BYOD: One Size Risks All

A colleague of mine has strict ideas about how he manages the security of his assets, both information and physical. He has two bank accounts, one in which he only keeps around $1,000 at any given time, and he uses it for online banking. The account has automatic overdraft declined and is tied to his PayPal account. The other account, kept at a separate banking institution, is where he keeps the majority of his free cash. It has overdraft protection, but he’s jumped through hoops to disconnect it from Internet banking. He actually has to go to the bank—that’s right, get in his car and drive downtown, walk into the building, and interact with the banking staff face to face.

I don’t know too many people who’d want to regress to the days before ATMs. We’ve become accustomed to the flexibility that information access provides us. It’s what we think of as the modern world, all others being arcane and populated with fools sporting jerkins of motley.

And yet the truth somewhere in the middle lies.

We’ve come to rely on the ubiquitous Internet, in our homes, in our pockets, at the airport, in the men’s room, at dinner, in bed. It’s the green eggs and ham of our time: we will online bank in a house and with a mouse, check in with FourSquare in a box with a fox, buy shoes from Zappos on a boat with a goat; we will surf here and there and everywhere.

I just used my mobile to navigate from a conference in Quebec to the airport and check in for my flight, wielded it as my boarding pass, and used it as a camera to send a picture of my driver’s license to my wife so we can process the remortgage on my house. I do not, however, have corporate email—or any data from my employer for that matter—on my one active mobile phone, which is my own personal device.

Jack Danahy has discussed the trade-offs of intermingling your personal and business devices. The other colleague I mentioned earlier has extended this to separating his assets even within his personal life, with two bank accounts. The sacrifice in both cases is a certain measure of convenience that we’ve all come to enjoy.

Now there are those who would argue that all this technology simply encumbers us with, well…technology. It hasn’t freed up our time to cure cancer or effect world peace. One might even argue the love for our flat and shiny pets is one cause of the rampant obesity in our modern society. Maybe more striding up to teller windows would not only burn off a few calories, but also keep us from consuming more as we march around performing chores. (The fast food chains already have a jump on that one, though; just about every type of food is now available in a walk-around version wrapped in tin foil.) As for world peace, I’m not sure if having our heads buried in our mobile phones is good or bad: we’re not interacting as much, but we tend to be an argumentative species anyway.

But I didn’t come here to wax philosophic about the benefits and failings of the information revolution, but rather how we can protect ourselves from ourselves. We seem to have transitioned from a period ten or so years ago where security professionals said “no” by default, then gave ground by inches, making sure to place severe restrictions on any new IT project. This created an environment where the security killjoy was often omitted from meetings, then after the functional, architectural, and budgetary decisions were a fait accompli, tasked with making sure everything was safely swaddled and safe from all evil.

Fast-forward to today and the culture of security has changed. We’re expected to say yes to all technology requests, as long as they have a business case, and enable the initiative by building security in. Hey, at least we’re being invited to the party while the hors d’oeuvres are still being selected and the ice sculpture picked out. But for that privilege the pendulum has swung from one extreme to the other. Now it’s time to start saying no again, but discriminately. And politely.

For example, is BYOD really necessary in most businesses? The promise was that it would save on capital expenses and boost productivity by letting employees use their own equipment instead of company-provided laptops. Kris Lovejoy, at the recent Reboot Ottawa conference, mentioned that in her role as VP of IT Risk she finds that IBM spends more on securing and managing employee-purchased devices than on those provided by the company, even when the cost of the hardware is factored in.

Now some organizations may find sound business reasons for supporting BYOD policies, and may even work out the financials in their favor; however, in many cases I suspect organizations would be better off from a security perspective to provide mobile phones and tablet computers for business use and enforce the same acceptable use policies that apply to laptops and desktops.

For example, hospitals might provide iPads to physicians for electronic health record (EHR) access, but those devices could not be used for personal pursuits: no web browsing except for sanctioned sites relevant to patient care and the business of the hospital, no loading music or books or Angry Birds. The devices would have strict configuration control and replication of data to a cloud service, so that if a remote wipe is necessary no hospital information is lost and there are no hard feelings about the loss of the physician’s personal stuff. Of course the cloud backup service would be vetted and supported by the hospital for personal health information, with appropriate security controls and encryption; no risk of accidentally sending ePHI to an iCloud account with a password of ‘password’. The physician could bring his own Android tablet or Kindle Fire for personal use, but would be strictly forbidden from putting hospital data on it; Internet access might be provided by a guest/personal wireless network, with no cross-connection to the organizational infrastructure.

We talk about creating virtual separation within mobile devices so we can apply separate policies to personal and organizational data, but there’s nothing wrong with keeping your money in two banks; why not two phones? The more we blur the line between personal and organizational data, the more we expose the latter to the inevitably looser security habits of the user, and at the same time invade the user’s experience with eight-digit passcodes that are overkill for their playlists, hang the sword of Damocles over their data and applications with the possibility of a big red data nuke button back at corporate, and create a feeling of malaise about what can be monitored by Big Brother at the SOC in the sky.

I’m not saying every organization needs to dismantle their mobile device strategy and adopt a Noah’s Ark policy where all employees carry two of everything. Not all organizations have the same business and security needs, so don’t be afraid to step away from the status quo and put on your critical thinking hat. Before you join the stampede with all the organizations who have bought into the concept of unifying personal and business devices, consider that one size can risk all.

Sometimes contextually appropriate security is simply inconvenient.

Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.