Through a Handset Darkly: Grasping the BYOD Security Paradigm Shift
* This article originally ran on StateScoop on March 19, 2013.
"The golden age never was the present age."
That's a quote from Benjamin Franklin, who was about as close to a State CIO as you could get back in 18th century Pennsylvania.
And while it may seem jarring to think that we've progressed in just a few short years from a "golden age" of simple-to-secure state-owned mobile IT to a turbulent new era of employee-owned mobile IT, it's a reasonable assessment.
In state government today, attempting to own, distribute, and manage all of the mobile devices connecting to your network is about as practical as catching lightning with a kite.
The more I think about it, the more I'm convinced that the best lens through which to look at this issue is a historical one; by studying where we've been, it's much easier to grasp where we're headed.
In the past, laptops, desktops, and more than a few BlackBerrys were purchased by state governments and distributed to employees, but they were owned, managed, and controlled centrally—giving the state a high level of control over each endpoint's governance and the security of the information it held.
Today, state employees are purchasing these devices for themselves, using them recreationally at home, and then bringing them to work to conduct state business. Typically, states have reacted to this development in one of two ways:
First, there's a model that says: "You can purchase the device, but we're still going to manage it for you." In many cases, this is done by mandating specifications that facilitate state monitoring and control. Then, once those specially configured employee-owned devices are connected to the network, they're treated essentially like the state-owned devices of the past.
This is a popular model, but it isn't a long-term solution.
On the other hand, there's a model—being driven by what we call the "consumerization of IT"—in which states will cede control of their employees' hardware altogether.
This can be appealing to states, because it relieves a certain amount of financial and managerial burden. But controlling the sensitive information on these employee-controlled devices is much more complicated.
Remember, employees will be keeping personal applications (holding highly personal information like private financial data) on their machines, which creates the potential for a dangerous co-mingling of personal and state information.
State governments shouldn't have access to this personal data, and conversely, a state's business service applications and data cannot (by law) be co-mingled with any personal tools or applications.
As a point of fact, our security standards haven't changed; states need the same level of protection they had back during mobile computing's "golden age." And that means we're in need of a brand new security paradigm.
Today's device management must become much less about the device, and much more about the sensitive information and applications it contains.
Or, as Ben Franklin once wrote: "without continual growth and progress, such words as improvement, achievement and success hold no meaning."