Should security concerns slow BYOD trend? Probably.
Summary: With user devices facing security threats from every direction and with no end in sight, BYOD should slow down a bit. The real question is, "What's the answer to this ongoing threat?" The answer may surprise you.
Writing a BYOD/Consumerization column doesn't necessarily make me a full-fledged proponent of the practice. My opinion is that you can do anything you want as long as you're willing to accept the risk. That includes snake hunting, parachuting, out-of-bounds skiing and bringing your own device. All have their benefits, all have their risks and all have negative outcomes should something go wrong. And it only has to go slightly wrong for those negative effects to outweigh any possible benefits gained.
Though many would disagree, I don't promote FUD*. I think that for any real progress to be made in the world, you have to have risk takers--those who're willing to do what no one else is. Without those kinds of people, we wouldn't have many of the technological, medical or agricultural advances made in the past 200 years.
Risk taking is part of business. However, you have to temper risk with return. Ask any energized entrepreneur about risk and he'll surely recite the "Without great risks, there are no great rewards" adage. It is true. But we're not talking about blazing new trails here, we're talking about BYOD vs. corporate-owned devices. That's a very different story than one that describes how the world's great business risk takers are also the big success stories.
This is about carrying on business--day-to-day operations, where risk isn't a good thing. Businesses spend billions to install backup systems, RAID arrays, SANs, disaster recovery and every kind of redundancy and "airbag" you can think of to lower that daily risk to business operations.
True?
Undeniably true.
Does BYOD add to the risk of those daily operations?
It does.
How you deal with that risk determines how severe those disruptions will be when they happen.
BYOD brings risk because you're allowing user-owned devices within your network. You're allowing users to attach to corporate assets, to access corporate documents and to interact with users inside and outside of your network with those non-corporate owned (controlled) devices.
To allow these devices, you employ a mobile device management (MDM) or mobile application management (MAM) suite to lower your risks. Good job. But that suite is only part of the answer. It won't solve all of the security risks associated with BYOD. For example, it doesn't resolve any mobile OS-related security problems nor does it completely insulate you from malicious, ignorant or stupid users. If you know anything about computer support, you know that people are never guilty of changing anything, installing anything or deleting anything essential to the operation of any computing device in their care.
A good application or device management suite does protect your network from jailbroken devices, from thousands of known malware programs and from standard risks via encrypted connections/communications back to the mother ship (the corporate network).
Your MDM or MAM is a great first line of defense against a lot of threats. But the weak links are still the user and the user's device. A user-owned device is an open door to accidental or intentional security breaches. If you don't believe me, ask any security professional.
Adding to the problem is the fact that you don't fully control the user's device. They own it. You might want to control what the user does with it while connecting to your network and accessing your assets but you don't have full control of the device.
Full device control means that you can determine:
- When the device is updated.
- Which Apps the user can download and use.
- Which App providers are allowed.
- The type of device used.
- When to apply App updates.
- Which App versions are allowed.
I think you get the idea that you really don't have control of a user's device nor should you. It's a personal device. For this reason, some companies are using MAM, which fully controls specific corporate-owned applications. Those applications are under full control of the company, including their security, maintenance and life cycle. To remove a user's access, you simply uninstall the App, leaving the device generally untouched.
MAM is a good compromise for most users and companies alike. It allows the user to use their phones and devices freely as their own but also allows for a high level of security within the corporate-owned Apps.
The only flaw that I can see with MAM is that you can't prevent interaction with the underlying operating system. That interaction could compromise an App and, in turn, compromise what's on the other end of the App, which is your corporate network. And no operating system is safe from these threats. Android threats have mushroomed at an alarming rate. See the Kaspersky graphic below depicting the rise in Android threats.

As far as new malware threats and exploits go, Android is the new Windows. There was a time when Android and Linux supporters assumed that the operating systems were not vulnerable to such malicious software.
