One guy acting strangely is a nut. A bunch of people doing the same thing is called a church. - Shawn Mahaney
The phenomenon of bring your own device (BYOD) is one of the most problematic in securing larger organisations. As we pass the point where more people in the world use mobile devices than personal computers to access the web, it is natural that they expect to be able to connect with their organisation on the move. It is convenient, and that is what technology should facilitate.
However, BYOD is just the latest in a long line of scenarios where the old dichotomy of convenience versus security re-emerges. Ensuring security should not make life onerous for users but at the same time there is little point in building a strong wall around your organisation only to allow people a backdoor through which authorised and unauthorised alike might enter.
The situation is compounded by how people feel about their mobile devices. They belong to them (hence BYOD) so they often feel that the organisation has no right to "mess" with the device. But, if an organisation is going to allow any device to connect to its network is there not a quid pro quo where that device must be subject to some level of scrutiny to ensure that it is not a danger to the organisation?
Does the organisation you are connecting to have further rights? For example, if data is downloaded onto the mobile device, or even if sensitive access details are available on the device, should the organisation have the right to force the owner to protect the device (with a PIN usually) and potentially wipe the entire device clean of data if circumstances dictate?
Most users would probably not know that their device is being health checked unless it is being refused access to a network, so that might be acceptable. However, I have lost count of the number of users I have heard complain that the organisation to which they wish to connect is "controlling their device".
I think BYOD is inevitable but we must be clear with users that the convenience it provides comes with some responsibilities, and whilst the organisation can provide safeguards, owners of devices must accept some overhead to ensure security.
External attackers do not attack a network head on but seek out the weakest link. If you allow users to subvert mainstream security by providing security holes via a BYOD policy then you may as well not bother with any of your security.
Having said that, there is good research to show that if security is made too inconvenient then users will subvert it anyway. This happens with BYOD, and the threshold of tolerance is lower as users see the device as their territory - most accept there may be a degree of overhead for attaching to a secure network but if it is seen as too invasive then users will find a way around it.
Security professionals have accepted this, and it is one of the reasons why ideas on security architecture have changed. Previously organisations erected a secure perimeter through which very few were allowed to pass. The increased connectivity between organisations has shown that if this border crossing is not to inconvenience users too much it has to have a light touch. But, of course, the lighter the security, the more chance you have of an unwanted visitor inside your perimeter. Hence organisations increasingly adopt a "defence in depth" approach: really precious data is secured individually rather than just relying on the perimeter defences. Rather like a castle where you have an outer wall but also an inner "keep". The "inconvenience" passes to the organisation rather than the user.
However, even the most advanced security architectures still require the user (or more particularly their device) to have more than the default security settings. And it is still true that if you allow someone to take away that "precious" data then it is outside of your control unless you as an organisation have the ability to wipe it from the device.
We have a situation where despite the various technical solutions available, if a user is given access to the crown jewels of an organisation they must, quite simply, take a level of responsibility which means allowing their devices to be controlled. The corollary is that if a user wants general access but not access to the most valuable data then they can be left on a lower level of security.
Once organisations have made a conscious decision as to whether they allow BYOD, then they need to realise that the line of what users find acceptable security will shift so that they need to rethink how they approach security. This may be no bad thing. It is common for organisations to adopt a "one size fits all" approach to security yet when a detailed audit is done of what is protected, some is of little or no real value.
Perhaps BYOD offers us an opportunity where we may actually be able to please all the people all the time, but it takes non-trivial amounts of upfront effort to examine what you secure, how, and develop a security policy that considers that balance of convenience and security to be a little more fluid than perhaps it has been in the past.
But, it is a balance and not an opportunity for users to abrogate responsibility. We have seen many high profile breaches and most come down to the fallibility of us humans. Whilst we think we are not subject to attack, and that we would not make that mistake which leads to leaking sensitive data, it takes only one person to make one mistake.
If security is to be adjusted to make BYOD more convenient the organisation has to accept that it will cost a significant amount to implement such a new approach properly. Likewise users have to accept that with access to sensitive data comes responsibility. Everyone has a part to play in security, and that includes accepting that BYOD is something of a concession and that this means that users must play their part.
Everyone needs to remember that BYOD, whilst highly attractive, is not a fait accompli. Organisations could always deny such access and allow the use of only their own equipment, managed and controlled by them. For some organisations, this may be the right answer. It will only happen properly where both the organisation involved and the users see a benefit, and that will take a bit of give and take from all concerned.
Professor Alan Woodward is a lecturer in the Department of Computing at the University of Surrey