Why Is Bring Your Own Device (BYOD) So Hard?

This is not going to be about the legalities, policy, or privacy issues surrounding BYOD; that has been covered many times over in articles like this one, “Why almost everyone gets it wrong about BYOD” by Brian Katz. I would hope that you are fully aware that regular information security policies do not cover the use of personal devices, and that you have established appropriate policies accordingly.

What I will be focusing on is a) the risk-based approach, b) some musings on current ‘solutions’, and c) my thoughts on a possible technology solution.

A lot of these so-called BYOD solutions focus on the communication channels, secure browsing, malware protection, and/or Mobile Device Management. All of them miss the major point, which is the risk to data at rest. Do you really expect your employees to VPN into some kind of proxy just to browse the Internet? Or how do you expect people to sign up to having their phone entirely erased if they lose it?

The issue is that not one mobile application, I repeat, not ONE, works at the Operating System (OS) layer in a way that prevents jailbreaking. Any encryption of either the data channels or the data itself is performed by software running on top of the underlying OS. Jailbreaks work AT the OS layer, meaning that any functionality of the application is immediately at risk, including any encryption keys.

Charles Henderson says it better than I do: “Is Your Mobile App Safe?”

So BYOD is not about keeping your data from being stolen, you can’t; it’s about agreeing on what you are prepared to lose, and what to do if (when) that happens. So instead of throwing ineffective technologies at the problem, you have to go back to basics and look at Role Based Access Control, data classification, retention policies and so on. You should even question whether or not the cost savings and assumed productivity enhancements associated with BYOD are really worth the effort.

In other words, if you do decide to proceed, assume that whatever your employees are downloading on their phones and tablets is now available to everyone, and implement your BYOD solution accordingly.

I would argue that you are probably better off educating your employees to never put confidential information in emails than you are trying to control how they use / abuse their personal phones.

I believe that there is currently only one way to perform BYOD securely; in a hardware module.  If you accept that you cannot perform authentication / encryption safely at the application layer, and that you will likely never have access to the underlying OS (iOS for example), then you are left with hardware.

The hardware module would perform several functions:

1. Authentication – Once the module is plugged into the mobile device, it establishes a secure channel back to home base to perform whatever form of authentication you choose (LDAP, username/password, certificate, even biometrics). All encryption keys are kept on the hardware device.

2. Encryption – Seeing as the keys are on the hardware device (some form of mini-HSM perhaps), you can leave the encrypted data on the mobile device when it is not being used for work-related applications.

3. Storage – The hardware module could also be used to store all work-related data, with the mobile device providing nothing more than a communications channel.
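As an added illustration (not code from the post), here are the three module functions above simulated in Python: the enrolment secret, the class and method names are my assumptions, and HMAC-SHA256 in counter mode stands in for the AES a real mini-HSM would use. The point it shows is that the phone only ever holds ciphertext and a challenge response; no call path returns a key.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not the post's code: authentication, encryption and
# storage handled so that keys never leave the module. HMAC-SHA256 in counter
# mode replaces AES only because the standard library ships no block cipher.

class HardwareModule:
    """Plug-in module: owns the keys, answers auth challenges, encrypts/decrypts."""
    def __init__(self, enrol_secret: bytes):
        # Keys are derived once at enrolment and never exported (no getter exists).
        self._auth_key = hashlib.sha256(b"auth|" + enrol_secret).digest()
        self._enc_key = hashlib.sha256(b"enc|" + enrol_secret).digest()
        self._mac_key = hashlib.sha256(b"mac|" + enrol_secret).digest()

    def answer_challenge(self, nonce: bytes) -> bytes:
        # 1. Authentication: prove key possession to home base without revealing it.
        return hmac.new(self._auth_key, nonce, hashlib.sha256).digest()

    def _keystream(self, iv: bytes, length: int) -> bytes:
        blocks = [hmac.new(self._enc_key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
                  for ctr in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        # 2./3. Encryption and storage: the phone keeps only iv || ciphertext || tag,
        # which is all a jailbroken OS dumping the phone's storage could recover.
        iv = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(iv, len(plaintext))))
        tag = hmac.new(self._mac_key, iv + ct, hashlib.sha256).digest()
        return iv + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # reject a blob altered on the phone
            raise ValueError("ciphertext tampered")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(iv, len(ct))))

class HomeBase:
    """Corporate side: holds the enrolled module's auth key and issues challenges."""
    def __init__(self, enrol_secret: bytes):
        self._auth_key = hashlib.sha256(b"auth|" + enrol_secret).digest()

    def verify(self, module: HardwareModule) -> bool:
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self._auth_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(module.answer_challenge(nonce), expected)
```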

The form factor for the hardware module could be something that is already very common, the phone case / battery charger, like this for example:

[image: Screen Shot 2013-07-08 at 16.43.01]

Or it could be something like this that has many connection types:

[image: Screen Shot 2013-07-08 at 16.46.01]

There are many things to work through, and perhaps the most significant is that this module would literally have to jailbreak / hijack the mobile device before it could have the kind of control needed to enforce the BYOD policies. Easy enough on Android/Windows, but I’m fairly sure Apple would have issues; they have already totally screwed the ancillary device market with their Lightning adapter. I know Apple are also working on a secure embedded SIM technology, but I really don’t see how it can perform the above functions in something so small, and they haven’t even seen fit to add Near Field Communications (NFC) chips to their iPhones.

Thinking ahead, this may not be a viable solution for all businesses: you still have to purchase hardware, and the centralised management station would have to perform everything an MDM does, but for the hardware modules rather than the mobile devices. However, for government, government contractors, military and so on, perhaps the encryption aspect alone would be of interest?

Who is currently best placed to corner this particular market? I think POS / terminal manufacturers like Verifone, Ingenico, or Micros would be contenders. They already have manufacturing capability, HSM technology, small-form storage modules, OS and mobile communications expertise, etc.

All they would really need is deep expertise in the specific mobile technologies covering the majority of the smartphone / tablet market: Apple, Android, Samsung, maybe even BlackBerry. I’m guessing those skill-sets are not too hard to find.

Clearly there is a lot more to it than I have mentioned here; I do want to keep something back for collaboration opportunities 🙂

What are your thoughts?  What have I missed?  Is this viable?

One thought on “Why Is Bring Your Own Device (BYOD) So Hard?”

  1. Take a look at the solutions from Good Technologies, they can enforce policies such as password/pin, prevent screenshots etc etc without requiring a jailbreak. Devices such as the yubikey can enable a managed authentication with a degree of hardware security if desired – no jailbreak required. There is even one that supports NFC and works with NFC enabled androids.

    Combine:
    Sandboxing, and enforced device policy such as – Good Technologies
    Secure, hardware authentication – yubi key.
    Wireless internet in the office, requiring VPN back to corporate systems – can be authenticated and NACd

    Suddenly the cost saving of letting people use their own stuff is negated by all the additional controls.
    Support has to take a position, support the sandbox, the device, the sandbox and the device, the user, or you’re on your own.

    Although I don’t know what all the fuss is about; ISPs have been letting people bring their own devices forever… let’s all start running our networks like them.
