BYOD Woes and Worries

Like the scene of a movie in which a biblical character holds back the mighty sea and is about to release the tide against his foes, BYOD has become a force of nature poised to flood those charged with keeping corporate systems secure.

Despite years of practice hardening systems and enforcing policies that restrict what can and can’t be done within the corporate network, businesses are under increasing (if not insurmountable) pressure to allow a diversifying number of personal devices to connect to their networks and be used for business operations. Bring your own device (BYOD) is the most intrusive trend that security teams have had to face for quite some time.

Unlike other business changes over the years that caused security teams to reevaluate their policies (such as allowing remote users to VPN in to the corporate network or enabling webmail facilities for roaming users), BYOD is being driven by all levels of the corporate hierarchy simultaneously. And it’s forcing new changes in the way organizations conduct business and seek to secure themselves.

BYOD is directly forcing the hand of security teams; and those that don’t (or can’t) accommodate the change are in for a very rough ride indeed.

Organizations that have embraced the approach—allowing employees to bring in their personal devices and engage with business systems—appear to have reaped rewards ranging from increased productivity, through to a lowering of capital expenditure within their IT departments. BYOD is affecting all walks of life. For example:

  • Out-of-hours system monitoring and alerting through Android applications that can be trivially loaded on to an employee’s smartphone.
  • Larger pockets being added to medical staff’s lab coats and smocks to accommodate the iPads they’re increasingly carrying around.
  • Shared use of cloud storage facilities as employees jump back and forth between personal and corporate devices throughout the day.

Not all businesses have embraced a BYOD culture the same way. In the majority of organizations I deal with, the general security strategy is to treat the device as “untrusted”—typically only allowing the user of the device to connect to the Guest or dirty wireless networks and limiting access to those services or business applications that can ordinarily be accessed remotely (e.g. through a VPN). Meanwhile, a handful have gone ‘whole hog’ as it were, and are doing away with corporate supplied computing devices; instead they’re offering to subsidize the employee’s purchase and provide a list of “minimum” security standards for the device.

We are in a transitional period with respect to BYOD strategies, and there is a lot of experimentation as organizations strive to achieve a new balance between security and convenience. As such, the security posture of an organization needs to take into account the continuous change going on around it. While it has been a common declaration within the security community that you can’t protect the end-point from a determined attacker, as device ownership slips from the hands of the corporate entity into the hands of the employee, so too does the onus for protecting it.

For many organizations the frontline in security for the last two decades has been protecting computers with host-based defenses. Sure, there has been investment in perimeter defenses, but the war between the cybercriminals and their prospective victims has been fought in the operating systems, web browsers and applications of the end device. As such, with the end-point device slipping out from the control and oversight of corporate security teams, added emphasis is being placed upon two critical security approaches: securing the core (centralized) intellectual property and data of the organization, and rapidly identifying devices that have already been compromised.

Organizations with a mature security strategy flexible enough to accommodate BYOD demands have pursued an approach in which it is assumed that the user’s device is likely (if not already) compromised and under the control of an external criminal entity. As such, they have narrowly focused their attention on securing the servers that really matter to the business, and on securing the systems and repositories that govern or track the data itself. In parallel, they have deployed systems that alert on and identify devices that are acting suspiciously or are positively identified as having been usurped by professional crimeware, and that take immediate, automatic steps to restrict and cauterize the threat.

BYOD has forced a paradigm change in the way businesses approach and enforce security within their organizations. Security teams within organizations that continue to resist the adoption and use of personal devices (whether they be personal laptops, smartphones, tablets or an Xbox) are fooling themselves if they think they can hold back the tide. Security consolidation and threat alerting are the ropes they need to grasp.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft


We are trying to move to a… – Phil Howard – Apr 10, 2012 7:56 AM

We are trying to move to a model where personal devices stay just that, and devices for use with business purposes stay just that. We’ve just about reached the point of issuing a company laptop to all employees (with the policy rule to do company work only on the company laptop, and only company work on it). Now we need to do tablets and probably many phones. I think that will soon happen. But it can be cumbersome for people to carry around two smartphones. We’ll probably try to go with something smaller for company work, and probably limited to sales people and critical support techs. Developers may want to keep the laptops. It may just come down to “pick one” and “you can change it later”.

But there are risks (varying by industry) in letting people use personal or home devices for company work. You don’t want to be browsing customer accounts or accessing the DNS server on the same home PC that also gets used by kids that download games from everywhere in the world. There has to be a limit.

And certainly there are places within certain three-letter government agencies where personal devices will never be allowed. And many businesses (not just government contractors) will need to do likewise. Still, a tablet can be a great tool within the company to do things like data center maintenance work. Embrace, but be smart.

Silos of data – David A. Ulevitch – Apr 10, 2012 3:21 PM

Phil -- Separating devices does not work. Human nature tells us that the workers will find the shortest path to accomplishing their work. If they have a contact they need to email on their personal device, they will just email them from their personal email. What results is an ecosystem where you are stuck with the security upper-bound being based on the path of least resistance.
