BYOD: Ready or not, here it comes
You can’t hide
Video Whisper it. The techies have lost control. Partially at least.
The rise of the smartphone, slate/tablet/whatever you want to call it, means that more and more unqualified devices are creeping onto the corporate network.
In our recent broadcast, Many Devices, One Policy, Tim Phillips, Andy Buss and Sasi Myrthy explored how this trend is causing the IT department to pull out its collective hair, especially when it comes to the potential security threats when a business is not prepared for such a change.
Andrew brought along a pile of research he’s done with Reg readers that covered the problems involved in implementing a single security policy. Sasi, on the other hand, brought a batch of experience from real projects she’s undertaken in her role at Blue Coat.
So did this panel reveal how a single security policy can work on multiple devices?
You can find out when you tune into our on-demand version of the event here, from the device of your choice. ®
We're not seeing a lot of BYOD; what we are seeing is Buy Me A Device. Staff getting bought a shiny new tablet device because of some "business need" and then expecting to use that as a personal device to connect to Facebook, play Angry Birds, show off to their friends etc.
Dear El Reg
Please stop it. I don't know who is paying you for this constant barrage of posts but have some decency and say no. It's not happening except in the narrow sense described by Nigel 11. Few people have these privileges.
This isn't a question of being nice to the employees, it's about not further eroding the ability of a company to comply with the law. Making it easy for people to copy corporate and personal data on to private devices is not going to happen and it seems a bit reckless of this organ to promote that expectation.
Sure, most employees will not actively arrange to breach their obligations as employees. But then most hacks are the result of people on the inside doing things, probably unwittingly, which supports hacking. And that is on top of the personal data already left lying around on laptops and the like for which companies are liable. Can you imagine the volume of personal data that would be exposed if private devices were attached to corporate service with even a degree of trust?
Access is not the problem. The problem is too much access.
For instance, you connect to your VLAN, and you want to access files. Now we have issues with viruses (if I break your phone you'll sue me, if you break my network I'll kill you), data protection, data retention, etc. etc.
But because you *DON'T* control those external devices there's no way to say that you're legally in charge of them (even if the users "agree", you're still failing in your duty as a data retainer, and CANNOT make the employee submit those devices to your whims without a lot more hassle - e.g. "we need to show a court that file you deleted from the network last week shortly after copying it to your phone"). You have no right to enter, seize or otherwise control a user device EVEN IF they did give you permission once. And it would be your fault if something goes wrong and gets out (because someone's phone is nicked, say, and sensitive pages are recovered from the browser history of an insecure browser that THE USER chose because you did not lock down what apps they can use) because your policy, despite forbidding the action, will be pretty much blamed because it allowed it to happen anyway.
Yes, there are workarounds but everything BYOD creates extra hassle in this area. You can VLAN everything off, open up only external access to verified users over secure connections with certified-clean devices, push everything through a centrally-controlled and logged web-based interface with zero permissions. But they can still run off with data that you, as a company, can be required to provide by law and/or not allow distribution of. And do so accidentally, automatically, and unrecoverably.