Why BYOD scares me

BYOD is an epic battle in the ongoing war of usability against security -- and usability is winning out


Not that I can see. The only thing that saves us from even more malicious hacking on the newer platforms is that they're woefully underpowered compared to traditional computers. Try editing gigabytes of video on your mobile device, running huge spreadsheets, or connecting to dozens of mapped network drives -- you might be able to do it, but it won't be nearly the same experience.

We're in a rest period right now. BYOD is gaining popularity, but within a year or so, the devices coming out will be capable of running heavy applications and storing heavy data. When they do, the hackers will be attacking them just as much as PCs.

New worries for security
But all of the above is old, easy stuff to mention. What's new that is scaring me? Here's a sampling:

Global IDs. We're quickly becoming a world of global IDs, whether Google IDs, Live IDs, OpenAuth, WS-Trust/SAML, or some other uber ID identity scheme. The misuse of global IDs scares me the most in the BYOD world. Should I let someone's Google ID or Live ID integrate into my corporate Active Directory account? Is the same protection that protects my cloud-based email appropriate for what guards the crown jewels of the company? Probably not.

Right now, most ID providers are responding by trying to keep applications of different sensitivity from being accessed by the same ID. For example, in Windows 8, you can use your Live ID to access some cloud products and even log on to your Windows 8 desktop and profile. But a Live ID will not give you access to Active Directory-protected assets. This is great, and it's the correct decision for the time being.

But it's likely that all global IDs will spread out over time and access more items, including some cases their designers never anticipated. Standards will be extended, and security will come under stress. But the biggest problem is that we don't know how the various interactions will play out because most people will have multiple global IDs -- on the same devices and between different devices. We have not started to scratch the surface of what multiuse, multidevice global IDs mean for computer security. Here's hoping the researchers and implementers get it figured out ahead of the malicious hackers.

Application-centric IDs. Another big difference is that most of these global IDs will be handled and secured by all participating applications. Right now, you probably log on to your traditional computer with a single ID that allows access to every (or nearly every) application on your desktop. Fast-forward a few years and you'll probably have different applications using different global IDs. The security of each ID will come down to how well the application protects that ID from unauthorized reuse and theft. In a multiuser global ID scenario, that authenticator is only as strong as the weakest link. We already see some early examples of this when people reuse the same log-on names and passwords across multiple websites. BYOD will make this standard practice.
