Mobile security has been a major issue for IT security departments ever since the world shifted from BlackBerry to iPhone and, as a result, the IT deployment model changed from ‘push’ to ‘pull’. End-users, it turned out, had decided they wanted to use their own devices at work.
The trend – known as Bring Your Own Device (BYOD) or, more generally, as consumerisation – brought about cost savings, greater productivity and workforce mobilisation, but it isn't without its problems.
IT managers often have little visibility into the devices, the data or their security, and it has taken time for businesses to roll out and enforce BYOD policies, let alone Mobile Device Management (MDM) or Mobile Application Management (MAM) solutions. The use of personal cloud solutions like Dropbox and Box further complicates the management picture.
At SC Magazine's mobile security roundtable in London on 30th January, a peer-to-peer gathering of infosec managers discussed the issue – and concerns.
Lindsay Shure, head of information security for the Medical Research Council's clinical trials unit at UCL, was first to highlight some of the difficulties.
“We're learning all about it (mobile insecurity) and how to counter the risk. We have lots of patient data and sometimes it's difficult to persuade [people] not to carry these devices in their pocket.”
John Walker, visiting professor at Nottingham Trent University, touched upon some of the dangers in an opening keynote: “Users are just connecting to the network and downloading [data] onto private devices and making these devices their own. You have a breach inside the network - it's a fact of life. Users will go against the policy.” He added that users often treat policies like terms and conditions, and that policies frequently aren't applied to senior executives – though they need to be if measures such as remote wipe are to be enforced. Privacy lawyer Dai Davis, senior partner at Percy Crow Davis & Co, agreed, adding that only 60 to 70 percent of staff actually read a BYOD policy.
But Walker said that the policy is only one of many problems – others include legal ownership of data, data loss and usage costs (including roaming fees). Others queried what rights contractors should have, as they would inevitably be using their own devices.
“Whose device is it? If you allow someone to have a device connected to the network, is it the user's or is it your data, do you have any control?” asked Walker, who added that most firms still did not have controls to view the data. “It could leave you in a very embarrassing position. The problem is that policies are not being thought through, and they tend to be written by IT people.”
BYOD: A two-tier approach
There are successful case studies, however. Graham Thomson, CISO at Think Money, said that his firm has both a corporate-owned and a BYOD policy, with the BYOD policy signed off by HR and legal – as well as a line manager – before the user gets authorisation to use their device to access corporate data. Users must also ensure their device has the same level of security, including encryption, as corporately deployed models. Once that is done, email is delivered via Exchange and all security settings are in line with ActiveSync.
BYOD is not a one-size-fits-all strategy, though; several speakers at the table professed to have a two-tier model combining BYOD and CYOD (Choose Your Own Device), while others rely on corporately deployed devices.