Original URL: http://www.theregister.co.uk/2014/05/06/data_security/
Danger, Will Robinson! Beware the hidden perils of BYOD
And we're so nice, we're telling you how to dodge them
When I first became involved with networked PCs, the company I was working with was upgrading its NetWare 2.0a installation to 2.15. We were pushing the boundaries of networking with our three-way gateway connecting Ethernet, Token Ring and PCnet.
The only local storage on all but the most high-end PCs was a floppy drive, and even if you took data offsite you probably didn't have anything at home that you could read it on.
Now it is the opposite. Far from being confined to the office, we are actively encouraged to read and create data while out on the road, working from home, sitting in a client's office, waiting at the airport or speeding through the countryside on a train.
Making and using data wherever we are brings massive productivity boosts, but, as always with technology, this silver lining has a cloud.
If you take data out of the office, there is a chance that you will lose it. In fact, according to the stats on the Metropolitan Police's website, up to 10,000 phones are stolen in London each month.
Losing an expensive device is annoying enough, but placing the data it holds at risk of being seen by others can be legally or financially ruinous. Protecting the data on your users' devices is absolutely critical.
Lock the laptops
Where a user's primary point of contact with data is a desktop PC or thin client, the risk is minimal and there is little you really need to worry about aside from locking the door at night. As soon as you give the user a laptop, though, you will want to protect it against loss.
Happily, if you are a user of the business-centric editions of Windows 7 or 8 you have the option of using BitLocker to encrypt the entire disk, and there are dozens of third-party equivalents if BitLocker's not available on your setup.
Of course, while no encryption technology is entirely secure, making the effort to encrypt your data will protect against all but the most persistent thief.
The same applies to USB memory sticks. There is really no excuse for not using encrypted sticks to carry important data as the range is almost infinite and they cost next to nothing.
The only issue with them is that they often use an on-board encryption application that runs when you insert the stick into your desktop or laptop, so if you are not a Windows user you need to be sure that the on-board app supports your Mac, Linux machine or whatever.
More portable and easier to lose than the average laptop, mobile phones bring a new level of risk to taking data offsite.
The approach devised by RIM, the makers of the BlackBerry range, was innovative: tie the devices into the enterprise using secure data links and a central management server (the BlackBerry Enterprise Server), which has total control over every device it knows about.
You can force the user to use a password as basic protection in case someone inadvertently picks the device up, and if someone walks off with it you can disable and wipe it remotely via the enterprise server.
Web browsing can be forced to go through the corporate network too, which means you can apply filtering rules just as when the user is on the office network.
When RIM came up with its own tablet, the PlayBook, it was particularly cunning in the way it dealt with confidential information.
As the device is intended as something of an iPad-basher it has the ability to work autonomously for web browsing and the like, but if you want to read your email or other confidential corporate stuff you have to pair it with your BlackBerry handset as a pretty (but dumb) window.
If it can't see the BlackBerry, you can't use it to read your mail. Sneaky but clever.
Managing all these mobiles
Expanding the concept outside a single vendor, we now step into the world of mobile device management (MDM). The idea is simple: make every other type of smartphone controllable in the way that made BlackBerry so attractive.
BYOD: great for working on the move, less so for security
It is no surprise that the range of offerings on the market is already big and it continues to expand as new vendors jump on the bandwagon.
Neither is it any great shock that the latest version of RIM's enterprise server package is multi-platform and encompasses iOS and Android devices as well as the company's proprietary handsets.
What does MDM bring us? Precisely what we have just discussed: centralised policies, mobile device wiping, control over the functions users are able to use, connectivity into corporate fileshares and so on.
Pretty well every decent offering has a similar baseline of functionality, including all of the above plus on-board encryption, the ability to share files securely with colleagues and third parties, and even the option not to permit the user to see files at all in the event that the device can't contact its “mother”.
There is just one snag, though: BYOD, or bring your own device.
Some bright spark has decided it is a good idea to let users bring their own computers in to work and read their corporate emails on their own iPhones. Many employers (mine included) even offer financial incentives for staff to use their own devices to reduce the capital and support costs of owning vast collections of PC software.
This messes up the MDM model because your users probably won't want you to be able to take control of their devices, enforce policies or wipe all their data just because they have left the company and you don't want them to see their email any more.
The problem, then, is data leakage – regardless of whether staff members are part of some formal BYOD scheme or just using their personal device to make that last-minute tweak to a document. When data finds its way onto someone's portable device you can assume it will be accessible for ever more unless there is some way you can control what that person can do with it.
There are a few solutions and you may well end up using more than one of them, because each addresses a different aspect of the problem.
If you install applications on users' mobile devices you have the problem of uninstalling them if users leave the company. The answer is simple: don't install them locally on the devices but instead make them accessible remotely.
Anyone who has ever used something like the Citrix Receiver client on an iPad will know that it is actually not a bad experience. True, you wouldn't want to write a novel on it, but you probably wouldn't want to do that on a locally installed word processor either.
The prevalence of 3G/4G mobile networks and wireless hotspots makes it economical for your users to treat their BYOD devices as thin clients and access applications over the internet.
This could be through a self-hosted or a cloud service, the latter often being preferable as users may well be connected automatically to their closest server, thus aiding performance.
The trouble with email
Thin-client operation is fine for many apps, but you really wouldn't want to have to depend on it for the apps you need little and often, email and calendar being the main examples.
Apps, apps, apps: You need devices that can handle common tasks – and more
Similarly, you wouldn't want to allow users simply to connect their smartphones' in-built email programs to your mail server because there is no way you can ever erase any messages they have downloaded.
The answer comes with the sandbox applications from the likes of Good Technology and MobileIron. These applications install on smartphones and connect to an enterprise server in the same way as the BlackBerry, except that instead of managing the entire device you can manage only the applications.
Because the app sits there holding its data in an encrypted archive which can be auto-disabled if the device loses sight of the server for any length of time, you are giving users everything they need while maintaining full control over it.
Furthermore, many of these packages can do cool stuff such as giving the rest of the phone controlled visibility into the content of the sandbox. Thus the corporate phone book could be available to the phone's native dialler so the user can look up and call people, but it is then hidden if the application decides, or is told, that the user is no longer allowed to see it.
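The "loses sight of the server" behaviour described above, as an added example that is not code from the article or from any vendor it names: the enterprise server issues an HMAC-signed lease with an expiry, and the on-device sandbox releases the key for its encrypted archive only while that lease verifies, is unrevoked and is unexpired, zeroing the key otherwise. The device names, shared secret and lease format are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret standing in for what the sandbox app and its
# enterprise server agree at enrolment (placeholder, not a real product value).
LEASE_SECRET = b"constructed-enrolment-secret"

def issue_lease(device_id: str, issued_at: float, ttl_seconds: int, revoked: bool = False) -> str:
    """Server side: sign a short-lived lease; the device must check in to renew it."""
    claims = {"dev": device_id, "exp": issued_at + ttl_seconds, "revoked": revoked}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(LEASE_SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

class SandboxStore:
    """Device side: holds the archive's data key only while a valid lease is present."""
    def __init__(self, device_id: str, data_key: bytes):
        self.device_id = device_id
        self._key = bytearray(data_key)  # bytearray so the store's copy can be zeroed in place
        self._lease: Optional[str] = None

    def check_in(self, lease: str) -> None:  # runs whenever the app can reach its server
        self._lease = lease

    def _lease_valid(self, now: float) -> bool:
        if self._lease is None:
            return False
        try:
            b64_body, b64_tag = self._lease.split(".")
            body, tag = base64.urlsafe_b64decode(b64_body), base64.urlsafe_b64decode(b64_tag)
        except ValueError:
            return False
        expected = hmac.new(LEASE_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered lease
        claims = json.loads(body)
        return claims["dev"] == self.device_id and not claims["revoked"] and now < claims["exp"]

    def data_key(self, now: float) -> Optional[bytes]:
        """Release the archive key, or wipe it once the lease has lapsed or been revoked."""
        if not self._lease_valid(now):
            self.wipe()
            return None
        return bytes(self._key)

    def wipe(self) -> None:  # zero the store's copy; the archive stays sealed until re-enrolment
        self._key[:] = bytes(len(self._key))
        self._lease = None
```

Once the lease lapses the key is gone for good, so a later clock correction does not bring the archive back; only a fresh check-in with the server and re-provisioning of the key would.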
BYOD file sharing
This final issue is an extension of the problem with application access: you want to be able to access files natively with the mobile device's in-built functions or other popular applications (for example a PDF reader or MS Word viewer), but the files need to be controlled and eradicated if required.
We are back to the sandbox approach, this time with centrally controlled file sharing and file synchronisation tools which can, like email programs, be configured to encrypt data and eradicate it if legitimate access is curtailed.
The chances are that if your company owns the devices you will go for a full-blooded MDM offering because you are perfectly happy with the idea of managing the entire device and blatting its content when you part company with the user.
And if you are working with a BYOD model you may well choose two or three packages as best-of-breed but separate offerings for email, file and application access.
Overall, though, controlling the data created or held at the edge – or in most cases outside the edge – of your network is not rocket science. The technology is out there and you simply need to pick the packages that suit you best. ®