Should security concerns slow BYOD trend? Probably.

Should security concerns slow BYOD trend? Probably.

Summary: With user devices facing security threats from every direction and with no end in sight, BYOD should slow down a bit. The real question is, "What's the answer to this ongoing threat?" The answer may surprise you.

SHARE:

Writing a BYOD/Consumerization column doesn't necessarily make me a full-fledged proponent of the practice. My opinion is that you can do anything you want as long as you're willing to accept the risk. That includes snake hunting, parachuting, out-of-bounds skiing and bringing your own device. All have their benefits, all have their risks and all have negative outcomes should something go wrong. And it only has to go slightly wrong for those negative effects to outweigh any possible benefits gained.

Though many would disagree, I don't promote FUD*. I think that for any real progress to be made in the world, you have to have risk takers--those who're willing to do what no one else is. Without those kinds of people, we wouldn't have many of the technological, medical or agricultural advances made in the past 200 years.

Risk taking is part of business. However, you have to temper risk with return. Ask any energized entrepreneur about risk and he'll surely recite the "Without great risks, there are no great rewards" adage. It is true. But we're not talking about blazing new trails here, we're talking about BYOD vs. corporate-owned devices. That's a very different story than one that describes how the world's great business risk takers are also the big success stories.

This is about carrying on business--day-to-day operations, where risk isn't a good thing. Businesses spend billions to install backup systems, RAID arrays, SANs, disaster recovery and every kind of redundance and "airbag" you can think of to lower that daily risk to business operations.

True?

Undeniably true.

Does BYOD add to the risk of those daily operations?

It does.

How you deal with that risk determines how severe those disruptions will be when they happen.

BYOD brings risk because you're allowing user-owned devices within your network. You're allowing users to attach to corporate assets, to access corporate documents and to interact with users inside and outside of your network with those non-corporate owned (controlled) devices. 

To allow these devices, you employ a mobile device management (MDM) or mobile application management (MAM) suite to lower your risks. Good job. But that suite is only part of the answer. It won't solve all of the security risks associated with BYOD. For example, it doesn't resolve an mobile OS-related security problems nor does it completely insulate you from malicious, ignorant or stupid users. If you know anything about computer support, people are never guilty of changing anything, installing anything or deleting anything essential to the operation of any computing device in their care.

A good application or device management suite does protect your network from jailbroken devices, from thousands of known malware programs and from standard risks via encrypted connections/communications back to the mother ship (the corporate network).

Your MDM or MAM is a great first line of defense against a lot of threats. But the weak links are still the user and the user's device. A user-owned device is an open door to accidental or intentional security breaches. If you don't believe me, ask any security professional.

To add to the problem is the fact that you don't fully control the user's device. They own it. You might want to control what the user does with it while connecting to your network and accessing your assets but you don't have full control of the device.

Full device control means that you can determine:

  • When the device is updated.
  • Which Apps the user can download and use.
  • Which App providers are allowed.
  • The type of device used.
  • When to apply App updates.
  • Which App versions are allowed.

I think you get the idea that you really don't have control of a user's device nor should you. It's a personal device. For this reason, some companies are using MAM, which fully controls specific corporate-owned applications. Those applications are under full control of the company, including their security, maintenance and life cycle. To remove a user's access, you simple uninstall the App, leaving the device generally untouched.

MAM is a good compromise for most users and companies alike. It allows the user to use their phones and devices freely as their own but also allows for a high level of security within the corporate-owned Apps.

The only flaw that I can see with MAM is that you can't prevent interaction with the underlying operating system. That interaction could compromise an App and, in turn, compromise what's on the other end of the App, which is your corporate network. And no operating system is safe from these threats. Android threats have mushroomed at an alarming rate. See the Kaspersky graphic below depicting the rise in Android threats.

android_malware
From the Kaspersky Security Bulletin 2012 Malware Evolution.

As far as new malware threats and exploits, Android is the new Windows. There was a time when Android and Linux supporters assumed that the operating systems were not vulnerable to such malicious software.

All of this data and opinion boils down to one question for you and your BYOD program: How much risk are you willing to accept? An additional question added by MDM and MAM vendors is, "How will you mitigate that risk?" The answers aren't so easy nor as visually appealing as the threats.

Corporate-owned devices don't guarantee a trouble-free or threat-free environment either. However, the difference is that level of control that I wrote earlier. Corporate-owned devices carry that extreme level of control. The only weak link in the corporate-owned device scenario is that the user is on the other end of the device--a necessary evil.

You can't fully remove all risk because of those end users. You can minimize the risk but you can't get rid of it. Any amount of risk you're willing to accept comes down to the amount of money you're willing to spend to prevent, avert and mitigate.

It seems that the costs are very close for either BYOD or for corporate-owned devices. In other words, few find BYOD a money-saving practice. But the risks and costs associated with those risks might slow your BYOD program's momentum. And it probably should.

What do you think? Do you think that companies should take a second look at the security risks of adopting BYOD programs? Or do you think that this security thing is overblown FUD? Talk back and let me know.

*FUD - Fear, uncertainty and doubt.

Topics: Security, Malware, BYOD and the Consumerization of IT

About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • BYOD & Security

    It is true that BYOD does bring with it numerous security risks, and if not managed correctly can lead to all sorts of risks and breaches.

