What are the problems with bring-your-own-device related to smartphones?

Companies see this more and more every day: people want to use their personal devices on the corporate network, or even use them for work. Because these are personal devices, an administrator cannot force restrictions as easily as with a company-owned device.

What are the risks of BYOD? What measures can we take to ensure security if we get into this situation?

D.W.
Lucas Kauffman

3 Answers

This is a really broad question that does not have a single answer. Some categories of challenges and risks include:

  • Reduced control. The corporation has to take whatever devices the employees select, and loses control over them. The corporation may also have reduced leverage to control the software on those devices.

  • Dependence. The corporation becomes dependent upon the security and availability of its employees' devices. It becomes harder for the corporation to manage those devices.

  • Heterogeneity. The corporation can no longer standardize on a single device, and instead has to be prepared to support a broad range of devices. For instance, if the corporation makes internal services available via a web service, it can't just target IE: it has to ensure the site will work with all of its employees' devices.

Some potential protections that can be considered include:

  • Server-side security. Architect services so they are less reliant upon the security of the user's device. For instance, store data on a server (or in the cloud) instead of on the end-user device.

  • Work with employees. Enable your employees to protect data on their own devices. Provide them with resources and motivation to do so. Educate them about the need and help reduce the barriers to security.

  • Web-based services. Make internal services available via the web and HTML5, rather than as native applications. (Admittedly, already a common practice.) The web is the least-common-denominator today.

  • Specific technology. There are some products and specific technologies being developed to deal with this challenge. For instance, one is full-disk encryption or software encryption on the end-user device. Another is use of virtual machines or other mechanisms to provide strong separation between work and personal usage of a device, so that personal use cannot compromise the security of work data -- and contrariwise, so that the employee's personal activities stay private (as they are none of his boss's business). There are also products to facilitate remote wipe and remote disable, if an employee's device is lost. However, employers who demand remote-wipe abilities should go out of their way to make it easy for employees to back up their devices -- otherwise, a remote wipe can represent a major loss for an employee.

  • Establish boundaries. Companies can help establish clear boundaries. The widespread growth in always-connected devices (smartphones, etc.) has transformed the way people work, to the point where many people effectively feel "on call" in jobs where a decade ago this would not have been the case. You see many people checking work email outside of business hours and feeling the resulting pressure. This may feel more efficient, but there are some reasons to believe that in the long run it impairs employee effectiveness -- so companies can help by establishing a healthy culture that encourages their employees to set boundaries and have a personal life outside of work.

  • Embrace the trend. Look on the positive side; BYOD is spreading because it brings major benefits, such as reduced technology costs for companies, improved employee productivity, increased employee morale, and increased flexibility in work hours. So, don't get caught up too much in the risks -- the risks must be managed, certainly, but the primary job of security folks should be to say "yes", not to say "no". IT security departments can think of this as a prime opportunity to gain a reputation as an enabler, not a barrier to progress.

D.W.

    Additionally, companies are embracing Citrix and other VD technology to get around the heterogeneity issue. – Rory Alsop Sep 07 '12 at 08:02

One risk of BYOD is the idea that it reduces sysadmin and helpdesk costs. It is a myth, but it can damage productivity a lot. With BYOD, the users themselves take charge of inventory and replacement of failed parts. But they still need to connect to the internal network and be helped with the corporate applications (i.e. intranet Web site), and since the hardware and operating systems can be quite varied with BYOD, the admin costs for these tasks tend to rise a lot. So don't enable BYOD as a cost-killer; it won't work. BYOD is there to make employees feel happier and more responsible.

Another issue with BYOD is compliance. If the company develops security-related software and goes after some kinds of certification (like EAL 2+ levels) then the development environment is taken into account, and the presence of uncontrolled machines in that environment may impair the certification process. To state things plainly, it is hard to guarantee that no backdoor was inserted in the code of an application when the developers' machines are outside of reach of any security policy.

A third risk is about boundaries. @D.W.'s excellent answer states that users should put boundaries between work and personal life, since the invasion of work into personal life is detrimental to the latter, and then to the employee productivity as a whole. It also works in the other direction: invasion of personal life into the work area can also destroy productivity. It is known that a little bit of non-work things within work helps people go through a day of work (that's the point of coffee breaks, really); it is also well-known that this can be overdone. If employees have their own devices, then they can bring their own leisure. The theory of BYOD is that employees feel empowered and responsible and this induces them to less slacking than what they would indulge in if their environment was less open. Practice, as always, perfectly matches theory... in theory.

Tom Leek

Where I am, the perceived problems are:

  • support costs - that the company will bear the burden of issues which aren't really its problem (Hello helpdesk, how do I configure my Whizzbang 3728-T for accessing the VPN?)

  • that unmanaged user devices become a conduit for malware into a controlled environment

  • that data on these devices is not adequately secured and the devices are more susceptible to physical loss

  • and to being compromised for data loss

  • data leakage - where the user deliberately stores company data outside of the company's control - e.g. using a cloud based app to maintain an address book

Personally, I disagree with the idea that there should be a very different inside and outside to a network in terms of security (yes, firewall policy should be different - but only to cut down on the noise). But I would have to concede that not everyone who works here has the skills / time to maintain their own devices to a reasonable standard.

"an administrator cannot force restrictions as easily as with a company-owned device"

This is a tricky one.

Firstly, your assertion is not necessarily true. You should have adequate controls in place that merely bringing a device into your workplace does not provide access to services you might consider restricted.

Once this is the case, then as an administrator you can enforce certain constraints on that access. There are lots of tools available now which provide remote wipe and remote access - but then you need to address the problem of how you separate the company's data from the user's data. Should you be asking your users to surrender their privacy? Should you be spending company money to buy security software to install on non-company devices?

Limiting access to the web (with no download functionality for email) and/or remote screen goes a long way to solving the problem. (I recently discovered a pure HTML5/JavaScript VNC client - awesome!)

symcbean