Thursday, December 13, 2012

Why industry will move away from the MDM way of securing BYODs, and why privacy intrusion will be a much bigger concern than information security



Before I say anything, let’s see what people say about it. Here are the results from a recent (2012) Harris survey that looked at exactly this issue. The survey revealed that employees are alarmed about employers’ ability to access and collect personally identifiable information through business-owned or employee-owned mobile devices.

The survey concluded that employees are overwhelmingly concerned and would not want employers to have this access into their personal lives. The following summarizes what employees said about the issue:
  • 82% consider the ability to be “tracked” an invasion of their privacy
  • 76% would not give their employer access to view what applications are installed on their personal device
  • 75% would not allow their employer to install an app on their personal phone which gives the company the ability to locate them during work and non-work hours
  • 82% are concerned to extremely concerned about their employers tracking websites they browse on personal devices during non-work time
  • Only 15% are not at all concerned about employers tracking their location during non-work time

And this is what a US customer had to say:

“Privacy concerns are a major challenge for MDM and BYOD, as we found out at our hospital. We were looking to bring in a larger MDM system, but the doctors (who own the hospital) felt it was too intrusive since they all wanted to use their own devices, but didn’t want IT to have total control over them. Still, they wanted the ability to send HIPAA compliant patient info (mostly text messages) to admin and other doctors. We changed our strategy and started looking for individual apps to deal with the various security issues and the doctors didn’t feel it violated their ‘privacy’ which made it acceptable to them.”

If you look at today’s mobile device management solutions, they have simply replicated how traditional IT used to work, and that worked well. But there is a difference: then, IT owned the device; today, with BYOD, IT does not. The rule is, “if you don’t own the device, you can’t dictate everything that is done on that device”. So enterprises have to look at the whole issue of BYOD security afresh.

With BYOD there is also a new issue that needs to be addressed: privacy. Installing a client on a BYOD for monitoring should be a strict no-no, considering all the privacy concerns it brings with it. Whether the enterprise actually monitors the devices during off-office hours is a separate issue, but the very concept of an employer-provided monitoring client sitting on their device will bother the privacy-concerned employees, who according to the survey are north of 80%.

It is not just privacy; you need to look at the legal aspect too. Many MDMs give IT the ability to track the location coordinates of the device. In some countries there are privacy laws which prohibit this: not just doing it, but even having the ability to do so.

BYOD is bringing in a new era of consumerization of IT. The devices belong to the employees, and so do the apps that connect to the enterprise applications, servers and databases. What IT should look into mainly is the security aspect of all this. What IT should never do is compromise the privacy of the employees, which in my opinion will be a much bigger issue (at least in legal bills) than information security. This is where a new, holistic way of thinking is the need of the hour as far as BYOD security is concerned. In this new thinking, I believe one should follow the data and not the device. It is a hard problem, but technology can help here, and one should use it to make sure all features and controls are implemented in such a way that we don’t need a client sitting on the BYOD (the easy way out) and there is no intrusion in any way into the privacy of the employee: in particular, employees are in no way tracked, be it their location or their cyber trail, during their non-office hours.

That’s why I think the industry will move away from MDM and toward an agentless way of doing security that treats employees’ privacy as of utmost importance, which will move the security focus from the device to the data and the applications, where it really belongs.
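To make “follow the data, not the device” concrete, here is an added illustration (not the author’s code and not any MDM product’s): a server-side access decision that releases or redacts records based on the data’s sensitivity and the request context the enterprise legitimately controls (authenticated user, role, which enterprise channel is used, whether the transport is encrypted). It consults nothing about the personal device: no agent, no installed-app inventory, no location. The record set, roles, channel names and field names are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. patient records in the hospital story above


@dataclass(frozen=True)
class Record:
    record_id: str
    sensitivity: Sensitivity
    fields: dict


@dataclass(frozen=True)
class Request:
    """Enterprise-controlled request context only; there is deliberately
    no device id, OS version, app inventory or location attribute."""
    user: str
    role: str        # "clinician", "staff", ... (constructed roles)
    channel: str     # "enterprise_app" (the company's own app/API) or "web"
    encrypted: bool  # TLS on the transport


# Fields stripped from a CONFIDENTIAL record before it leaves the server over
# any channel other than the enterprise's own app. This is a per-data rule,
# not a per-device one. (Constructed field names.)
REDACT_OUTSIDE_ENTERPRISE_APP = {"ssn", "diagnosis"}


def decide(req: Request, rec: Record) -> Optional[dict]:
    """Return the fields to release (possibly redacted), or None to deny.
    Decision is driven by the data's classification, never by the device."""
    if not req.encrypted:
        return None                                   # plaintext channel: deny
    if rec.sensitivity is Sensitivity.PUBLIC:
        return dict(rec.fields)
    if rec.sensitivity is Sensitivity.INTERNAL:
        return dict(rec.fields) if req.role in {"staff", "clinician"} else None
    # CONFIDENTIAL: clinicians only; full record via the enterprise app,
    # redacted copy via anything else.
    if req.role != "clinician":
        return None
    if req.channel == "enterprise_app":
        return dict(rec.fields)
    return {k: v for k, v in rec.fields.items()
            if k not in REDACT_OUTSIDE_ENTERPRISE_APP}


def audit_line(req: Request, rec: Record, released: Optional[dict]) -> str:
    """Audit record of who touched which data. It carries no device
    identifier or location, so the log itself cannot become a tracking trail."""
    outcome = "deny" if released is None else f"allow(fields={sorted(released)})"
    return (f"user={req.user} role={req.role} channel={req.channel} "
            f"record={rec.record_id} {outcome}")


# Constructed sample data for a stand-alone run.
PATIENT = Record("pt-001", Sensitivity.CONFIDENTIAL,
                 {"name": "J. Doe", "ssn": "000-00-0000", "diagnosis": "redacted-sample"})
MEMO = Record("memo-7", Sensitivity.INTERNAL, {"subject": "rota change"})

if __name__ == "__main__":
    for req in (Request("dr_a", "clinician", "enterprise_app", True),
                Request("dr_a", "clinician", "web", True),
                Request("nurse_b", "staff", "enterprise_app", True),
                Request("dr_a", "clinician", "web", False)):
        print(audit_line(req, PATIENT, decide(req, PATIENT)))
```

The point of the example is what is absent: every input to the decision is something the enterprise owns or authenticates itself, so the same policy protects the data whether it is reached from a corporate laptop or a doctor’s own phone, and there is nothing on the device to install, inventory or locate.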

Manjunath M Gowda
“Got BYOD? Get control…agentless”
