Why Security Isn't A BYOD Showstopper - InformationWeek
04:24 PM
Craig Mathias

Why Security Isn't A BYOD Showstopper

IT should view the bring-your-own-device phenomenon as less of a threat and more as an opportunity. Here's why.

In a webinar on BYOD that I just did, a survey of the 500-plus participants showed that security is by far the leading concern of IT managers when it comes to implementing a bring-your-own-device program. More than 60% of those voting reiterated what I hear every day: "Is it safe? Can we really trust users and their personal handsets with enterprise secrets?"

Security is, of course, the one part of IT where one can never be "done". Each week brings new concerns, new threats, and some previously unknown and unforeseeable challenge. Perhaps it's news of yet another IT breach, or, even worse, a discovery, not yet public, that something has gone terribly wrong and confidential information might be compromised. With security constantly under fire, then, aren't we just making things worse by allowing essentially any device on the corporate network? Aren't we just waving the proverbial red flag in front of the hacker community, daring them to do their worst once again?

Let me begin to answer that by saying that BYOD is, no matter what, going to become the norm in enterprise mobility during the next few years. Users want to carry only one handset, and it's their phone. The enterprise can save big bucks by eliminating the capital expense of unwanted (by users, anyway) handsets and sharing the operating expense of cellular service plans. Properly managed, then, BYOD looks like a win/win.

And proper management is the key. A number of vendors have announced BYOD solutions in recent days. Although each of these products addresses security, they are really at their cores about policy, and the enforcement thereof. So, then, is your security policy in place and up-to-date? How about your acceptable-use policy? Your agreements with your employees and contractors regarding the above and service-cost reimbursements? Have you updated your training? Training includes, by the way, basic consciousness-raising, along the lines of "loose lips sink ships".

As is always the case in IT, the place to start is with strategies and objectives; many questions need to be asked before any IT service goes live, let alone with BYOD. What information should be secured? Who should have access to it, and under what circumstances? What must be done in the event of a breach? How is confidential information tracked? What are the policies regarding authentication, file encryption, remote access, and VPNs?

All BYOD does is introduce a potential new vector; it doesn't redefine or even change the security problem very much. Got live USB ports on your PCs? Know how much a modern microSD card can hold? Still think BYOD is that big of a security threat?

We can learn a lot from the techniques employed in government-class security, which are based on the concepts of security clearance level (secret, top secret, etc.) and, more importantly, need to know. The former can be addressed through a careful and at least annual review of security policy and procedures, along with the tools applied. Need to know is addressed by carefully defining and controlling who belongs to what group of users, and what privileges are granted to any given group. See? BYOD doesn't really introduce much new here.

Indeed, a good BYOD solution is one coupled with mobile device management (MDM) and mobile application management (MAM) capabilities to make sure that mobile devices allowed on the corporate network are operationally secured and appropriately monitored, and that features such as device wipe are available when necessary (and, of course, that users are aware they might be applied).

I see BYOD evolving from Guest Access 2.0 to, ultimately, the enterprise network access control system of the future. The core functions in BYOD, which can include, depending upon enterprise philosophy and vendor implementation, all aspects of both security and integrity management, are common to both wired networks and enterprise-owned devices as well.

So perhaps we should view BYOD as less of a novelty or a threat, and more as an opportunity to improve security, cut costs, and, in the bargain, improve both user and operations-staff satisfaction across the board.

Richard Bliss
5/11/2012 | 1:00:41 AM
re: Why Security Isn't A BYOD Showstopper
Excellent point of identifying that the issue of security with BYOD is often more about policy enforcement. In addition, merging an MDM solution that secures the device, cuts the operating costs, and manages the apps and other functionality shouldn't be split up between vendors.

Experience would seem to say that the concern for security with BYOD seems to be more of a CYA in case anything goes wrong and necessarily because there are state secrets that are going to leak out.

Richard Bliss