I read news this morning quoting a survey by Coleman Parkes, a UK-based research company, saying that 15% of CIOs ban private devices to mitigate the BYOD risks. I personally don’t believe in that approach because it is just too likely to fail. It is like Don Quixote tilting at windmills, I’d say.

At first glance, banning private devices might seem the best choice. Using only devices you have provided yourself, evaluated and tested, and configured well seems to be the best approach when it comes to mitigating information security risks. But does this approach really work? Let’s focus on five questions:

  • Will the managers accept this?
  • How do you deal with remote workers?
  • How do you deal with external collaboration?
  • Are the devices really secure?
  • Do you provide what your business requires?

Managers are one of the user groups driving BYOD – we all know that. Many of them like to have the newest gadgets, and many doors to BYOD have been opened wide by them. Certainly there are some organizations where the managers weigh information security higher than their own interest in the newest gadget (which they describe as an urgent business need). But there aren’t that many.

When looking at remote workers, who are common in many organizations, it is also hard to enforce the pure-play approach of allowing only devices provided by the employer. It means that the employer has to provide the entire work environment. That is difficult; however, it might work.

External collaboration is another issue, because it is about giving externals access to some sort of shared workspace, if you don’t want to rely on e-mail communication only. That is also feasible, especially in the days of Cloud Computing – but then there are other information security issues to solve.

A really interesting question in these days of “Data Leakage by Design” and inherent security risks (for example in Android), not to mention questionable concepts of privacy that for sure also affect corporate users, is whether the corporate devices are really secure. For sure it is much easier to mitigate information security risks in an environment with a limited number of device types, operating systems, and applications. But many types of devices, including virtually all of today’s smartphones, won’t support the required level of control. How do you really ensure that no “malicious” (in the broadest sense) app is used? How do you prevent users from accessing the “wrong” web sites? Many organizations invested a lot of money to achieve that goal in the days before BYOD became popular and seldom reached their targets.

Finally, the business is requesting specific types of devices. You might argue that no one really needs a tablet or some types of smartphone. You might even be right. But that puts you in the classical position of IT being an inhibitor to doing business better. And overall, there is some value in new types of devices, even though many things are overhyped. A restrictive policy will never be able to keep pace with the changing requirements of business users and the way they communicate.

Fighting BYOD is, from my perspective, the loser’s way. It is the Don Quixote approach not only to BYOD but to information security as a whole. The fundamental problem with the approach is that it focuses on device security instead of information security. That is very (!) “old school”. Information security – as the name implies – is about securing information and what is done with that information – at rest, in transit, and in use.

You will learn a lot more about BYOD at the European Identity and Cloud Conference 2012. There is also a KuppingerCole report on BYOD available.