Welcome to the SecAware blog

I spy with my beady eye ...

9 Feb 2012

BYOD security awareness - follow up

Having just released a brand new security awareness module on BYOD (Bring Your Own Device), we have been surprised (in a nice way!) with the level of interest this topic has generated for us, more so than, say, the cloud computing security awareness module we put out last April.

I've been pondering what's going on here.  What's so special about BYOD?  What makes BYOD security awareness sexier than cloud computing security awareness?

First off, BYOD is quite new.  The concept has been around for a while but as soon as it picked up the BYOD tag and started appearing in the computer press about a year ago, it has started to buzz.  In other words, it's a hot topic.  Well OK, but so is (and was, last April) cloud computing, so hotness alone is not enough to account for the differing levels of interest in these topics.  Strike one.

Second, "BYOD" is a distinctive, easily-searched term, so our awareness materials got some instant Web exposure purely by dint of using the term.  Great!  Cloud computing, in contrast, is not so distinctive.  Search for "cloud" and you'll find a lot of weather sites.  Search for "cloud computing" and there are plenty of commercial offerings out there, desperate to relieve your corporation of the contents of its IT budgets.  Search for "cloud security" and the field thins noticeably, putting it on a par with "BYOD" alone or "BYOD security".  So that's not quite it either.  Strike two.

Exploring "BYOD security" on the Web is a frustrating pastime. Most of the stuff that Google knows about is facile ("Like this blog item!" I hear you say), and nothing much is new or different.  The same few concepts are trotted out time and again.  And just like cloud computing, most of the 'security advice' pushed by the journalists, vendors and other pundits is to implement technical controls, or "solutions" as some insist on calling them.  Take for instance this short article in SC Magazine which talks about tiered mobile management functionality, broad platform support (which evidently means Android and iOS), and "mobile management solutions" (bzzzzzzzt, there we go, buzzzword bingo), or this piece concerning IBM's move into Mobile Device Management having consumed a minnow. Apparently Big Blue's MDM stuff helps achieve "policy compliance", by which I think they mean technical conformance with some sort of technical standard, not what I would call a policy.  But that's just me, being picky with the marketing droids as always.

So maybe, just maybe there is a merest hint that people might be looking for information on ways to tackle their BYOD security issues.  For some reasons, they either don't look or are satisfied with what they find from the big cloud vendors, but BYOD is a different ball-game.

Compared to technical controls, security awareness is conspicuously absent from most of the stuff Out There in Security Land, but that's a near universal finding, a truism if you like.  The main reason, I suspect, is that the firewall and antivirus vendors who have dominated the IT security industry for more than a decade have engineered the market, their oh-so-valued customers, to expect "technical solutions" to all their security issues, often implying that installing whizz-bang-software X or appliance Y will magically solve everything because, of course, they make $lots from selling X and Y to organizations that swallow their bait.  To be fair, WE run firewalls and antivirus software too - but to us, they and various other IT/technical controls are just part of a far more comprehensive suite of information security controls ... and mere commodities at that.  Can you honestly tell the differences between AV products from different AV vendors?  I bet in a blind tasting, you would be hard pressed to pick out your normal security solution from any other instant-security-in-a-box.

So perhaps that's the difference.  In cloud computing, the dominant vendors such as Amazon and Google already have a stranglehold on the market (both supply and demand sides) and can gloss-over the information security issues, selling their "solutions" to a receptive market on the strengths of their respective brands, and their sheer size.  Ask awkward questions about data ownership or confidentiality (including privacy) and no doubt the sales people start to fidget but then push back with scaleability, access from anywhere, and all that hand-waving that led to the term "cloud" in the first place. I suspect some cloud customers may not even appreciate the information security issues they are taking on: how many information security professionals have made the time to research the issues and timidly raise their hand from the back before the CIO confidently announces they are being 'outplaced to the cloud to save the company $loads!'?  How many have thought through the security implications of even the simplest of cloud services such as webmail and online backups?  We have, and they are scary.

But with BYOD, not only is information security a major concern but (as yet) there are no dominant vendors pushing their technical solutions down our throats, in other words there are no full-on sales pitches to displace those nagging questions from the back of the class about data ownership and confidentiality (including privacy).  Oh and compliance.  And copyright.  And all the other security issues that are associated with BYOD.  The issues are of no greater concern than with cloud, really (less in the sense that employers have the upper hand with their employees over what they do with their personal devices, while their relationships with the major cloud service providers are in a different league), but the technical solutions in BYOD, and particularly the vendors pushing them, are comparatively weak.

At least it gives those of us who believe in the value of human factors as much as technology a chink of light, an opportunity to remind organizations that there is more to security than just buying the shiniest technology from the pushiest sales creatures.  That BYOD security policies are not technical security standards.  That helping their staff, managers and IT pros understand, rehearse and polish their respective roles in the security show will actually make a difference to the performance.

Oh and by the way, even those shiny IT security gizmos have to be specified, designed, developed, tested, implemented, maintained, managed and, oh yes, used by PEOPLE.  Fallible humans, just like me.  People who create bugs in software, and misconfigure technologies, and disable or bypass controls that get in our way.  People who fail to appreciate that we are as much part of both the problem and the solution as the technology.

Gary (Gary@isect.com)

No comments:

Post a Comment