BYOD security concerns: Perception vs. reality

If you take the same old heavy-handed approach to BYOD security, you can actually make the problem worse. IT must adapt and focus on data protection.

It's natural for IT pros and business managers to worry about BYOD security, but oftentimes their concerns are misplaced.

Matt Kosht

Without the right technologies and policies in place, a bring your own device (BYOD) program can undoubtedly lead to security breaches. If IT insists, however, on handling security the way it always has -- maintaining full control, locking down endpoints and so forth -- the problem could actually become worse. Successfully addressing BYOD security concerns requires a new approach, one in which IT and end users work together to enable secure productivity.

Matt Kosht, IT manager at Michigan-based SEMCO Energy, will speak about the perception and reality of BYOD security concerns at TechTarget's Modern Infrastructure Decisions summit in New York in April. In this interview, he discusses the importance of mobile data protection and the important role of BYOD policy.

What is the biggest difference between perception and reality when we're talking about BYOD security concerns?

Matt Kosht: The perception gap is pretty large. The IT perception is that BYOD can't be secure because IT doesn't dictate all aspects of the device. They don't control what software's on it. They don't control what kind of permissions it has, or even what kind of device it is. It's a major shift. Traditionally, they've always been the gatekeeper.

The reality is, you can secure it. It just requires different thinking.

Do most IT professionals equate control with security, and is that necessarily true when we're talking about BYOD?

Kosht: Most IT people do equate control with security. They think, "If I can control it, I can make those security decisions. I know more than the user does, therefore it's more secure."

The reality is, that's not the case. Control does not equal security. It actually is the opposite. The more control you put on a user, the more incented they are to get around your roadblocks. If users are forced to use a PC that's suddenly locked down, they might just pull out their iPad and do whatever they want.

In a BYOD setting, should the endpoint still be IT's top security priority?

Kosht: Is it the endpoint that's the most important thing? It's probably not. The data is really the asset you're trying to protect. The endpoint's just a way of consuming data.

You shouldn't ignore securing the endpoint. There are plenty of no-brainer things you can do, like device encryption, PIN locks and things like that, but the real thing you have to look at is data. If you start backwards from data and work your way up to the endpoint, you come up with a really different approach than you would if you started with the endpoint.

Can you take this data-first approach to security without taking away the features that make mobile devices so popular with users in the first place?

Kosht: It's really possible. A lot of this 'feature-neutering,' as I like to call it, is really kind of an overreach. Most IT departments -- I hate to say it, and I am in IT -- tend to want to punish the user. It's 'You picked BYOD. Boy, are you going to be sorry, because I'm going to lock this thing down to the point where you're not going to want to use it,' which really doesn't achieve what either side wants.

There has to be some compromise there. If users don't like what you do to their device, they're just going to end up creating this shadow IT and using whatever they want, and it's going to be in a way that really is not secure.

What are some of the technologies that can address IT's BYOD security concerns while also enabling users to be productive?

Kosht: Your enterprise Dropbox, things like [Citrix Systems'] ShareFile, allow you to set really granular permissions for what you can do with data, without necessarily leaving it on BYOD devices in some kind of insecure manner.

Desktop virtualization allows BYOD people to get to the corporate desktop without sacrificing how they would use the device in any other capacity. That keeps the data in the data center, where it's theoretically safer.

[Mobile device management], you can use it to secure the device if it's lost, enforce some policies on it. But users don't want really invasive uses of MDM. App wrapping is another thing you can do.

The lines between all these products are really blurring. Not any one of these things is a complete solution by itself.

How can IT and end users work together to maintain BYOD security?

Kosht: The very first thing is to define a policy. The key is that this doesn't happen in a vacuum. Users have a stake in this. They really don't want an onerous policy. IT, on the other hand, doesn't want a policy that's so loose that it could be abused. The business as a whole has to be involved. There are a lot of [human resources] concerns. There are a lot of laws that are applicable.

It's probably not good enough just to have a policy. You have to educate your users about how to protect data, no matter where they use it.

Join the conversation

13 comments
How does your organization treat BYOD security?

We need to look at BYOD differently than traditional IT.

Protect corporate data without the need to lock down the device while using the native mail app - www.letmobile.com

Great discussion! Loved reading through it. Matt, I completely agree with you about how IT should equate themselves to "control" and how mobile devices -- no matter who owns them -- can be securely enabled with a policy that defines what users can and cannot do with the corporate data on them. That last word, data, as you emphasize above, is key. IT is fully aware of the restrictions, constraints and regulations of their respective industries and hence they need to define app- and data-level policies, with less of a focus on the various devices being used. That is why MDM solutions don't cut it anymore when it comes to BYOD. IT needs to be better prepared to secure company apps and data no matter where they reside. Enter MAM.

Swarna Podila
Symantec

We will use MDM technology based on Kaspersky Security Center.

In BYOD, the main problem is endpoint control. Today, endpoint control at the desktop seems to be adequate.

In my axis, BYOD is not really taken care of; it is seen as a status symbol.

I think the discussion didn't touch any of the pain areas. HOW is still missing... Just having a policy is not the ideal solution. There has to be a different approach or method of implementing controls. Control does equate to security at times. Control gives you the freedom to enforce security; unless you control it, you can't talk of securing it.

The how, I agree, wasn't explored much in this short interview. Many have not even reached the define-policy stage. This should be done before implementing/considering solutions to drive the policy.

I would agree that control of DATA in the scope of BYOD would yield better security in that context. The point I am making is that by trying to control everything you end up controlling nothing. Users will just bypass. -Matt Kosht

Swarna, thank you and agree with you. Especially "That... MDM solutions don't cut it anymore when it comes to BYOD. IT needs to be better prepared to secure company apps and data no matter where they reside." Well put. -Matt Kosht

We ignore it, no policies guarding the use of personal devices yet.

Security and BYOD have many issues that IT departments have to deal with, and many companies are turning to expensive MDM systems like Centrify or secure SOX- and HIPAA-compliant texting apps like Tigertext. What I find interesting, and wasn't mentioned in the article, is that more companies are writing their own data security app for their employees. Tigertext now has a secure texting API called TigerConnect that companies are integrating into their own data security apps. Building their own data security/BYOD app for employees might be the wave of the future for many companies.