It's natural for IT pros and business managers to worry about BYOD security, but oftentimes their concerns are misplaced.
Without the right technologies and policies in place, a bring your own device (BYOD) program can undoubtedly lead to security breaches. If IT insists, however, on handling security the way it always has -- maintaining full control, locking down endpoints and so forth -- the problem could actually become worse. Successfully addressing BYOD security concerns requires a new approach, one in which IT and end users work together to enable secure productivity.
Matt Kosht, IT manager at Michigan-based SEMCO Energy, will speak about the perception and reality of BYOD security concerns at TechTarget's Modern Infrastructure Decisions summit in New York in April. In this interview, he discusses the importance of mobile data protection and the role of BYOD policy.
What is the biggest difference between perception and reality when we're talking about BYOD security concerns?
Matt Kosht: The perception gap is pretty large. The IT perception is that BYOD can't be secure because IT doesn't dictate all aspects of the device. They don't control what software's on it. They don't control what kind of permissions it has, or even what kind of device it is. It's a major shift. Traditionally, they've always been the gatekeeper.
The reality is, you can secure it. It just requires different thinking.
Do most IT professionals equate control with security, and is that necessarily true when we're talking about BYOD?
Kosht: Most IT people do equate control with security. They think, "If I can control it, I can make those security decisions. I know more than the user does, therefore it's more secure."
The reality is, that's not the case. Control does not equal security. It actually is the opposite. The more control you put on a user, the more incented they are to get around your roadblocks. If users are forced to use a PC that's suddenly locked down, they might just pull out their iPad and do whatever they want.
In a BYOD setting, should the endpoint still be IT's top security priority?
Kosht: Is it the endpoint that's the most important thing? It's probably not. The data is really the asset you're trying to protect. The endpoint's just a way of consuming data.
You shouldn't ignore securing the endpoint. There are plenty of no-brainer things you can do, like device encryption, PIN locks and things like that, but the real thing you have to look at is data. If you start backwards from data and work your way up to the endpoint, you come up with a really different approach than you would if you started with the endpoint.
Can you take this data-first approach to security without taking away the features that make mobile devices so popular with users in the first place?
Kosht: It's really possible. A lot of this 'feature-neutering,' as I like to call it, is really kind of an overreach. Most IT departments -- I hate to say it, and I am in IT -- tend to want to punish the user. It's 'You picked BYOD. Boy, are you going to be sorry, because I'm going to lock this thing down to the point where you're not going to want to use it,' which really doesn't achieve what either side wants.
There has to be some compromise there. If users don't like what you do to their device, they're just going to end up creating this shadow IT and using whatever they want, and it's going to be in a way that really is not secure.
What are some of the technologies that can address IT's BYOD security concerns while also enabling users to be productive?
Kosht: Your enterprise Dropbox, things like [Citrix Systems'] ShareFile, allow you to set really granular permissions for what you can do with data, without necessarily leaving it on BYOD devices in some kind of insecure manner.
Desktop virtualization allows BYOD people to get to the corporate desktop without sacrificing how they would use the device in any other capacity. That keeps the data in the data center, where it's theoretically safer.
With [mobile device management], you can secure the device if it's lost and enforce some policies on it. But users don't want really invasive uses of MDM. App wrapping is another thing you can do.
The lines between all these products are really blurring. None of these things is a complete solution by itself.
How can IT and end users work together to maintain BYOD security?
Kosht: The very first thing is to define a policy. The key is that this doesn't happen in a vacuum. Users have a stake in this. They really don't want an onerous policy. IT, on the other hand, doesn't want a policy that's so loose that it could be abused. The business as a whole has to be involved. There are a lot of [human resources] concerns. There are a lot of laws that are applicable.
It's probably not good enough just to have a policy. You have to educate your users about how to protect data, no matter where they use it.