Why BYOD scares me

BYOD is an epic battle in the ongoing war of usability against security -- and usability is winning out

Page 2 of 4

Unfortunately, the vast amount of devices and platforms means that whatever managements options you come up with are weakened by the fact that no single solution supports all devices. For example, suppose you have picked virtual desktop integration (VDI) as the way to protect your data. With VDI or remote access, the data never really leaves the other machine. That's great, and it works in all sorts of scenarios. But VDI solutions only work on a few models, and a minor device upgrade might require a whole new VDI solution.

Worse, more platforms and devices mean that the supporting IT group must come up to speed on the platform and its security benefits and risks. Each additional device and platform becomes another domain that must be learned.

Even if you don't plan to manage your consumer devices (to many, this is the only solution), then you must make sure the device can successfully connect to your network, access the appropriate applications, and so on. Few organizations, when they say end-users must fully support their own devices, truly mean that. And each different device increases support costs.

A lot of BYOD strategies give up on management and tout "data-centric" protections. What does that even mean? If data is eventually represented on an endpoint device -- and it is -- then any comprehensive data defense strategy must include endpoint considerations.

To see the validity of that statement, it helps to take the argument to extremes. Assume your company has the world's most valuable data and your users have access to a wide variety of devices, including the strongest- and the weakest-secured devices in the world. The weakest devices have no security at all, not even a log-on PIN. Would it be sane to allow your company's most strategic and valuable data to be hosted or viewed on the world's most insecure device? I assume you said no; if so, you don't favor a data-only defense either. If you said yes, I'd love to do some penetration testing on your environment.

Even if all you're doing is telling end-users what devices they can and cannot use to access your data, you're doing more than "data-centric" defense policies. Let's call data-only defense policies what they are: crap. We all need to have some control, across a spectrum of choices, over the mobile devices used to access private data.

Failure to learn
It's not like we took all the successful computer security lessons of yesterday and applied them on the new platforms. First, we've failed to fix most of the previous security problems. Even the best, most highly consulted solutions, like IPSec, DNSEC, and IPv6, languish in relative obscurity after more than a decade of attempts at wide deployment. Malware and hacking are worse than ever.

Second, we appear all right with letting the old lessons reoccur on the new platforms. We're getting mobile malware, spam, authentication bypasses, and every old trick that worked on traditional PCs seems to work on BYOD items. Let me ask: Is there any threat that can happen on traditional computers that cannot currently be replicated on BYOD and mobile devices?

| 1 2 3 4 Page 2