    However, if BYOD is the reason that companies want to improve their security, they are compromised already. There is a lot of different ways to compromise data, from a dropbox account to sending an email with company information to your private email account. The BYOD threat should be treated as part of the overall security upgrade and infrastructure, it should not be the focus point however.
    nicopretorius
    • Good points

      I agree. It should be something that's very carefully considered and done for the right reasons.
      khess
  • Malware per available apps

    I would expect the amount of malware to increase over time regardless of the platform. Out of curiosity, it would be nice to know what the fraction of malware per available app is over time. It would be even better to know when Kapersky or whom ever changes their methodology for finding malware.
    aeriform
  • BB10 has the solution

    Their innovative Work and Personal settings (aka Blackberry Balance) on their new phone is the best of both worlds...meaning that the employee can keep their personal information private and secure from corporate IT managers, while the company can keep their system secure, safe, and seperate from the employee's personal apps and info. I think this device is going to become very popular in the BYOD era.
    IsMarkWright
    • ATT is touting this same idea

      They didn't have many details at the presentation I attended, but ATT is claiming they can do the same thing for companies to help bring the benefits of BYOD to the office while insulating the company from all the risks. I couldn't tell from the presentation, but it sounded like something they did at the provider level rather than the hardware level, although I have to believe it is hardware dependent. I believe it goes by the name "Toggle".
      ejhonda
  • iOS phones and tablets have a vastly smaller malware problem than Android

    I think it's fair to say that those who claimed Apple's success in fending off malware was due to their small marketshare or only a matter of time have been proven wrong. It's time for people who are serious about BYOD security to acknowledge that different platform eco-systems have different strengths.

    Depending on your perspective, the consumerization of technology or BYOD means different things to different people. Since Apple has traditionally had very little presence in the enterprise, it is partly a way to acknowledge that Apple's superior consumer technology can no longer be kept out.

    Enjoy!
    psichel
    • They also have glaring weaknesses

      Apple gives the impression they feel their consumer popularity should be enough to give them a free pass to the enterprise. Most who don't take that at face value and dig to verify Apple's enterprise level credentials (controls, etc.) will find out it's not enough.
      ejhonda
      • Apple's approach to the enterprise

        Apple's approach has been to focus on the consumer first while doing just enough to allow enterprise use. The reason is not that Apple doesn't care about enterprise customers, but that they've lost a lot of money trying to chase enterprise customers in the past, so they are cautious preferring to stick with what they know.

        From an enterprise perspective, they do have some glaring weaknesses. Some will gradually be addressed. The difference is Apple won't be the first to solve many of these problems, but will wait to adopt the best solutions developed by others.

        Enjoy!
        psichel
  • BYOD is a pox

    No user should be allowed to bring anything that IT has not specifically researched, created infrastructure for, then approved for use.

    BYOD is like me (a project manager) going to the legal team and specifying what articles they can read, then telling the accounting department what software they can use, removing the ERP and making HR use only spreadsheets.

    This is people who have 0 education or knowledge in the area of concern telling the people who have made it their lives to become experts in that same area just because they've used computers a couple times.

    Yeah, and Dale Earnhardt takes my driving tips.
    qwetry
    • "BYOD" is a codename for you can use your iPhone or iPad for work

      Users love their iPhones and want to use them for work. Enterprises are adopting iPad in droves. That train has already left the station. These devices are being carefully researched and evaluated by IT.

      The term "BYOD" is an attempt by non-Apple fans to keep the door open for others including Microsoft who are late to the party. What's missing is a recognition that Apple's consumer focussed business model is giving them access to resources others can't match. So far, nobody else has been able to build products that compete effectively against the iPad.

      I don't see enterprises rushing to adopt the Kindle Fire HD. Whether Surface Pro can challenge iPad adoption remains to be seen. Walt Mossberg wrote "It’s too hefty and costly and power-hungry to best the leading tablet, Apple’s full-size iPad. It is also too difficult to use in your lap."

      Enjoy!
      psichel
  • Know why and how to "BYOD"

    Hi Ken,
    You make some excellent points! Companies should definitely take a second (and perhaps even a third) look at the security implications of allowing BYOD. However, that doesn’t mean that it’s not a strategy that will work for them. It simply means that any BYOD implementation should be done intelligently. BYOD is a tool that enables user productivity; and can bring adverse results if not implemented meticulously. The fact of the matter is that BYOD is not the right strategy for every employee in every organization, but it is a great option for many. As a Symantec employee who works with MDM and MAM solutions all the time, I have seen firsthand that the BYOD initiative can be implemented in such a way that the expected benefits are easily possible without introducing added vulnerability. The key is for a company to partner with their respective solution provider to develop a strategy that is tailored to their specific needs.

    Swarna Podila
    Symantec
    swarnapodila
  • RDP as the bridge solution.

    I have a question : why not to use RDP - Remote Desktop Protocol between employee's own device and his Enterprise Desktop ?
    Desktop is under full Enterprise control and RDP is secure enough and is widely available on Android's and iOS ?
    AuthenticVoice
  • BYOD

    BYOD is a big security problem, but there are standards an laws such as SOX and HIPAA that do help offer some protection. One of the biggest tools is education. Our hospital put a BYOD policy in place to use Tigertext for HIPAA complient text messaging, but the doctors still used their unsecure regular text messaging. Even though we had a good BYOD policy, it wasn't enough, we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have about 95% of the doctors in compliance. If you want employees to comply with your IT security program, you really need to educate employees about the BYOD policy and the technologies you use weather it is an app like Tigertext or a larger MDM system.
    parmerjanessa