Risks of BYOD
A BYOD article that I was reading on the net started “BYOD is becoming a rule rather than an exception.” That set me thinking. Really? How many of the large corporates that I have worked with allow BYOD? Surprisingly (or unsurprisingly, if you wish) None. I looked at the article again. It is written by a company that sold MDM (Mobile Device Management) software. Now, I am sure the article was written in good faith by honest and unbiased people, but I want to explore a bit more.
As you can see, I am not exactly the biggest supporter for BYOD. However, as a security professional, I do understand the pressures faced, especially from top management. So, I tried to look practically at this entire BYOD conundrum to see if I could clear the smoke a bit. The key point I want to focus on are the risks in BYOD (You can take the consultant out of consulting, but you cannot take the consulting out of the consultant) and the organization can decide for itself.
- Theft/Loss of device - The first problem that comes to mind.
From an organization’s point of view, the hardware costs are no problem at all. “You own the device, you lose the device. We really don’t care.” What they are worried about is the data loss.
- What if the user has downloaded organization’s critical data on his phone?
- What if he has set the device to ‘remember’ logins to corporate networks and applications?
- What if he has not set a complex password to unlock the device?
These are of course, the first risks that come to mind. Most MDM companies have decided to address it. The effectiveness of things like ‘remote wiping’ is still suspect (what if the thief does not use the phone but connects it to a laptop for data transfer?, what if the device is rooted/jailbroken?), but there is a solution at least.
- The mobile and the cloud - Dig deeper for more dirt
How do you setup your mobile device for the first time? If you are on Android, you use your Gmail ID and if you are an Apple fanboy, you use your Apple ID. All further interactions are linked to that single ID. As an end user, if I buy my own device, I would definitely configure it with my personal ID (with the state the economy is in, one never knows when you might have to quit your job). If I configure additional information like mail, access to applications and organizational instant messengers, I can configure to save it on the cloud (iCloud or Google Drive). Since I want access to my key documents from anywhere, I would probably install Dropbox as well. Organization information is all over the place.
- Insecure applications - The feral little (ad-based) rogues sitting on my phone
Mobile applications are surprisingly easy to make and publish. There are countless applications available today that collect your data and do some sort of analysis on it (or worse). These apps could potentially send all your corporate information to your competition. A form of control suggested by MDM vendors is to create an enterprise app store and provide ‘approved’ apps. This is fine if the organization has provided the device to the employee. We are talking about BYOD. I would not want anyone dictating whether I can play Angry Birds or Fruit Ninja on my own device.
- Admin login - Can never get rid if that…
You can mandate all the controls for a mobile device, but the owner of the device is still an administrator. He can choose to follow or not follow any of the controls that you may levy. After all, isn’t the administrator some sort of a demigod who is omnipresent, omniscient and omnipotent? If you deny a user administrative rights on his own device, what is the motivation to BYOD? In fact, the organization should be lucky if they are not sued.
If the perceived benefits (notice the use of the word ‘perceived’) are more than the risks, an organization can choose to implement BYOD. Interestingly, I have never come across any benefit except vague, unmeasurable terms like ‘increases productivity’, but hey, to each his own.