYOD because not only do our employees want it, it also makes them more productive. We are managing and minimizing the risks, with a completely new security strategy that our CISO, Malcolm Harkins, calls "protect to enable." If you want to learn more, this whitepaper gives a great overview of our security architecture:
http://www.intel.com/Assets/PD...

IT@Intelsme
JWiewiora, User Rank: Apprentice
11/4/2011 | 7:08:36 PM
re: BYOD Strategy Should Start With Data-Centric Security
I agree with this article: with the consumerization of IT, companies need their BYOD policies to focus on the data, not just the device. As Art mentions, one way this can be done is by implementing mandatory end user and employee training. The training should cover the company's security policies and show employees how they could become victims of phishing or social engineering attacks. It is essential that users understand that by bringing in their own devices, they must play a part in securing enterprise data. For example, in many federal agencies if you do not show completion of the security training your User ID is locked until you do.

Of course it is also essential that IT sets the right security around data at the source. Enterprises should also consider using devices and software that support Information Rights Management or other methods to keep sensitive information from being distributed inappropriately. It can be so easy to attach a document to an email and hit send, then realize that the auto-complete function inserted the wrong email address. Properly implemented IRM can protect against that issue.

I recently blogged about steps enterprises can take to prevent data leaks, which you can read in more detail here: http://blogs.unisys.com/securi...

- Jan Wiewiora, Chief Systems Architect, Unisys Federal Systems Chief Technology Office