To be honest, I’m somewhat amazed at the amount of recent press that the so-called BYOD (Bring Your Own Device) Movement has drawn. While there’s no doubt that BYOD is an inescapable reality in the modern IT world, it’s not as if everybody has all of a sudden started carrying their smartphones and tablets to work.
To make the debate more interesting, the reaction to the security challenges that come with this movement has been mixed. Is it more about users than security? Can BYOD go wrong for an enterprise? Does BYOD lead to a false sense of security? Clearly, I have more questions than answers at the moment.
The National Institute of Standards and Technology (NIST) yesterday released a proposed update to its guidelines for securing mobile devices, which includes recommendations for smartphones and tablets (both organization-issued and BYOD) used by federal employees.
I think the first and foremost thing that needs to be understood about BYOD is that it isn’t a one-size-fits-all approach. IMO, the key is to develop a flexible mobile device management (MDM) policy. Of course, I still maintain that there’s no place for employee-owned devices in organizations that need to abide by extremely strict security and privacy requirements. At the same time, I know of enterprises that have successfully employed effective MDM solutions for several years, especially those that deployed RIM’s BlackBerry smartphones and used RIM’s own software to manage them.
The good part, though, is that an increasing number of other device makers are turning their attention to enterprise security features. I also agree that the best way to deal with this problem is a three-pronged approach that breaks security into three layers: the device, the data and the network. The devices themselves can be controlled only to a limited extent and can become a source of internal risk, but I strongly believe that security of the data and the network can be achieved with a sound MDM strategy, a strong code of compliance and strict vigilance.
“Many mobile devices, particularly those that are personally owned (bring your own device [BYOD]), are not necessarily trustworthy. Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, etc. have been bypassed,” write the co-authors of the NIST document, Murugiah Souppaya, computer scientist at NIST, and outside consultant Karen Scarfone, principal at Scarfone Cybersecurity. “Organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data.”
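To make the "flexible MDM policy" and the NIST advice ("untrusted unless secured before access and monitored continuously") concrete, here is an added example of a device-posture gate. It is not code from the post, from NIST, or from any MDM product: it assumes a hypothetical MDM agent that reports per-device attributes (the field names, thresholds and sample devices are all constructed here), and it goes beyond the text by tiering the rules by data sensitivity rather than applying one rule set to every device.

```python
"""Tiered device-posture gate for a BYOD policy (added, constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    """Sensitivity of the data or application being accessed."""
    PUBLIC = 1       # data anyone may read
    INTERNAL = 2     # ordinary business data
    RESTRICTED = 3   # regulated or contract-bound data


@dataclass(frozen=True)
class Device:
    """Posture as reported by a hypothetical MDM agent (field names assumed)."""
    device_id: str
    owner: str                 # "corporate" or "personal"
    mdm_enrolled: bool
    storage_encrypted: bool
    passcode_set: bool
    jailbroken: bool           # jailbreak/root flag reported by the agent
    os_patch_age_days: int     # days since the OS patch level was current
    last_checkin_hours: float  # how stale this posture report is


# Looser limits for public data, tighter for restricted data (assumed values).
MAX_PATCH_AGE = {Tier.PUBLIC: 365, Tier.INTERNAL: 90, Tier.RESTRICTED: 30}
MAX_CHECKIN_HOURS = {Tier.PUBLIC: 24 * 7, Tier.INTERNAL: 24, Tier.RESTRICTED: 4}


def evaluate(device: Device, tier: Tier) -> list[str]:
    """Return the reasons the device fails policy for `tier`; empty means allow.

    Every device, corporate or personal, starts untrusted and must prove each
    control. A stale check-in is itself a failure: posture is only trusted
    while the device is being monitored.
    """
    failures = []
    if device.jailbroken:
        failures.append("jailbroken/rooted: built-in OS restrictions bypassed")
    if tier is Tier.RESTRICTED and device.owner != "corporate":
        failures.append("restricted data is limited to organization-owned devices")
    if tier is not Tier.PUBLIC and not device.mdm_enrolled:
        failures.append("not enrolled in MDM")
    if tier is not Tier.PUBLIC and not device.storage_encrypted:
        failures.append("storage not encrypted")
    if not device.passcode_set:
        failures.append("no device passcode")
    if device.os_patch_age_days > MAX_PATCH_AGE[tier]:
        failures.append(f"OS patch level older than {MAX_PATCH_AGE[tier]} days")
    if device.last_checkin_hours > MAX_CHECKIN_HOURS[tier]:
        failures.append(f"posture stale: last check-in over {MAX_CHECKIN_HOURS[tier]}h ago")
    return failures


def allowed(device: Device, tier: Tier) -> bool:
    """Convenience wrapper: True when no policy check fails."""
    return not evaluate(device, tier)


# Constructed sample devices (not real inventory data).
PERSONAL_PHONE = Device("p1", "personal", True, True, True, False, 20, 1.0)
ROOTED_TABLET = Device("p2", "personal", True, True, True, True, 5, 0.5)
CORP_PHONE = Device("c1", "corporate", True, True, True, False, 10, 0.5)
STALE_CORP = Device("c2", "corporate", True, True, True, False, 10, 30.0)

if __name__ == "__main__":
    for dev in (PERSONAL_PHONE, ROOTED_TABLET, CORP_PHONE, STALE_CORP):
        for tier in Tier:
            verdict = evaluate(dev, tier)
            print(f"{dev.device_id:>3} {tier.name:<10} {'ALLOW' if not verdict else 'DENY: ' + '; '.join(verdict)}")
```

The point of the tiers is the "not one size fits all" argument: the same personal phone passes for internal data but is turned away from restricted data, a rooted device is refused even public data, and a corporate phone whose agent has not checked in for 30 hours loses its restricted and internal access without anyone wiping it.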
While I support some of NIST’s recommendations, such as encrypting data and setting up an app store for the organization’s own use, I think remotely wiping people’s personal devices is stretching it a bit too far. What do you think?