roger_grimes
Columnist

Why BYOD scares me

Analysis
Jul 03, 2012 | 11 mins
Access Control, Careers, Data and Information Security

BYOD is an epic battle in the ongoing war of usability against security -- and usability is winning out

This is part one in a two-part series. Check out the second installment, “How to have BYOD and security, too.”

Make no mistake, BYOD is a huge paradigm shift. It’s an epic battle in the ongoing war of security versus usability. And usability is winning.

This battle carries major security implications. I’ve yet to meet the end-user who wants to be bothered by authentication, from CEOs to low-level employees to my own daughters. No one wants to fuss with a log-on of any type. They’ll accept security as long as it doesn’t get in their way. Every CEO I’ve encountered has asked me to get rid of nagging password log-ons so that they can get down to real business.


The inherent promise of BYOD is that it will have less security. Think about it. Users say they want — no, need — BYOD because it makes their worklife easier. What do they mean? It isn’t just the form factor; we’ve had small-form-factor computers for a long time. It isn’t usability by itself because no one can tell me how the browsing and computing experience improves once the browser is fired up in any platform. The browser on my mobile device works the same way as on my full-featured computer, albeit possibly in a less functional, slower manner.

No, what BYOD means to the average user is escape: Escape from the security enforced upon them by their organization. No more controlling what applications they run. No more controlling their browser settings. No requiring proxies, antivirus, firewalls, or anything else that can get in their way. The average new BYOD user seems miffed that they have to enter a PIN. They want instant-on and instant access at all times. Who can blame them? Freedom is great.

Security has always been about restricting freedom and/or usability in some way, no matter how small. Security wants to limit a user’s choices in the name of trying to prevent easy compromise, and end-users have fought us the entire way. It doesn’t help that our battle for security hasn’t resulted in significantly less malicious hacking (though I shudder to think about how bad it would be without security controls).

To the average user, BYOD means “my device, my way.” And that scares me.

Choice complexity

First, the sheer number of possible devices and platforms means they will likely be unmanaged (or at least less managed) as compared to their predecessors. I covered the reasons to have managed devices in a previous column. Managed computers allow an organization to ensure that end-users employ some form of authentication, are using some form of encryption, have some sort of antimalware software running, and patch the device and software — ensuring some basic security defenses have been enabled.

Unfortunately, the vast number of devices and platforms means that whatever management options you come up with are weakened by the fact that no single solution supports all devices. For example, suppose you have picked virtual desktop integration (VDI) as the way to protect your data. With VDI or remote access, the data never really leaves the other machine. That’s great, and it works in all sorts of scenarios. But VDI solutions only work on a few models, and a minor device upgrade might require a whole new VDI solution.

Worse, more platforms and devices mean that the supporting IT group must come up to speed on the platform and its security benefits and risks. Each additional device and platform becomes another domain that must be learned.

Even if you don’t plan to manage your consumer devices (to many, this is the only solution), then you must make sure the device can successfully connect to your network, access the appropriate applications, and so on. Few organizations, when they say end-users must fully support their own devices, truly mean that. And each different device increases support costs.

A lot of BYOD strategies give up on management and tout “data-centric” protections. What does that even mean? If data is eventually represented on an endpoint device — and it is — then any comprehensive data defense strategy must include endpoint considerations.

To see the validity of that statement, it helps to take the argument to extremes. Assume your company has the world’s most valuable data and your users have access to a wide variety of devices, including the strongest- and the weakest-secured devices in the world. The weakest devices have no security at all, not even a log-on PIN. Would it be sane to allow your company’s most strategic and valuable data to be hosted or viewed on the world’s most insecure device? I assume you said no; if so, you don’t favor a data-only defense either. If you said yes, I’d love to do some penetration testing on your environment.

Even if all you’re doing is telling end-users what devices they can and cannot use to access your data, you’re doing more than “data-centric” defense policies. Let’s call data-only defense policies what they are: crap. We all need to have some control, across a spectrum of choices, over the mobile devices used to access private data.

Failure to learn

It’s not like we took all the successful computer security lessons of yesterday and applied them on the new platforms. First, we’ve failed to fix most of the previous security problems. Even the best, most highly consulted solutions, like IPSec, DNSSEC, and IPv6, languish in relative obscurity after more than a decade of attempts at wide deployment. Malware and hacking are worse than ever.