All of this data and opinion boils down to one question for you and your BYOD program: How much risk are you willing to accept? An additional question added by MDM and MAM vendors is, "How will you mitigate that risk?" The answers aren't so easy nor as visually appealing as the threats.
Corporate-owned devices don't guarantee a trouble-free or threat-free environment either. However, the difference is the level of control that I wrote about earlier. Corporate-owned devices carry that extreme level of control. The only weak link in the corporate-owned device scenario is that the user is on the other end of the device--a necessary evil.
You can't fully remove all risk because of those end users. You can minimize the risk but you can't get rid of it. Any amount of risk you're willing to accept comes down to the amount of money you're willing to spend to prevent, avert and mitigate.
It seems that the costs are very close for either BYOD or for corporate-owned devices. In other words, few find BYOD a money-saving practice. But the risks and costs associated with those risks might slow your BYOD program's momentum. And it probably should.
What do you think? Do you think that companies should take a second look at the security risks of adopting BYOD programs? Or do you think that this security thing is overblown FUD? Talk back and let me know.
*FUD - Fear, uncertainty and doubt.

Talkback
BYOD & Security
However, if BYOD is the reason that companies want to improve their security, they are compromised already. There are a lot of different ways to compromise data, from a Dropbox account to sending an email with company information to your private email account. The BYOD threat should be treated as part of the overall security upgrade and infrastructure; it should not be the focus point, however.
Good points
Malware per available apps
BB10 has the solution
ATT is touting this same idea
iOS phones and tablets have a vastly smaller malware problem than Android
Depending on your perspective, the consumerization of technology or BYOD means different things to different people. Since Apple has traditionally had very little presence in the enterprise, it is partly a way to acknowledge that Apple's superior consumer technology can no longer be kept out.
Enjoy!
They also have glaring weaknesses
Apple's approach to the enterprise
From an enterprise perspective, they do have some glaring weaknesses. Some will gradually be addressed. The difference is Apple won't be the first to solve many of these problems, but will wait to adopt the best solutions developed by others.
Enjoy!
BYOD is a pox
BYOD is like me (a project manager) going to the legal team and specifying what articles they can read, then telling the accounting department what software they can use, removing the ERP and making HR use only spreadsheets.
This is people who have 0 education or knowledge in the area of concern telling the people who have made it their lives to become experts in that same area just because they've used computers a couple times.
Yeah, and Dale Earnhardt takes my driving tips.
"BYOD" is a codename for you can use your iPhone or iPad for work
The term "BYOD" is an attempt by non-Apple fans to keep the door open for others including Microsoft who are late to the party. What's missing is a recognition that Apple's consumer focussed business model is giving them access to resources others can't match. So far, nobody else has been able to build products that compete effectively against the iPad.
I don't see enterprises rushing to adopt the Kindle Fire HD. Whether Surface Pro can challenge iPad adoption remains to be seen. Walt Mossberg wrote "It’s too hefty and costly and power-hungry to best the leading tablet, Apple’s full-size iPad. It is also too difficult to use in your lap."
Enjoy!
Know why and how to "BYOD"
You make some excellent points! Companies should definitely take a second (and perhaps even a third) look at the security implications of allowing BYOD. However, that doesn’t mean that it’s not a strategy that will work for them. It simply means that any BYOD implementation should be done intelligently. BYOD is a tool that enables user productivity; and can bring adverse results if not implemented meticulously. The fact of the matter is that BYOD is not the right strategy for every employee in every organization, but it is a great option for many. As a Symantec employee who works with MDM and MAM solutions all the time, I have seen firsthand that the BYOD initiative can be implemented in such a way that the expected benefits are easily possible without introducing added vulnerability. The key is for a company to partner with their respective solution provider to develop a strategy that is tailored to their specific needs.
Swarna Podila
Symantec
RDP as the bridge solution.
Desktop is under full Enterprise control and RDP is secure enough and is widely available on Android and iOS?
BYOD