Original article can be found at 10-steps-for-writing-a-secure-byod-policy-7000006170
Fashionable article, remotely!
I am not touching the other 9-10 steps, as we all know THEY ARE REQUIRED – and they are required in operational security discipline in general today, not just for BYOD. Though the article focuses heavily on mobility, it raises a few interesting points worth sharing more widely as well. (I’ll call it ‘mobility’ here to distinguish it as just one area of endpoints.)
I’ve been ‘checking’ the phenomenon called BYOD inside and out for some time now, and my verdict on the application stack provided on top of current technologies to make ‘BYOD’ happen, safely and by the policy as they claim, is NO – BYOD cannot be made any more secure than the base it runs on.
However, I do have to say – YES, BYOD is happening – unfortunately on very unsolid ground. So I also believe there is a need for proper operational security management and for good discipline to maintain it.
I believe qualities such as providing more responsiveness depend pretty much on the organization’s business and its tendency to utilize technology in its operations. What I am totally against is that ‘new and complex challenge’ – Sir, here YOU are WRONG! The issues surrounding the security of ‘BYOD’ are age-old and exist even now with corporate desktops, cellphones and other devices. The same issues will accumulate through the BYOD world and leave organizations standing on two crippled legs on hazardous, unsolid ground.
A large share of the security issues organizations currently encounter are in one way or another related to endpoint vulnerabilities and the misuse of them.
How do you push a security policy to someone’s own device, mobile or laptop, while the base is not secure at all? Doesn’t that corrupt the policy itself and render it unusable? How do you then measure the effectiveness or KPIs of such a policy once implemented?
One thing I agree with, and highly appreciate, is that you’ve put cloud services such as Dropbox on display. Taking Dropbox as an example, I was recently in discussions with their people about data security within Dropbox; well, it’s not encrypted. That violates the idea that “data at rest is encrypted”.
So yes, this is just one example of a place where private and “secure” corporate data get mixed up together. However, no BYOD solution solves the issue.
Unfortunately the whole thing, having all the fruits (mine, the company’s, the crowd’s) in the same basket, makes things go dramatically wrong. Whatever vendors promise YOU, it is going wrong, it will be expensive and it will create an unparalleled information security management paradigm that you do not want to be involved in. There is NO WAY that the requirements, even with basic safety controls, can be implemented with any of the BYOD concepts in the wild.
So what to do – well, here is a glimpse of the thoughts I am building at the moment:
Create an imaginary ‘enclave’ that surrounds your device, mobile or stationary. Now imagine putting one enclave inside the device so that it is ‘stretched’ from the cloud service(s) provided by distinct service providers. The whole environment you are using inside the enclave is your corporate environment, with its rules and policies, MDM capabilities, etc. Let’s even assume that the whole enclave is loaded onto the device. There may be several isolated enclaves within your device, at least two; the second one is for private stuff.
That is where we should go; that is the way to operate securely, on current desktops and in ‘BYOD’, mobile and stationary alike. Virtualization technology allows this.
I am going through all this in more detail in an article to be released in the near future, where I am going to deliver my insane arguments against the current theorem in the wild and introduce, potentially, a way (a “model”) to dismantle the discussion around BYOD.