Malware hits the Mac but is it worth worrying about?

When a term gets boring but is still relevant, it may be time to rebrand it and look at a new way to make it matter and be heard.

In this case, it is the old chestnut of bring your own device (BYOD). I've been covering this area for two years now and sometimes it is interesting, sometimes not. I am well aware of how much of an issue it is for businesses, how challenging it is to manage, and that enabling it is an ongoing problem.

When talking about BYOD in recent months, the concept of a new version of BYOD emerged where it was not about managing the device, but about securing the data on it and the data that passes through it.

The concept was first suggested to me by MobileIron CEO Bob Tinker, who said that the first phase of the mobile control market was in how to enable device choice, and that was where mobile device management (MDM) came in. Now it is about how to enable mobile applications and content, and establishing the content of 'mobile IT'.

He said: “This is about how to enable applications and the content inside, it is not just MDM, it is turning into a bigger market. We believe in mobile application management; that is the next generation of mobile IT where access is to email and devices to enable application access and content. Applications that change a business to make your life easier. With mobile content, the biggest thing is access to applications and content.”

This was echoed by Dell at its December conference, where Ken Drachnik, director of marketing for Dell Kace, said that mobile management is not about hardware, but about the operating system and security policies.

The concept makes sense: it is a lot less intrusive on the personal device and while it does raise questions about the sandboxing capability offered by many of the mobile device management vendors, it could be the next stage or 'BYOD 2.0', a term coined by Nathan Pearce, EMEA product manager at F5 Networks.

He said: “BYOD cannot be inhibitive and adopters cannot lose everything on a remote wipe; you can try to secure the device and we believe the next big thing, or BYOD 2.0, is data classification, in understanding what data is secure and what needs to be secured.

“No other apps can communicate with each other and not access other data and if you need to do a remote wipe, you wipe the app and not the whole device. The focus should be on the app and what it does and then you know what you are protecting. MDM has failed as it has stopped you seeing what is in applications.”

Speaking to some other industry people on this concept, Peter Barker, senior vice president of engineering at Good Technology, agreed that you should secure the data and that should be what users focus on. “Our focus is on the data first and foremost and also securing data in addition; we also say secure data in addition as it needs to be compartmentalised to prevent it being seen by others,” he said.

“For the concept of BYOD 2.0, I say it is around the amount of data as BYOD has been around enterprise data. [You should] take that as an enterprise evolution on mobility, as they will have to enable devices for other partners and users, so they are enabling not only devices, it is really important to employees and our solutions cover all scenarios.”

Likewise, Richard Smith, strategic account manager at Soti, said that he believed that this concept will take off, as users will have a VPN enabled and it will offer the capability to improve security.

He said: “As the policy takes off and MDM becomes an enabler, it can be as lightweight or as heavy as you want it to be. So having it can be very different from user to user, as there is not one policy for everyone – from the CEO and management to the general employee there will be differences on what can be accessed and how obstructive it is.”

So the vendors agree with it; will it change their product offerings though? I personally cannot see millions of dollars of development in MDM abandoned on the reality of a mobile firewall and data loss solution being deployed. Even then, where does it sit – on the device? Is that any different to the general MDM offerings?

Released earlier this year, Forrester's 2013 mobile security predictions said that MDM technology providers will see opportunities increasingly move away from pure device management, and move toward bringing together an ecosystem of technologies that provide different business controls, including app management, mobile identity and access management, mobile virtualisation and even mobile analytics.

It also predicted that mobile data collection will continue and become more pervasive, as the continued growth of personalised services relies on the availability of massive user data sets, collected through mobile devices and smart environments, with location information.

Speaking at the SC Magazine Data Protection Summit in March this year, Dr Simon Rice, group manager (technology) at the Information Commissioner's Office (ICO), said that with BYOD it “doesn't sound like the data controller is in control and they must remain in control and have a set of standards” when a user can choose/purchase/own/maintain/control the device.

He said: “You have got to monitor compliance and know what people should be doing. Where does the data reside, is it on the phone? Think about the privacy of the user if your kids use the device, or is that not allowed? Can you segregate the data in some way? If you have all this disparate data, how can you comply with the Data Protection Act?”

Speaking at the same conference, Cameron Craig, partner at DLA Piper, said that from a data protection perspective, it is about maintaining control and knowing it is your data, and you're the controller and making sure you put steps in place that fit with the Data Protection Act.

Pearce made the crucial point that anything that inhibits the user experience or proves to be too much of a hurdle for users will not be embraced. Glyn Hughes, technology director at G4S, said at the SC Conference that “BYOD is about happy employees” and he recommended putting a policy in first and the technology second, and communicating with employees about your expectations of them and what limitations you will put on their device.

Of the many BYOD stories I have received, the overarching theme is that businesses are embracing the concept and it is a way forward for them. The benefits are clear, but the challenge is change and, as information security risk management consultant Lee Barney told me, organisations should embrace BYOD, but more importantly they should embrace change.

He said: “Many security professionals will be reading this with a cold sweat, just considering unknown change is in itself a terrifying thought. To them I say consider this, if you have appropriately reduced your endpoint footprint on your employees' devices and appropriately secured their access to your sensitive data, then where would you rather they access the internet?”

Barney's point was that every business should have a future change policy and these guiding principles and business decisions should be about good future change planning. Just like business continuity planning, it is something that is best done in advance of the event and should help set out automatic processes and procedures that will enable your business to take advantage of future change rather than just reacting to it.

Aside from the overall BYOD trend, the concept of mobile data security is one that does make sense. After all, if you lock an employee's mobile device down after approving it for use, that employee is not going to be happy. On the other hand, if they are given access to corporate data and you are only securing that data and having visibility to personal web use and applications, then that may be the solution.

The technologies exist, such as application wrapping and mobile firewalls, and having those in place and configuring them to work may be an even greater challenge than BYOD ever was.