Policy Problems Vex Corporate Bring Your Own Device
Private-sector BYOD uses have pitfalls and perks for employers and employees.
The jury is still out in the corporate world as to whether the bring-your-own-device trend will gain a permanent foothold. While the movement creates security worries and extra work for information technology employees, it presents a few perks corporate leaders are reluctant to turn down: cost savings and increased employee productivity. Efforts at full implementation, for both businesses and government entities, are stymied much more by policy than by technology or the lack of it, experts say. While some technological shortcomings create security risk, viable solutions are on the horizon.
“BYOD [bring your own device] is not really that big of a technical problem. The bigger challenges are surrounding HR [human resources] and legal,” says Scott Montgomery, vice president of public-sector solutions for McAfee Incorporated. “I don’t think the technology is the limiting factor here. It’s organizations’ reluctance to have data on the gadget that they can’t control. So when you talk to most organizations, they actually don’t go through with BYOD, or it takes them longer than they thought they would, or they get through it, but it’s painful—but not because the technology doesn’t exist.”
The biggest disconnect is between how employees use personal mobile devices and how companies have implemented, or are trying to implement, BYOD policies. According to a recent BMC Software survey, 95 percent of companies permit some form of BYOD, with 84 percent providing minimal support for BYOD. The survey characterized the trend as a big productivity boost, with companies getting at least two bonus hours of work out of employees on weekdays and an additional 20 business emails sent each day.
If corporations are hesitant to fully embrace BYOD, employees are more so if it means turning over personal mobile devices to corporate or government control or oversight, Montgomery says. “If you pay for your own carrier service … and you buy your own gadget to run on one of those carrier networks, and I alter the data on your gadget, or I manipulate your gadget, or I connect to your gadget and make changes to it, they have a word for that. It’s called a felony,” continues Montgomery, who has been with McAfee since 2008 and designs solutions to information security and privacy challenges for industry worldwide.
“What organizations are trying to do is get people to agree that the organization’s data can be protected, even though they bought the gadget and they bought the carrier service. And this is tricky. So you go to your niece’s recital and you take a video on your iPhone of it, and that video is inadvertently deleted in the organization’s attempt to protect its data. … What is your response going to be? You’re going to sue.”
However, a 2013 survey by TEKsystems reports the trend can be popular among workers, who find it much easier to handle light work tasks such as checking email on their personal devices, especially on their own time. Employees can work with much more flexibility, accessing necessary documents and apps at any time from any place. Employees reported higher job satisfaction rates, which translated to higher retention rates, according to the survey of more than 1,500 information technology leaders and more than 2,000 professionals from the United States and Canada. Businesses that delay the implementation of BYOD struggle to attract workers. Hesitant company leaders put security concerns at the top of their list of worries, and the TEKsystems survey validates that: it reveals such fears are warranted because many companies’ BYOD policies are poorly designed, unevenly implemented or simply nonexistent.
Security woes, however, might be a red herring that keeps companies and the Defense Department from catching up with the inevitable trend, according to Chris Williams, an authentication engineer for Leidos who spoke in June at the CyberSecureGov 2014 conference. “The technology works, but the policies don’t quite line up. And what I would offer to anybody who wants to listen is that the advantages of making a policy exception to allow [BYOD] to work vastly exceed the disadvantages of the possibility of compromise on that mobile device,” Williams offers.
Systems already are compromised any time employees surf the Internet at work, take home a company laptop or use virtual private networks to remotely connect to the company’s network from a system the company does not control, says Williams, who has been involved in the information technology security field since 1994 in a combination of U.S. military and civilian positions. “You’ve got unmanaged, out of control, compromised machines already on your network. Why are you worried about mobile?” Williams asks. “I assure you, people’s home machines are compromised at a rate that is 10 times the rate that you’re going to encounter with mobile” devices.
“You don’t have a mobile problem—you have an endpoint problem,” he continues. “Your mobile endpoint problem is generally no worse than your other endpoint problems, and unless you have gotten your other endpoint so locked down, … it’s quite likely that your mobile endpoints are a lot more secure than your regular computers.”
Already, derived credentials from the personal identity verification system can grant access to networks from mobile devices, Williams points out. “With so many people not actually setting foot into an office, so many telecommuters, the derived credential can become the primary credential,” he suggests, adding that the derived credential should replace the federal government’s reliance on use of the Common Access Card, the principal card used to enable access to buildings and controlled spaces and provide access to Defense Department computer networks and systems. “By doing this, I now have an electronic identity that is no longer limited to the card. It is derived from the card. It is governed by the identity life cycle that governs the card.”
The technology eliminates reliance not only on use of the smart cards themselves, but also on smart card readers and the one-time password generator technology. “Put all this together [in one device], and now I have a solution that satisfies 98 percent of my employees’ needs 98 percent of the time, and it delivers real business power,” Williams states.
While the Defense Department has mulled the topic for a few years, no policy is in place yet to permit the military and civilian workforce to use personal devices for defense purposes. “Despite the benefits, existing [Defense Department] policies, operational constructs and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition,” reads a memorandum signed by the department’s former chief information officer Teri Takai. It is dated February 2013. No commercial mobile device used as a personal device meets Defense Department security requirements, so none can be used. However, the Defense Information Systems Agency (DISA) and some Pentagon offices are examining technical alternatives and procedures and running pilot studies in an effort to bridge the security gap, a Defense Department official says.
Until businesses and the government reach a solution palatable to all, workers will have to accept—and have accepted—the practice of carrying two or more devices, allows Montgomery, who predicts BYOD use is inevitable. “It’s absolutely going to a place where people will be able to use their own gadgets. In the near term, I think people are going to be forced to use thin and zero clients because government doesn’t want to relinquish their control of the data.”
In the future, however, mobile devices likely will morph into what Montgomery calls “multiple personas,” which is similar to having two phones packaged into one device. “Some [companies] are doing it to the operating system; some are doing it at the bare metal or hypervisor layer. So you would have virtually different phones, but on the same piece of hardware.”
Additionally, a type of metadata technology would limit the kind of data users can access from a mobile device. “People are looking at metadata to determine which kinds of data are appropriate to be on a nonhardened laptop. This metadata says about this item that it shouldn’t be opened on an iPad. That technology is a little bit further out. There’s nothing really tricky about that, it’s just having the discipline to make sure your data is properly tagged up.”
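The tag-driven access decision Montgomery describes, as an added illustration that is not part of the original article or of any McAfee product: the sensitivity tiers, device posture fields and rules below are assumptions, and an untagged item is refused by default, which is the point of the tagging discipline he mentions.

```python
from dataclasses import dataclass, field

# Constructed sensitivity tiers; a real deployment would use its own labels.
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class DevicePosture:
    """Hypothetical posture facts an endpoint agent or MDM would report."""
    device_class: str   # "laptop", "tablet" or "phone"
    managed: bool       # enrolled in the organization's device management
    hardened: bool      # meets the organization's hardening baseline
    persona: str        # "work" or "personal" container on a multi-persona device


@dataclass
class DataItem:
    name: str
    tags: dict = field(default_factory=dict)  # metadata carried with the item


def decide(item: DataItem, device: DevicePosture) -> tuple:
    """Return (allowed, reason) for opening item on device; untagged data is denied."""
    tier = item.tags.get("sensitivity")
    if tier not in TIERS:
        return False, f"{item.name}: untagged or unknown sensitivity, deny by default"
    level = TIERS[tier]
    # Per-item device-class restriction, e.g. "this item shouldn't be opened on an iPad".
    allowed_classes = item.tags.get("device_classes")
    if allowed_classes is not None and device.device_class not in allowed_classes:
        return False, f"{item.name}: not permitted on a {device.device_class}"
    if level == TIERS["public"]:
        return True, f"{item.name}: public data, any device"
    if device.persona != "work":
        return False, f"{item.name}: only the work persona may open {tier} data"
    if level >= TIERS["confidential"] and not device.managed:
        return False, f"{item.name}: {tier} data requires a managed device"
    if level == TIERS["restricted"] and not device.hardened:
        return False, f"{item.name}: restricted data requires a hardened device"
    return True, f"{item.name}: {tier} data permitted on {device.device_class}"


if __name__ == "__main__":
    byod_tablet = DevicePosture("tablet", managed=False, hardened=False, persona="work")
    managed_laptop = DevicePosture("laptop", managed=True, hardened=True, persona="work")
    items = [  # constructed sample items
        DataItem("recital.mp4"),  # personal video, never tagged
        DataItem("handbook.pdf", {"sensitivity": "public"}),
        DataItem("roadmap.docx", {"sensitivity": "confidential"}),
        DataItem("payroll.xlsx", {"sensitivity": "restricted", "device_classes": ["laptop"]}),
    ]
    for device in (byod_tablet, managed_laptop):
        for item in items:
            print(device.device_class, *decide(item, device))
```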
Roughly 80 percent of information technology workers indicate they used personal mobile phones for work-related purposes on a typical business day, while 72 percent use laptops and 54 percent leverage tablets, according to the TEKsystems survey. “Considering these numbers, it is really no longer practical for businesses to simply forbid BYOD within their organizations, as too many information technology workers now expect to be able to use their personal devices in these ways,” reads a portion of the survey summary.
“This is where in these projects [of devising BYOD policies] the wheels come off the road,” Montgomery says. “All of this conundrum centers around the access rights to organizational data. This is the first decision that practitioners and organizations have to make,” he offers. “If they can get to a place where they’re going to be productive and protective, it’s going to be a variety of connection mechanisms, whether they’re thin client or zero client or multiple personas. It’s going to be hardware assisted … and it’s going to be, most importantly, data centric.
“The biggest chasm is that most organizations don’t have a really good handle on their data now,” Montgomery declares. “So there is going to be a forcing function here for organizations to get a hold of their data and treat it with better respect.”