
BYOD Woes and Worries

Gunter Ollmann

Like the scene of a movie in which a biblical character holds back the mighty sea and is about to release the tide against his foes, BYOD has become a force of nature poised to flood those charged with keeping corporate systems secure.

Despite years of practice hardening systems and enforcing policies that restrict what can and can't be done within the corporate network, businesses are under increasing (if not insurmountable) pressure to allow a diversifying number of personal devices to connect to their networks and be used for business operations. Bring your own device (BYOD) is the most intrusive trend that security teams have had to face for quite some time.

Unlike other business changes over the years that caused security teams to reevaluate their policies (such as allowing remote users to VPN in to the corporate network or enabling webmail facilities for roaming users), BYOD is being driven by all levels of the corporate hierarchy simultaneously. And it's forcing new changes in the way organizations conduct business and seek to secure themselves.

BYOD is directly forcing the hand of security teams; and those that don't (or can't) accommodate the change are in for a very rough ride indeed.

Organizations that have embraced the approach — allowing employees to bring in their personal devices and engage with business systems — appear to have reaped rewards ranging from increased productivity, through to a lowering of capital expenditure within their IT departments. BYOD is affecting all walks of life. For example:

  • Out-of-hours system monitoring and alerting through Android applications that can be trivially loaded onto an employee's smartphone.
  • Larger pockets being added to medical staff's lab coats and smocks to accommodate the iPads they're increasingly carrying around.
  • Shared use of cloud storage facilities as employees jump back and forth between personal and corporate devices throughout the day.

Not all businesses have embraced a BYOD culture the same way. In the majority of organizations I deal with, the general security strategy is to treat the device as "untrusted" — typically only allowing the user of the device to connect to the Guest or dirty wireless networks and limiting access to those services or business applications that can ordinarily be accessed remotely (e.g. through a VPN). Meanwhile, a handful have gone 'whole hog' as it were, and are doing away with corporate supplied computing devices; instead they're offering to subsidize the employee's purchase and provide a list of "minimum" security standards for the device.

We are in a transitional period with respect to BYOD strategies and there is a lot of experimentation as organizations strive to achieve a new balance between security and convenience. As such, the security posture of an organization needs to take into account the continuous change going on about it. While it's been a common declaration within the security community that you can't protect the end-point from a determined attacker, as device ownership slips from the hands of the corporate entity into the hands of the employee, so too does the onus for protecting it.

For many organizations the frontline in security for the last two decades has been protecting computers with host-based defenses. Sure, there's been investment in perimeter defenses, but the war between the cybercriminals and their prospective victims has been happening within the operating systems, web browsers and applications of the end device. As such, with the end-point device slipping out of the control and oversight of corporate security teams, an added emphasis is being placed upon two critical security approaches — securing the core (centralized) intellectual property and data of the organization, and rapidly identifying devices that have already been compromised.

Organizations with a mature security strategy flexible enough to accommodate BYOD demands have pursued an approach in which it is assumed that the user's device is likely (if not already) compromised and under control of an external criminal entity. As such, they have myopically focused their attention on securing the servers that really matter to the business and are securing the system and repositories that govern or track the data itself. In parallel, they've deployed systems that alert and identify devices that are acting suspiciously or are positively identified as being usurped by professional crimeware, and take immediate, automatic steps to restrict and cauterize the threat.

BYOD has forced a paradigm change in the way businesses approach and enforce security within their organizations. Security teams within organizations that continue to resist the adoption and use of personal devices (whether they be personal laptops, smartphones, tablets or an Xbox) are fooling themselves if they think they can hold back the tide. Security consolidation and threat alerting are the ropes they need to grasp.

By Gunter Ollmann, Chief Security Officer at Vectra



We are trying to move to a Phil Howard  –  Apr 10, 2012 12:56 AM PDT

We are trying to move to a model where personal devices stay just that, and devices for use with business purposes stay just that.  We've just about reached the point of issuing a company laptop to all employees (with the policy rule to do company work only on the company laptop, and only company work on it).  Now we need to do tablets and probably many phones.  I think that will soon happen.  But it can be cumbersome for people to carry around two smartphones.  We'll probably try to go with something smaller for company work, and probably limited to sales people and critical support techs.  Developers may want to keep the laptops.  It may just come down to "pick one" and "you can change it later".

But there are risks (varying by industry) letting people use personal or home devices for company work.  You don't want to be browsing customer accounts or accessing the DNS server on the same home PC that also gets used by kids that download games from everywhere in the world.  There has to be a limit.

And certainly there are places within certain three letter government agencies where personal devices will never be allowed.  And many businesses (not just government contractors) will need to do likewise.  Still, a tablet can be a great tool within the company to do things like data center maintenance work.  Embrace, but be smart.

Silos of data David A. Ulevitch  –  Apr 10, 2012 8:21 AM PDT

Phil — Separating devices does not work. Human nature tells us that the workers will find the shortest path to accomplishing their work.  If they have a contact they need to email on their personal device, they will just email them from their personal email.  What results is an ecosystem where you are stuck with the security upper-bound being based on the path of least resistance.

Might be worth a read - IBM's BYOD Suresh Ramasubramanian  –  Apr 12, 2012 9:18 PM PDT


