Skip Links

BYOD keeps expanding, and IT just has to deal with it

With a growing number and type of devices, enterprises need to assume that they are vulnerable, analysts say

By Taylor Armerding, CSO
January 03, 2013 07:30 AM ET

CSO - The debates about whether the BYOD (bring your own device) trend makes economic and security sense for enterprises raged on during 2012, and will continue through 2013 and beyond.

Now on CITEworld: Switching From iPhone To Windows Phone: A Personal Journey

But the reality is that BYOD is expanding, not only because of the number of employees doing it, but also because the kinds of devices are expanding as well. Instead of just laptops and smartphones, there are now tablets and mini-tablets.

Mat Young, senior director of the products group for Fusion-io, was only stating the obvious when he observed earlier this week, "Many enterprise employees no doubt received new tablets this holiday season. And many are likely to bring them to work on Wednesday, Jan. 2, 2013 -- perhaps the biggest day ever for the BYOD trend."

So, for most enterprises the question is not whether to encourage BYOD or block it, but how best to cope with it.

[Joan Goodchild in Leading Edge: Should security be responsible for BYOD policy?]

Ian Tibble argues at Infosec Island that the security of the devices themselves is almost irrelevant. "The place where security is at these days, isn't a place where we can effectively manage user device security ... we lost that battle," he wrote. "The stance has to be based on an assumption that one or more devices in corporate subnets has been compromised."

And Luke Philips at TechSling noted that Google's new security feature called "application verification service" with the release of Android 4.2 is not as secure as advertised.

Citing a study by Xuxian Jiang, a computer science professor at North Carolina State University, he wrote, "the Google AVS is only effective in stopping 15% of known malware threats. This is a scarily low number for IT departments ... IT departments, if they haven't already, need to make enterprise mobility policy their top priority for the new year," he wrote.

One idea came during a recent panel discussion of mobile security by CISOs at an event hosted by CSO magazine: Since the device is untrusted anyway, let users do as they like, but isolate corporate apps, data and network access from whatever else is on the device -- "containerize" it.

But, the CISO acknowledged that it was still just an idea, not a product.

In the realm of reality, Gartner recommended after a major survey last year: "Enterprises should focus on mobile data protection (MDP), network access control (NAC), and mobile device management (MDM) tools to support their BYOD and new enterprise mobile platform efforts."

Andrew Jaquith, CTO of Perimeter E-Security, agrees in part. "MDM can help ensure that the most essential mobile security policies are enforced, for example requiring a PIN and an auto-destruct policy," he said.

"MDM can ensure that content, or full-device encryption, is enabled on platforms that support it, such as iOS and BlackBerry," he added. "However, Android devices offer no guarantees about whether encryption will be present or not, so we generally recommend retrofitting Android devices with a lightweight encrypted container app."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News