Bring your own X (BYoX)
We are all part of a technological revolution that is changing the way we interact with technology.
Why BYoX? Because the X can be ‘device’, ‘technology’, ‘phone’ or even ‘PC’. What the acronym really describes is a consumer-owned and consumer-managed electronic device being used in a business context. This basic confusion about its own identity has not helped frame the problem for organisations or legislators, who for the most part struggle with the concepts involved.
If we were to look at this subject in a broader context it becomes apparent that the person to blame for the whole BYoD (Device) movement is ultimately the late Steve Jobs, who brought us the shiny things we all love. In fact BYoD is linked to a much broader conversation around the consumerisation of IT and its ever increasing footprint in our everyday lives. If you really look at it, we are all part of a technological revolution that is changing the way we interact with technology.
We used to use technology as a tool to help us perform tasks at work; now we use technology to support our everyday existence, and if we extrapolate, it’s obvious to me at least that the future is BYoD.
So let’s look at the issue in its most basic form.
As an organisation you are allowing a device that you have no ownership of or control over inside your private networks, and providing it with access to your most sensitive data assets. Furthermore, you are then allowing this device to be totally mobile, able to traverse the organisation's information boundary without challenge or check on a daily basis.
Ludicrous, right?
The obvious solution to BYoD, therefore, based on this explanation, is to simply squash it and file it under ‘bad ideas I had after a few too many sherries’. Unfortunately, this is exactly the approach a large number of organisations have taken and, unfortunately, it simply does not work.
So let’s look at the consumer side of the BYoD argument:
As a consumer you like shiny things, you have shiny things at home, you are used to working with shiny things, and you understand that shiny things always work. When you come to the office they give you one of those dull grey things that always break, so your argument is why can’t I just use my shiny thing that always works? What is it with this company and dull grey things anyway?
It’s a fairly solid perspective: ‘my stuff works and yours doesn’t so let me use mine’. Welcome to BYoD!
Another longstanding argument you tend to hear is the ‘cost savings’. This one, I have to say, tends to originate with those purveying BYoD solutions, and in my own humble experience I have yet to see a company that makes any cost savings in the short to medium term, as the re-tooling costs to do it right simply offset any potential savings.
It’s hard to see a future where the device you use for everyday personal ‘life management’ is not also the same one you use for ‘business management’. Granted, the business side of life will be backed up with many other systems and applications, but your basic interface or window to the technological world will be the same.
So given this inevitability, it’s hard to understand how saying no to BYoD is anything other than burying your head in the sand. This is certainly an observation I have made again and again in countless organisations that ‘do not do BYoD’, yet when we actually take a real look and ask around, they very much do.
Facilitating BYoD properly, however, requires a fundamental shift in the organisation’s governance, architecture, platforms and software. It’s not just a ‘quick bolt on’ if you want to do it right and ensure the boundaries of your information stay where you want them to. In fact, BYoD is best suited to a redesign of your whole IT if you want to maximise the value from it.
This is why BYoD typically either completely fails, causes a massive security headache or fails to deliver on the massive cost savings you hear connected to it. A typical organisation’s approach to BYoD tends to follow a common path. First, someone important decides that their iPhone is better than their BlackBerry and that they only want to carry one communications device with them. IT responds by caving in to business pressure and allowing email onto the phone. Then the important user demands more data on their device, and more devices with their data.
Soon you have the critical assets of the company sitting on various devices outside your control, which drives the implementation of a ‘mobile device management’ (or MDM) platform. MDM is often billed as the saviour of BYoD, promising an all-encompassing solution that fixes the problem. Unfortunately it is just a small part of the overall solution required, but it is often considered the whole thing. MDM delivers key functionality that is part of the BYoD strategy, but additional considerations need to be covered. MDM assumes the device is portable, typically a phone or pad-style device, and provides key features such as data segmentation, application whitelisting, remote wiping and many other highly useful features for managing portable devices.
But what about all those other devices people want to use, like their MacBooks or their shiny Asus laptops? Even if your MDM can help with these devices, the fabric of your network will typically have been designed within a traditional architecture that assumes all devices on it are owned and trusted. BYoD breaks the fundamental basis of that architecture, and as such the very fabric of the infrastructure is wrong for it.
Then, let’s consider the governance in place: again, it is based on a set of principles that simply don’t exist in BYoD land, so all of the policy frameworks, control architectures and documentation are worthless. In fact, you now have to consider new issues with data ownership, and with monitoring devices and remotely deleting data that you may not entirely own.
So how do we fix it?
Well, quite simply, we start again from an entirely different set of principles.
- We do not trust the endpoint
- We provide individual corporate services
- We containerise data…
…there are more, but these three are a good starting point.
If we fundamentally don’t trust the endpoint and assume that it is compromised before we even start, then the way in which you provide it access to a corporate service such as email is fundamentally different to the traditional approach. Equally, the way you provision corporate services is fundamentally different as well. In fact, a lot of the principles you start to employ are borrowed directly from building online, internet-based systems instead of internal, corporate ones.
For instance, rather than making email available to the default email client on an iPhone or Android tablet, email is provided through a third-party sandboxed application instance such as ‘Good’ from Good Technology. Here the email is totally sandboxed from the end user's device, yet the user has access to it seamlessly. That way, if the device is compromised, lost or stolen, access to the actual email data is restricted in such a way that it is not possible to compromise it.
Equally, if that same user wants to access corporate email from their MacBook, rather than allowing that device to plug into the corporate network, it can be connected to an isolated BYoD network that has access to the internet and limited access to a ‘virtual desktop infrastructure’ (or VDI) platform. VDI providers such as VMware or Citrix allow an entire corporate desktop instance, or specific corporate applications and services, to be provisioned in a seamless, containerised and controlled way to any device.
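The three principles above (do not trust the endpoint, provide individual corporate services, containerise data) and the isolated BYoD network with a VDI broker described in this paragraph translate into a simple default-deny policy. The following Python model is an added illustration, not code from the article or from any of the vendors it names; the address plan (10.50.0.0/16 for the BYoD segment, 10.10.0.0/16 for the corporate network, 10.10.5.20 as the VDI broker, 10.50.0.53 as the segment's resolver) and the flow-log lines are constructed for the example. It evaluates each flow from a personal device and shows that the only path into the corporate network is the VDI broker over TLS, that devices cannot talk to each other inside the segment, and that everything else is denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption for this example, not from the article).
BYOD_NET = ip_network("10.50.0.0/16")     # isolated segment for personal devices
CORP_NET = ip_network("10.10.0.0/16")     # internal corporate network
VDI_GATEWAY = ip_address("10.10.5.20")    # VDI broker exposed to the BYoD segment
BYOD_RESOLVER = ip_address("10.50.0.53")  # DNS resolver dedicated to the segment


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow leaving a personal device.

    The endpoint is treated as untrusted: nothing is reachable unless a rule
    below explicitly allows it, and the corporate network is reachable only
    through the containerised VDI service, never directly.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in BYOD_NET:
        return ("deny", "policy applies to BYoD segment sources only")
    # No lateral movement between personal devices inside the segment.
    if dst in BYOD_NET and dst != BYOD_RESOLVER:
        return ("deny", "no device-to-device traffic inside the segment")
    if dst == BYOD_RESOLVER and flow.proto in ("udp", "tcp") and flow.dport == 53:
        return ("allow", "DNS to the segment resolver")
    # The single corporate service offered to the segment: the VDI broker over TLS.
    if dst == VDI_GATEWAY and flow.proto == "tcp" and flow.dport == 443:
        return ("allow", "VDI broker over TLS")
    if dst in CORP_NET:
        return ("deny", "corporate network reachable only through the VDI broker")
    # General internet access for the personal device, web ports only.
    if dst.is_global and flow.proto == "tcp" and flow.dport in (80, 443):
        return ("allow", "internet web access")
    return ("deny", "default deny")


# Constructed flow log: timestamp, source, destination, protocol, destination port.
FLOW_LOG = """\
2024-05-01T09:00:01 10.50.3.17 10.50.0.53 udp 53
2024-05-01T09:00:02 10.50.3.17 10.10.5.20 tcp 443
2024-05-01T09:00:03 10.50.3.17 10.10.20.8 tcp 445
2024-05-01T09:00:04 10.50.3.17 93.184.216.34 tcp 443
2024-05-01T09:00:05 10.50.3.17 10.50.3.99 tcp 22
2024-05-01T09:00:06 10.50.3.17 10.10.5.20 tcp 3389
"""


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow-log line into a Flow."""
    _ts, src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def audit(log: str) -> list:
    """Evaluate every line of a flow log; returns (flow, verdict, reason) triples."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        results.append((f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto}", verdict, reason))
    return results


def denied_flows(log: str) -> list:
    """Convenience view for a reviewer: only the flows the policy rejected."""
    return [entry for entry in audit(log) if entry[1] == "deny"]


if __name__ == "__main__":
    for summary, verdict, reason in audit(FLOW_LOG):
        print(f"{verdict:5}  {summary:35}  {reason}")
```

The ordering of the checks is the point: the BYoD-segment and device-to-device tests come first so that a personal device can never be used as a stepping stone, the VDI broker is matched before the blanket corporate-network deny, and the final line denies whatever no rule has named. Running the policy over the constructed log denies the direct SMB attempt at 10.10.20.8, the SSH attempt at a neighbouring personal device and the RDP attempt at the broker on a port the service does not offer, while DNS, the VDI session and ordinary web browsing are allowed.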
In short, there are many solutions available to do BYoD well, and in fact the best example of BYoD I have ever seen is Cisco. It operates a global BYoD platform by default, so when you join, you get a voucher to go and buy yourself a new laptop of your choice and access to all corporate assets is through some of the techniques I have discussed.
So BYoD is possible, it can be highly beneficial, and one thing for sure is it cannot be ignored. Trying to sum up BYoD in a thousand words or so is near impossible, so there are literally hundreds of details missing from this, but hopefully it’s enough of a basis to get you thinking and starting to ask the right questions. I do recommend reading through the government’s guidance on the subject from CESG. It’s pretty good.
Jay Abbott - managing director, Advanced Security Consulting Ltd