Second, we appear all right with letting the old lessons reoccur on the new platforms. We’re getting mobile malware, spam, authentication bypasses, and every old trick that worked on traditional PCs seems to work on BYOD items. Let me ask: Is there any threat that can happen on traditional computers that cannot currently be replicated on BYOD and mobile devices?

Not that I can see. The only thing that saves us from even more malicious hacking on the newer platforms is that they’re woefully underpowered compared to traditional computers. Try editing gigabytes of video on your mobile device, running huge spreadsheets, or connecting to dozens of mapped network drives — you might be able to do it, but it won’t be nearly the same experience.

We’re in a rest period right now. BYOD is gaining popularity, but within a year or so, the devices coming out will be capable of running heavy applications and storing heavy data. When they do, the hackers will be attacking them just as much as PCs.

New worries for security

But all of the above is old, easy stuff to mention. What’s new that is scaring me? Here’s a sampling:

Global IDs. We’re quickly becoming a world of global IDs, whether Google IDs, Live IDs, OpenAuth, WS-Trust/SAML, or some other uber ID identity scheme. The misuse of global IDs scares me the most in the BYOD world. Should I let someone’s Google ID or Live ID integrate into my corporate Active Directory account? Is the same protection that protects my cloud-based email appropriate for what guards the crown jewels of the company? Probably not.

Right now, most ID providers are responding by trying to keep applications of different sensitivity from being accessed by the same ID. For example, in Windows 8, you can use your Live ID to access some cloud products and even log on to your Windows 8 desktop and profile. But a Live ID will not give you access to Active Directory-protected assets. This is great, and it’s the correct decision for the time being.

But it’s likely that all global IDs will spread out over time and access more items, including in some cases their designers never anticipated. Standards will be extended, and security will come under stress. But the biggest problem is that we don’t know how the various interactions will play out because most people will have multiple global IDs — on the same devices and between different devices. We have not started to scratch the surface of what multiuse, multidevice global IDs mean for computer security. Here’s hoping the researchers and implementers get it figured out ahead of the malicious hackers.

Application-centric IDs. Another big difference is that most of these global IDs will be handled and secured by all participating applications. Right now, you probably log on to your traditional computer with a single ID that allows access to every (or nearly every) application on your desktop. Fast-forward a few years and you’ll probably have different applications using different global IDs. The security of each ID will come down to how well the application protects that ID from unauthorized reuse and theft. In a multiuser global ID scenario, the strength of that authenticator is only as strong as the weakest link. We already see some of the early examples of this when people reuse the same log-on names and passwords between multiple websites. BYOD will make this standard practice.

Data commingling. We all hear stories about someone accidentally putting private company data onto their spouse’s BYOD device. All the user did was let their spouse plug into their laptop’s USB connection to charge up, and lo and behold, they synchronized their company’s data with their personal data.

Or how about a company managing a device when the item contains both corporate and personal data? If the device is owned by the user and contains both types of data, how can the company be assured that its controls won’t deny access or wipe personal data when it was trying to control business data?

Legal questions. This leads us to legal questions that have yet to be answered. Every BYOD project I’ve been involved with comes up with good legal inquiries that leave everyone in the room shaking their heads. If you don’t have a legal team involved in your BYOD project, now’s the time.

Another related legal issue is jurisdiction. Suppose your BYOD employee takes your data to a jurisdiction that doesn’t have the same data protection and privacy laws as your region. Many times at a country’s borders (this applies to the United States as well), your constitutional rights and normal data protection laws do not apply. Don’t agree? Then you don’t get to enter that country or even reenter your own country.

People don’t care about BYOD security

My last major issue with BYOD devices is that many of the people who own and want those devices just don’t care about the security issues. They don’t care about the privacy issues, losing their identity (the bank will fix everything — they think), and the company’s data is the company’s problem.

If you want to see what I mean, suggest imposing the same password policy you have for the company’s normal computers on the BYOD item. Most BYOD users want four-character PINs, no complexity, or simple finger swipes. News flash: An L-shaped finger swipe can be easily guessed. A client’s employee was logging onto the first picture-swipe password protection slate I saw when someone across the room, without a direct line of sight, came over and told him his exact motions. I was floored — I’ve never seen it done so easily with a PIN or password.

Did that employee change the log-on method? Of course not. And he works in computer security. He didn’t even change the swipe motion. Many people don’t care about computer security, and BYOD is making it worse.

BYOD scares me. But tune in next week, when I’ll tell you my BYOD solution.

This story, “Why BYOD scares me,” was originally published at InfoWorld.com.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
