Cyber Readiness and Response

BYOD is like a BYOB House Party

Created: 02 Aug 2012 • Updated: 02 Aug 2012 • 9 comments
Nick_Kael
+5 (5 Votes)

The times when Mom and Dad left their young teenaged son at home were the perfect time to phone the friends and tell them the party’s at my parents’ house and to bring their own bottle: BYOB! I was not thinking too clearly about the ramifications and risk to our home or personal belongings, or even about my parents getting sued by my friends’ parents. Those so-called friends would show up and inevitably things were broken, and almost always things would come up missing. I would scramble to try and repair everything before my parents returned.

Our place of work is much like our home, and we invite friends or colleagues to bring their own mobile device to the party and consume some sensitive data, BYOD! They are intoxicated with the excitement of the ability to get their work data on their personally owned device and do not understand the implications of that data being removed from the house. What is the real impact to us and them? After all, it’s not like they are worried about their parents coming home.

If we are going to have the BYOD house party and allow the team to bring their own risk of personal applications commingling with corporate data, we need to set expectations before they show up at the door and explain the policies and rules to them. This way, when they violate them, we can have our large football-playing friend remove them from the house. But how do we detect when people are sneaking off to our parents’ room to do inappropriate things? What will alert us? Do I have the controls in place? Have I given them application protection around their BYOD so I am not cleaning up broken glass before the parents get home? Do I even know who did it? Did I have them authenticate to the rooms in my home so I don’t get stuck cleaning up the mess by myself? If we get hungry while they are over, do I let them risk driving after consuming some beverages to get food, or do we order out?

With the movement to BYOD, and now more acronyms such as BYOA (Bring Your Own Applications), we need to look at controls that are a hybrid of Mobile Device Management (MDM) and Information Management, and also layer in user and device authentication, application security and some level of application control. Most organizations patch the PC environment fairly well these days, but what about mobile? Certificates for corporate Wi-Fi and VPN can also be tied into the solution. Data Loss Prevention (DLP) will play an important role in determining whether sensitive data is on a mobile device, and then how do we handle it from there? Do we move it, encrypt it, or both?

Plan out the house party and define the rules upfront, but do not get too wrapped up in the D in BYOD. We cannot marry ourselves to the devices of today as it is the information on that device we ultimately want to protect.

So how do you want to remember your BYOD House Party: for the good times had, or for the cleanups done in a panic?

Cross-posted from In Defense of Data.

Comments

Srikanth_Subra

BYOD!!! large spoken topic nowadays.. we can implement some application controls or restrict the corporate network access so that BYOD will become good times!!

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

-1

pattirbubbepatti

ALL EQUIPMENT SHOULD BE LEFT AT THE DOOR. IT IS NO JOKE HOW EASY IT IS FOR PEOPLE TO HACK IN, NOT JUST ON TV.

+11

Nick_Kael

Srikanth & Pattir,

I agree with both of you and thanks for the comments. I do not think we can stop this movement from happening though, so we will not be able to completely stop these devices from moving into the environment. I think there needs to be a hybrid of Device Management with Information protection (Protecting or Preventing Sensitive Data from being accessed on the Mobile) and authentication at a device and user level. Thoughts?

-4

Srikanth_Subra

Hi Nick,

Yes it is not possible to completely stop everything...All just in case they should come like that

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

-7

Dushan Gomez

I wish all of my users knew the issue / risk behind this BYO kind of thing, basically some of the developers bringing their own Mac and then installing Parallels Desktop to run Win XP as VM

or even worse the Windows haters reformat the laptop and then installing Linux while running Windows XP inside VirtualBox (-_-)"

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

-7

dsmith1954

It's not just the security risks behind BYOD. What about support of those devices? Even though policy may say: we don't support those devices technically, meaning if something goes wrong with that Mac Cat-of-the-Month OS, or Linux-flavor-of-the-month, we all know that support will be requested. And, how do you tell someone we can't fix your Mac Cat-of-the-Month OS or Mac Cat-of-the-Month OS? That's time spent away from users with "supported" problems that will cost thousands of dollars.

BYOD will be just as much of a fad as the Linux-flavor-of-the-month, or the Mac Cat-of-the-Month.

Of course it may just morph into a new name, just like the failed "Software as a Service" became Cloud services...

+1

dsmith1954

Oh, and yes it could be stopped. All it requires is someone at the top putting their foot down, saying NO, and enforcing it. It isn't inevitable. It doesn't have to be. All it takes is someone with enough sense to say no way!

-3

Nick_Kael

Thanks again for the comments,

I am absolutely seeing this become part of the results of BYOD, the "Cost of Support". I have also seen organizations place a line in the sand stating that we will not support your device related issues, only those issues related to connecting to your corporate data.

As for stopping it ... Well, I see that it is both top down and bottom up. What I mean is the Execs are as guilty of getting the shiny new device for a gift and then they want IT and Security to get it figured out and connect it, as well as the new talent that has been referred to as the "Digital Native" almost require this to happen prior to them accepting jobs out of college. With the Security Teams trying to help enable business, they are being forced to say yes, but here is how you should do it. A well thought out policy and framework for Data/Device management in a hybrid is winning all over the place.

Keep the thoughts coming and thanks again

-2

STHN

From a management perspective I think BYOD is more a matter of corporate culture, thus identifying and explaining when and why it is beneficial.

From an administrative perspective I think you can learn A LOT from these guys: CERN NICE Services

PMCS GmbH & Co. KG - Consulting and support for Altiris/SEP/EV and other Symantec products.
Please take the time and mark this post as solution if it solved your problem - thanks!

+1