By Bruce Bonsall, CISSP – BT, Senior Security Strategist
I got some new shorts this past weekend. They’re a couple of inches longer than the ones from last year. My son told me not to wear the old ones because he said, “Hot pants aren’t in style.” They weren’t that short but I got the point — the style has changed; shorts have been getting steadily longer in recent years. I’ll change with the times and wear somewhat longer shorts but when they go below the knee, I draw the line; I’m not wearing those mid-calf capri pants, no way.
Styles come and go and often come around again. I’ve noticed that some of the styles we wore back in the 1970s are back in now. I won’t embarrass my son by taking my polyester leisure suit out of mothballs; that was one style that should be allowed to die, never to return again.
Computing has its own styles and approaches that seem to come and go too. More often than not, the approaches aren’t truly new but rather they are repackaged and called by another name. Re-branding is a common technique used in making the old seem new. Maybe I should change my name; I’ll have to think about that.
There’s nothing new about BYOD
Sometimes people are just new to computing and didn’t live through the prior iteration of the same old thing, so they think it’s new. Sort of like my teenage daughter thinking that bell-bottom jeans and peasant blouses are new; pseudo-new, maybe. A prime example today of this pseudo-new computing approach is BYOD, Bring Your Own Device…to work. The issue really isn’t new but rather, it has some slightly different nuances to it.
Ever since computers became relatively affordable, people have been using them to support the companies they work for. The early personal computers weren’t all that portable and typically weren’t actually brought to work, but they were used to connect to corporate networks and they were used to perform work and often process corporate and customer data. I used my first PC, with three megabytes of RAM and a 20 meg hard drive, to connect to and support corporate business networks back in the 1980s. I was bringing my own device, albeit virtually, into the work environment, thirty years ago.
Connecting to corporate data is the crux of the matter
From a security perspective, the concern isn’t that the device is on the company premises but rather that the device connects to the company network and, even more so, that it processes company data. In other words, if you bring your device to work but never connect it, nobody should care because there’s no risk of data compromise or passing some kind of malware infection to the network.
When we talk about bringing your own device to work, we’re really talking about using your personally-owned device to interact with corporate or customer data. The primary reason for the concern is that the company doesn’t have control over the device and consequently is not well positioned to ensure that the device is properly secure, something that companies in regulated industries are obligated to do. An improperly-secured device can become a source of infection and a launch pad for all sorts of nefarious activity on the network.
As computers have become more powerful, more portable, more affordable, and more varied in their designs, consumers have been buying them for personal use. Personal choice is a big factor today that’s driving the personal computer and smartphone markets. People like what they like. We arrange our desktops in ways that make sense to us. We prefer certain applications and we customise things the way we want them.
Like the device? Work more on the device
Studies show that people will spend more time working when they use their own devices than when they use a corporate-supplied device. More importantly, if the familiarity of the device and the way it’s configured makes me more efficient, there is a good business case for allowing me to use it. If a little bling on my bejeweled iPhone makes me want to use that little beauty more often, then why not?
If efficiency were the only criteria for deciding whether to allow BYOD, the decision might be easy but the very important need to protect the information and systems still persists. When the efficiency that can come with personal choice and the protection of information can be kept in balance, we have a win-win situation.
For many years, the only people using their personal computers to connect to corporate networks were Information Technology (IT) folks. As more people got computers and our workforces became more mobile, it became commonplace for all sorts of knowledge workers to connect into corporate networks from home and elsewhere to perform work, communicate, collaborate and achieve.
Today, in many cases, the PCs people have at home are better than those corporations provide. Even if they aren’t better in terms of power and speed, people like using them better because of that aforementioned familiarity with the device. And, of course, one size does not fit all so the variety of laptops, netbooks, tablets, book readers and smartphones provide even greater variety to device preferences.
Control and trust go hand in hand
Understanding the security strengths and weaknesses of devices is necessary in making informed decisions about allowing them access to confidential or otherwise sensitive data. You can’t very well trust that a device is secure enough to process or store important information when you don’t have any control over it. However, when you can exert enough control, you can trust the device.
To summarise that point: total control = total trust, partial control = partial trust, no control = no trust.
When total trust of a device is required, the best solution tends to be ownership and complete control of that device. When partial trust is sufficient, then partial control is acceptable. A common approach to achieving partial trust on smartphones and tablet computers today is to deploy an application to the device that creates a secure container on the device. This ‘sandboxing’ technique, creates a space on the device that is secure and most often can be wiped clean by the controlling entity (the corporation) when there’s a need to do so. Such applications give the controlling company the ability to impose their policies on the devices when they connect to the corporate network. Policies typically require strong passwords and inactivity time-outs and may include other security parameters as well.
When a company, agency or institution has no control of the end-point device, allowing it to connect directly to confidential or sensitive information is risky and inadvisable. In such cases, reputable organisations typically control access via web application portals or use virtual desktops that proxy the connection between the untrustworthy device and the protected data.