- May 28, 2012
- Dan Ford
When it comes to mobile security, risk management and compliance, people often bring up the topic of the bring-your-own-device (BYOD) approach. Should we allow it? Can we stop it? How can we manage the associated risks? And so on. Well, brace yourself for a potentially controversial statement: when it comes to mobile security, BYOD doesn't matter. Yes, BYOD is a very important and real topic. In fact, it is a critical foundation for the next generation of enterprise computing and will have a big impact on how we manage employees and endpoint computing devices going forward. But BYOD (like MDM) can also be a red herring when it comes to talking about mobile security and risk management. So why is that? Doesn't BYOD introduce greater risk and more vulnerabilities into an organization?
First, it is important to understand that every mobile device is vulnerable to attack and data theft, and its attack surface is defined by the system itself, not by who owns the device or which policies are configured. Second, most, if not all, mobile devices used for business will also be used for personal purposes and will have unverified third-party apps installed on them, no matter who owns them. Third, most, if not all, business professionals have a personal attachment to their mobile devices and will end up using them accordingly. The security vulnerabilities and operational risks associated with mobile devices are very real, and they can be very costly. However, they are entirely independent of whether a device is owned by the corporation or the employee, and they expose an organization to the same set of risks and vulnerabilities either way: corporate data loss, cyber attacks and security breaches that could lead to corporate espionage, private data leaks and compliance breaches. What DOES matter when it comes to mobile security and risk management is the following:
- What types of mobile devices and operating systems will you permit onto your network, and what are the associated vulnerabilities and threats?
- Which corporate assets (e.g. email, documents, business data) will you allow to be stored and accessed, and by which employees?
- What are your corporate policies related to private data protection and prevention of cyber attacks?
- What are your corporate requirements related to regulatory compliance reporting and auditability?
For most organizations, these are the fundamental security issues that need to be considered when developing a mobile security and risk management strategy. The question of BYOD is largely irrelevant. The more important question is whether you will permit employees to use iOS, Android and/or BlackBerry devices and, if so, what you will allow them to do on those devices and what type of information they can access. Once you've made those decisions, you need to understand the vulnerabilities and potential attack vectors that follow from them. Based on this, a set of corporate policies can be established to address your security requirements across the entire spectrum of mobile devices you will support, whether they are BYOD or corporate-owned. And finally, the technology decisions can be made in a way that ensures you can adhere to the requirements and policies above no matter who owns the device.
In summary, BYOD does not expose an organization to additional risk or security threats. The presence of consumer-grade mobile devices DOES, no matter who owns them, and you need to ensure you create the right policies and choose the right technologies to protect yourself. Understand that you may be more constrained in the kinds of device-level policies you can enforce on BYOD devices; this doesn't change the kinds of threats you are protecting against or your overall security policies, but it may change the technical approach you take to implementing a solution. But don't get caught thinking that a corporate-owned device is more secure than a personal-liable BYOD device, or that the corporate policies you create should discriminate between the two. The risks are the risks and the policies are the policies: understand what those are and find the right technologies that enable you to implement them, whether a device belongs to the company or the employee.