OK, so the other week, I opened a line of questioning about whether or not BYOD increases risk in the enterprise. It got to be fairly long, so I promised a return to the topic at some point. So now, here you have it – the second part of that discussion.
To tee up, if you recall from last time, we outlined two premises that form the core of “traditional wisdom” about BYOD and risk, namely:
- Corporate-provisioned devices are de facto more secure than personal ones
- An organization’s ability to centrally manage a device is key to the security of that device
Last time we looked at the first of these two points in detail, and concluded that the “real answer” is more variable than it appears. Specifically, some enterprises may be able to secure a device better than most users would do on their own – and that can have value. However, another subset of users might perform the tasks equally well – or even in some cases do a better job. Which means that corporate-owned devices aren’t magically more secure on their own without some kind of plan on the part of the hosting organization… TLDR version: just assuming that a device is more secure if you buy it isn’t a good idea.
We didn’t get to the second assumption, but I think it leads to a similar conclusion. Namely, there are different types of centralized management with different security properties. If that’s true, central management is a spectrum on which some approaches are very good and some are less so, and once again logic dictates that centralized management isn’t a “Midas touch” where everything gets resolved “just because.”
Here’s what I mean by that. We know, for example, that 61% of organizations do not use an MDM. We also know that only 17% universally disallow user app installs for corporate-issued devices (though, to be fair, a higher percentage disallow known-bad malware). Yet an Aberdeen survey cites 70% of enterprises as reporting remote management capabilities. This seemed like a disconnect to me – perhaps naively, since I’m no mobile expert.
Anyway, to figure out what was going on, I did some digging into a few technical “how to” guides on centralized mobile management. Having done that, my take is that some organizations are considering tools like ActiveSync a central management alternative. In other words, because ActiveSync allows you to encrypt the device and require a password, and in some cases allows you to initiate remote wipe, there are some “centralized management” capabilities. It seems that way intuitively and some guidance out there does in fact position it that way.
So, if that’s the case, it seems to me we can break premise 2 into (at least) two distinct sub-items for discrete values of “centrally manage”; there are probably more than two, but these are the two based on the guidance I was looking at earlier:
- 2.1 - An organization’s use of MDM is key to the security of a mobile device (“centrally manage” = MDM)
- 2.2 – An organization’s use of ActiveSync is key to the security of a mobile device (“centrally manage” = ActiveSync)
NIST guidance more or less equates central management with MDM – or rather, a tremendous oversimplification of their guidance implies this. 2.2, while still offering value, seems to have different security properties – at least it does to me.
For example, if I’m connecting to Exchange using ActiveSync on an Android client running TouchDown, is the remote wipe capability equal from a security standpoint to that provided by an MDM? Now, don’t get me wrong — I’m not knocking TouchDown (I’ve been a user since back when I got my G1 phone). As a user, I like the fact that it doesn’t wipe my whole device but only the Exchange repository. But unless I’m also using something like Android Device Manager or an add-on product that I as a user install to implement a complete device reset, it seems to me that there could still be corporate data on the device (e.g. stuff I downloaded) that my employer would like to delete. OK, so they could prevent me from downloading attachments — but who wants that when the alternative would be a full remote wipe?
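To make the “centralized management” capabilities of ActiveSync concrete, here is an added example (not from the original post, and not vendor guidance) of the Exchange 2010-era Exchange Management Shell sequence behind them: a mailbox policy that requires a device password and device encryption and can switch attachment download off, a check of which client is actually syncing and whether it reports wipe support, and the remote wipe command with its acknowledgement. The policy name “BYOD-Baseline”, the mailbox alias “jdoe” and the notification address are placeholders I chose; whether the wipe clears the whole device or only the mail store is decided by the client, which is exactly the TouchDown point above.

```powershell
# Added example: Exchange Management Shell, Exchange 2010-era cmdlet names.
# "BYOD-Baseline", "jdoe" and the notification address are placeholders.

# 1. Policy: require a device password and device encryption, refuse
#    clients that cannot enforce the policy, and decide whether
#    attachments may be downloaded to the device at all.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $true   # $false keeps attachments off the device entirely

# 2. Assign the policy to a mailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Check: which client is syncing, and does it report remote-wipe support?
#    DeviceUserAgent distinguishes a native mail client from a third-party
#    app such as TouchDown, which matters for what a wipe will actually do.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceUserAgent, LastSuccessSync, IsRemoteWipeSupported

# 4. Remote wipe. Exchange only sends the RemoteWipe command; the client
#    chooses its scope. A native client typically resets the whole device,
#    while a third-party mail app may clear only its own mail store, so
#    files saved outside that store can survive.
$device = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses "secops@example.com" -Confirm:$false

# 5. Confirm the wipe was sent and acknowledged by the client.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Step 3 is the check a practitioner would want before relying on 2.2: if the user agent is a third-party mail app, the policy settings still apply to that app, but the wipe in step 4 should be expected to cover only what the app stores, and anything downloaded elsewhere on the device needs an MDM or a device-level tool to remove.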
Anyway, the point is that 2.1 and 2.2 are not necessarily equivalent in every respect. Therefore, just like with point #1, discretion and intelligence are required on the part of the organization to make sure that its plan is up to par for what it defines as acceptable. Bear with me, because in part 3 I’m going to draw a connection between these two points and explain why I think BYOD doesn’t have to be any worse security-wise than corporate-owned mobile.
< The views expressed are mine and do not necessarily reflect those of my employer. >