BYOD: don't let the dream turn into a nightmare

Most vendors and analysts agree: you can’t avoid BYOD (bring your own device). But despite all the excitement about letting people use whatever smartphones, tablets, convertibles or latest thingamajig they want at work, many businesses are still wary of the BYOD trend.

Some organisations, by necessity, just cannot adopt BYOD policies. Government bodies holding highly sensitive data, such as intelligence agencies or NHS Trusts, might not be so keen to accept a more liberal techno-ideology, given some of the data protection snafus they have been embroiled in.

Rob Bamforth, analyst at research firm Quocirca, believes companies need to find their own place based on their business strategy and values.

“Like many other aspects of IT, BYOD operates across a spectrum from ‘definitely not’ to 'anything goes’,” he says.

High anxiety

Some simply can’t find the right technology to ease their anxiety over BYOD. Its potential for data leakage is too much to contemplate, according to Steve Durbin, managing director of the Information Security Forum.

“There will be some for whom BYOD is not the route to go down, principally due to concerns over their ability to implement effective data segmentation and access monitoring,” he says

A startling number of companies are not doing BYOD as a result. A survey by CompTIA of 400 IT and business executives released in June 2013 showed that as many as 51 per cent had no plans to permit the corporate use of worker-owned devices.

Of course, what IT permits and what employees do may differ wildly. A generation gap is at play here, with many younger people, or “millennials”, flouting the rules when it comes to using devices and apps.

A survey of 1,000 people carried out in June by custom-app development house Trackvia revealed that 70 per cent of those aged between 18 and 33 admitted breaking company policies on the use of unapproved software.

Perturbingly, 60 per cent said they did not think this would create a security problem for their company.

According to IT chiefs (and most people with a basic grasp of information security), they are wrong. Many problems are born out of this shift to “shadow IT”, where the rules have become more and more irrelevant.

A recent Webroot survey found 60 per cent of IT managers reported the use of personal devices by their employees and 58 per cent said they were “very” or “extremely” concerned about the inherent security risk.

“The device, with its data and the connection back to the enterprise, could become compromised at any point, especially when used for non-work purposes for a while and then re-introduced to the corporate network,” says Bamforth.

“Take your own device on holiday, connect it to lots of dodgy networks, install fun software, get infected, come back into the office and use it for work…” We all know what comes next, right?

Mind the app

Consumer mobile apps have proved to be leaky things too, making them especially attractive to hackers hoping to hoover up business information. Just look at the recent debacle caused by a vulnerability in the hugely popular SnapChat app for an example of poor security practices among developers.

Even corporate apps are likely to contain weaknesses because thorough security testing is not always being done at the development level, warns Durbin.

“The rapid uptake of BYOD is increasing the demand for mobile applications. To meet this demand, developers are working under intense pressure and on wafer-thin profit margins,” he says.

“The result is that products are more easily hijacked by criminals or hacktivists. This will only worsen as hackers and malware providers switch their attention to the hyper-connected landscape of mobile devices.”

Employees carry only half the responsibility for the problems caused by unmanaged, unknown devices on the network. Half of the respondents to the Trackvia survey said the apps their company had given them were simply not good enough.

The more paranoid and backward-thinking CIOs have failed to introduce the right tools to keep employees happy when it comes to mobile software.

Perversely, improvements in technology have exacerbated the IT-versus-the-rest divide. A more technologically savvy workforce should have brought the two sides together but in many businesses that hasn’t happened.

“For many companies the BYOD train has already left the station"

Frustratingly for those who try to deny BYOD, they risk bringing more security threats into the workplace as careless employees find ways to circumvent their controls and start moving business data into dangerous areas.

Meanwhile, whether it is IT or employees leading the way, BYOD is happening in one way or another.

“For many companies the BYOD train has already left the station. The journey is underway so we’re needing to retrofit security and good practice,” Durbin says.

Ideally, IT would lead the charge as this would result in a more secure organisation. A perfect BYOD rollout might seem like something of a chimera, but it is one that can be tamed.

A sound policy is the obvious first step, says Alan Carter, head of cloud services at security services provider SecureData.

“Before even thinking about investing in technology, get the policy sorted. Doing it the other way around will result in anything but a perfect rollout,” he says.

“Furthermore, make sure the policy considers the needs of the user and that you get sufficient buy-in before embarking on the rollout. Don’t underestimate how much of a bugbear it is for users when they are denied access to the technology they require."

A decent policy will also feature plans for replacement or compensation when phones go missing, as well as security protocols for protecting stolen data.

Policies won’t take a one-size-fits-all approach, though, and will require risk assessments of each department.

