The BYOD Conundrum
Recently, I wrote about the risks and issues associated with “free” apps for smartphones, tablets, laptops and desktop computers. In our connected world, we all need to be aware of and concerned with our personal privacy, but there is a parallel trend that extends those concerns into the corporate world – BYOD.
For any number of good business reasons, companies and their IT departments are considering, or have already made, the transition from a standard corporate suite of computing hardware and software to a policy that lets employees bring their own devices (Bring Your Own Device, or BYOD) onto the corporate network and use them for business.
The increasingly capable hardware (faster processors, more memory, high-resolution cameras, sensitive microphones, biometric identification), accessed by “free” (and other) apps under their Terms of Service (ToS), opens a window onto proprietary company information for legitimate application developers – and for hackers and data thieves.
In fact, it is not impossible that a hacker could “break” a single BYOD device and, using that device’s access to the company network, “invade” other devices on the network, gaining access to enormous amounts of both company and personal data and information.
IT managers and their departments are not oblivious to this problem, but the problem is an incredibly complicated one. “Complicated” here means a “system” composed of a large number of parts that work together to perform predictably (the same input yields the same output every time), one with multiple operating systems (e.g. Windows, OSX, iOS, Linux, Java, etc.), multiple encryption systems, multiple ontologies and multiple security approaches – at the minimum.
This complicated technical problem (making everything play together effectively and efficiently) is intertwined with a highly complex one. “Complex” here means a “system” composed of components (including, specifically, the company IT security managers and the hackers) whose behavior changes continually, so the same input does not predictably yield the same output or result every time. This complex system is the interaction between the defensive tools and techniques of the company IT department and the offensive tools and techniques of the hackers. In an offense/defense situation such as this, the offense has the advantage, since it can introduce new attack tools and techniques to circumvent the company’s existing defensive tools and techniques.
The company IT department must now develop solutions that incorporate the traditional technical tools of integration and security, but it must also address the non-technical interplay of the widely varying ToS associated with every BYO device and with all of the equally widely varying apps on those devices. This latter challenge is a semantic and legal one that may not have a solution – it may not be possible to develop a policy and an associated technical solution that resolves all the interoperability and security issues created by incorporating BYODs into a company network.
This leaves the company with a conundrum – adopt a BYOD-friendly policy and network, prohibit BYOD (and forgo the associated benefits), or create a policy addressing permissible personal apps (and it’s not clear how such a policy would be received by civil liberty champions and the courts)?
The advent of BYOD to company networks is a serious issue that must be addressed by any company considering it. I think that BYOD is nearly inevitable, and the associated issues and risks are formidable.
Next week, I’ll close what has turned into a series of articles with a piece on an effort that is targeted at personal privacy, but which may result in a solution to the corporate BYOD risks and issues.