A graduate seminar: current topics in computer security
 

Security Analysis: Bring Your Own Device?

I had two very different internships over the past two summers, one at an investment bank's technology division and one at a technology company in Silicon Valley. Despite other differences, one thing I remember was the attitude towards Bring Your Own Device (BYOD). At the bank, most people have their desktops at work, BlackBerrys for checking email and personal phones for daily use. Most people don't even have laptops, and working from home was not a very common option. At the tech company, on the other hand, every developer has a laptop preinstalled with VPN and an RSA token, a desktop at work, and a personal phone connected to their work email account. People regularly work from home once a week. The two cases are extreme, but the trend towards BYOD is undeniable given the prevalence of the iPhone, iPad and other smartphones and tablets. People like the freedom to have their own devices and the flexibility to use various apps to increase productivity. But for the IT department, BYOD is a tempting but still risky policy to adopt.

Risks:
1. Data Loss
One of the biggest concerns with BYOD is data loss protection (DLP). Before the smartphone era, people didn't really carry confidential data around on their devices, because what they could do with a BlackBerry was quite limited. But now smartphones, and especially tablets, can do complicated tasks, which increases both the power and the danger of the device. If an employee leaves his device in a cab and someone else picks it up, it is harder to protect the confidential data from being stolen if the employee doesn't have the required firmware installed. Another problem is that the security of portable devices is relatively weak. On the iPhone, many things depend on the unlock password. Once an attacker finds out the password, either through social engineering or simply by brute force (most people only use 4 digits for their password), they can unlock the phone and potentially peek into confidential information or documents. Applications like Dropbox, Google Drive or Evernote are convenient and user-friendly, but probably too friendly at some point. The separation of work and personal data becomes harder, which lowers security even further.

2. Malware Protection
Tons of apps in either the iOS App Store or the Android Google Play store are malicious. Those apps might exploit vulnerabilities in the system or interact with other apps in an uncontrolled way. Sandboxing of the company's internal apps is important. There was a paper I read for this class about how malicious apps use ads to do evil things on behalf of other apps. Though it's unlikely an internal app will have ads, the possibility of different apps sharing some sort of resource can still be a headache for the IT department.

3. Deployment Issue
Even if some security methods are implemented, how do we make sure they are deployed on every device and functioning well? Device options these days are not limited to just one; there are at least 3 or 4 popular ones. And an operating system like Android has serious fragmentation of OS versions. The cost is huge, and the result is not even that effective. The cloud seems to be a very popular way to do things these days, and it solves some problems such as scaling and compatibility, but security is still a big concern.

According to a survey by HDI, the percentage of BYOD adoption is increasing and employees are definitely happier using their own devices, but when asked about the future of BYOD, only 1/3 of the companies that currently don't have a BYOD program are considering adding one in the next 12 months. I think BYOD will be the future eventually because it can potentially be a win-win situation for both companies and employees.

Reference:

https://news.citrixonline.com/wp-content/uploads/2012/04/BYOD-Hot-or-Not.pdf

http://blog.fortinet.com/byoa-brings-new-and-old-challenges-for-it/

http://www.pcpro.co.uk/features/377659/the-truth-about-byod/2