A whitepaper from FrontRange, an IT services provider, recommends identifying mobile use cases and defining specific guidelines and policies for different sections of the organisation.

This typically involves determining what information and applications each department needs access to, outlining security procedures separately for each business unit, and getting to grips with regulations covering data usage and access in the countries where the organisation operates.

Trust me, I'm a user

A certain level of trust has to be lumped on the users too. This means necessary, but too often forgotten, education.

“As the devices are owned by individuals, the responsibilities for setting them up correctly, protecting them, installing anti-malware, keeping them set up correctly and installing only safe or known applications is, at best, shared. The focus has to shift from the device to the thing that really matters – what is done with it,” says Bamforth.

A thorough education programme is likely to have an impact beyond the workplace, so it is important to instill common sense in workers’ families, suggests Amar Singh, chair of the ISACA security advisory group.

“A great BYOD rollout and true adoption must deliver value to the end-user’s family. Help the staff and employees to protect their family members by engineering an antivirus solution or data protection solution that can be adopted by family members too,” he says.

After the policy comes the technology. Though expensive, buying a wide selection of sexy phones and tablets for what will resemble a corporate tech shop is likely to be hugely appealing to the average employee, especially if the business is paying for it.

This forward-looking CYOD (choose your own device) approach can be ideal for those who can’t do full BYOD, according to Quentyn Taylor, head of information security at Canon Europe.

“There are two sides to the consumerisation coin. There is BYOD on one side and CYOD on the other. If you were to ask employees whether they would like to use their own device or have the company pay for the same device, many would opt for the for CYOD,” he says.

"So while there has been a big push towards BYOD, CYOD – corporate ownership but offering a wider choice of devices – is where a lot of companies are headed, or towards a blend of the two.”

Company store

Whatever machines businesses offer their workers, they would be wise to choose those with a decent level of security built in before other layers are introduced.

Thankfully, vendors are starting to get it. A recent deal between Samsung and Google will see the some of the latter’s Knox security solutions embedded into the next version of Android.

That means Android devices will get mobile device management (MDM) features allowing IT to segregate business and play apps and add controls to provision and de-provision software when needed.

Some of the more hardcore protections, such as Trusted Boot and kernel protection, will remain for Samsung phones only.

Once the business has a hardware plan in place, it is time to look at the software. That device store for hardware can be replicated by a controlled approach to apps, with the launch of a corporate app store allowing for selection and choice “from within an acceptable framework of options”, says Bamforth.

Those apps developed in-house must follow the testing steps of a “recognised systems development lifecycle approach”, adds Durbin.

Ideally, identity and access management solutions will be device-agnostic. They will encompass much more than just phones and tablets and will cover and control the data on any user machine.

Indeed, across the industry, there is now much less emphasis on the hardware and operating system than on software and data.

The typical answer to the BYOD problem is MDM-type technology that promises containerisation, sandboxing and “bubbles of protection”, as Bamforth puts it.

Many vendors are striving for this effective segmentation and trying to create a business device within a consumer one, in the same way that virtualisation has made it possible to have different systems hosted on single machines.

Decent MDM products will also do the patching, billing, remote wiping and locking and encryption that responsible IT chiefs deem necessary for a BYOD rollout.

All this sounds excellent. But even these BYOD-embracing technologies carry security risks.

At the Black Hat Europe 2013 conference, Lacoon, a mobile security company, detailed ways to bypass MDM containers by downloading seemingly innocuous apps. These could exploit a vulnerability in an Android phone to hoover up data that was supposed to have been ring-fenced.

Living on the edge

Last year, students in Los Angeles reportedly took their school-provided iPads home with them and simply removed the MDM product to start downloading anything they wanted.

IT heads wanting to avoid such embarrassment will have to do thorough audits of the MDM solutions themselves.

It is easy to see why many are not going down the BYOD route, then. It is a big shift for starters. Even once the whole thing is rolled out, companies can’t guarantee a 100 per cent secure BYOD solution, nor can they brag about how much money they have saved.

Return on investment is especially hard to prove with BYOD as it involves layering a load of potentially costly software on existing hardware.

Only when device procurement is finally killed off can savings really be made, though the software costs will hardly be negligible. But all this has never been achievable in any single IT project.

“The MDM hack is a similar issue to that of hypervisor security in virtualised environments. If the hypervisor is compromised it is game over for all the host operating systems. We have lived with that risk for years and it is manageable,” says Taylor.

Living with that risk might seem unbearable to some. But the alternatives don’t offer much succour. The BYOD paradox is likely to persist for some time. ®