BYOD Security Concerns: Does IT Protest Too Much?

Mobile security concerns about bring-your-own devices are overblown, says an IT security expert in this Q&A.

The bring-your-own-device phenomenon, or BYOD, has really stirred up the hornet's nest in the enterprise, particularly among CIOs. They're worried that BYOD gives too much control to employees and may even be the beginning of the end for IT.

Some CIOs are countering the BYOD effect by drafting severe user policies that lead to legal wrangling over privacy rights. People with a stake in the corporate IT game point out that BYOD's lack of adequate security measures puts sensitive corporate data at risk.


And then there's John Mensel, director of security services at Concept Technology, a 10-year-old IT consulting firm serving midsized companies. He should be leaning hard on the side of IT in the political turmoil caused by BYOD. Instead, he's telling anyone who'll listen to calm down. talked with Mensel about BYOD's real security issues and what BYOD means to the future of IT.

What are the key concerns that you've seen about BYOD and privacy?

Mensel: BYOD has been creeping into our clients' consciousness for the last few years. It's only been in the last six months that people have been caring and worrying about it. I'm talking about smartphones and tablets.

The key difference there is the phone number. My business phone number and my personal phone number are extremely valuable property. People have been calling my business phone number for 10 years. If that number changed, I'd have a big problem.

(For more, check out BYOD's Phone Number Problem.)

A prototypical case is where a salesperson brings his or her own device. Their prospects and contacts are calling them on their personal phone number. When they leave your company, the phone number is leaving, too. This is the single biggest argument in favor of the business providing the device to people who are high profile. I just don't think there's any exception.

There are workarounds, such as Google Voice, call forwarding and others that let your BYOD smartphone receive calls from two different numbers. Can this solve the problem?

Mensel: Sure, if you want to commit to the administrative overhead of managing all of that. In all of the cases where this has been an issue with our clients, we've just said, "Provide the employee with the device so that you have control over it and there's no ambiguity."

In an enterprise that has already committed to BYOD in a large scale, it's a different proposition. They're talking about a huge savings.

(For more, check out BYOD: If You Think You're Saving Money, Think Again.)

We're touching on the topic of virtualization on the smartphone or tablet, basically enabling separate areas for business and personal apps and data. Do you think this is where BYOD is going?

Mensel: It's a really cool idea, and you can solve an immense number of problems. But until it works on iOS devices, it's not useful. The whole point of BYOD is that people can bring whatever they want. It's central to the value proposition. A substantial portion of the time, it's going to be an iOS device.

Until those mobile hypervisors work on iOS, which isn't going to happen anytime soon, it's a non-starter.

John Mensel, director of security services

There's an alternative to virtualization that offers many of the same benefits. Here's what we've been doing: A client has an application that we have to put a lot of strict security protocols around. But a few principal users need to access it from a mobile device. Well, we use terminal services with SSL-based VPNs wrapped around it.

It's been a really good solution. The user can call up a remote desktop and access the privileged data. It's just the remote desktop protocol, so it works brilliantly on iOS devices as well. You can implement it with technology that 99.9 percent of the companies already have. Most IT folks already understand this at a deep level.

It's cheap, fast and secure.

Security seems to be a hot topic when it comes to BYOD. I often hear the standard response of remote wipe. But this isn't really security management, right?

Mensel: We advise our clients to tell their employees that, in the event the device is lost or stolen, they'll remote wipe it. I know that's a contentious point with lots of legal issues surrounding it.

But in our market space, a lot of our clients aren't able to make huge investments in things like MobileIron where there's really granular control. The wipe-your-device policy provides a lot of blanket protection for everybody. You need to have a kill switch.

That said, I think you've really hit the nail on the head. If you have to remote wipe a device to prevent a serious security breach, you've already lost.

Almost all of the really severe security problems surrounding mobile devices can be mitigated through basic network security and data protection. Your most critical data, such as customer credit card numbers, need to be locked away behind another layer of security protocols.

If you have to wipe a mobile device because someone was able to download a database of your client's social security numbers onto it, then the problem isn't the mobile device. Your security policy is out of line anyway.

Another problem with remote wiping a mobile BYOD is that the employee will lose personal data, too, right? That's why lost or stolen devices aren't reported to the IT department right away.

Mensel: I don't necessarily agree with that, at least the part about not wanting their personal stuff wiped. We could take all 40-something personal mobile devices that my engineering team owns and throw them into a pit of lava. I don't think we'd lose a shred of essential data.

Sure, there would be some inconvenience. We'd have to buy new phones, punch passwords back into them, and synch them up with our iTunes libraries. But smartphones and tablets allow you to view and interact with data that lives elsewhere.

If people are keeping personal data on their smart devices, and that's the only place where the data lives, then they're not using the device properly.

I've heard about some companies having BYOD user policies that forbid employees from using iCloud.

Mensel: If you want to have a draconian user policy, the company needs to own the devices. I don't think it's appropriate for a company to say, "You have to bring your own device, it's your responsibility, but you have zero control over it."

I know a lot of companies that will and do abuse that, but I wouldn't work for them.

Companies want to have the cake and eat it, too. They want all the advantages of BYOD, like not having to make huge investments to outfit their people with really nice technology, and want it locked in a set of steel hoops.

Sorry, you have to pick one or the other. If you want total control, then you supply the device.

(For more, check out BYOD: Time to Adjust Your Privacy Expectations.)

There's a lot of hand-wringing over the BYOD mobile security threat, yet I haven't run across any doomsday cases. Is this "threat" being blown out of proportion?

Mensel: I'm at odds with many of my security-minded brethren. Yes, it's being blown way out of proportion.

We've been dealing with this same problem for years, only worse with laptops. I can hardly think of a better method for stealing data or introducing viruses into a company network than connecting a laptop to it over a VPN.

A laptop is a much more flexible tool for causing damage than a tablet or smartphone will ever be.

Sounds like the BYOD mobile security threat is a red herring by IT. Why is IT so worried?

Mensel: I keep hearing people asking, "Is the consumerization of IT the end of IT as we know it?"

A friend of mine who managed the Rackspace cloud mentioned to me over beers that guys like me will become obsolete in three years. Everything is going to be in the cloud.

Yeah, we're going to be getting out of the business of doing day-to-day desktop support. But our business is going to turn into the business of providing people with interfaces that they can plug their devices into. We'll be facilitating interfaces.

Slideshow: 10 Coolest Tech Devices to Bring to Work

In a traditional model, there's a desktop with a bunch of applications installed on it—all of which are configured by IT. It's a very tightly controlled environment.

Now we're moving to a consumerized environment where the user owns the interface. At this point, IT is providing data feeds and interfaces. The vast majority of applications my team has deployed over the last few years wasn't Exchange or SQL Servers, but Web applications.

IT's role is shifting away from supporting desktop applications to serving up interfaces, whether they be Web-based, Java apps, Flash apps, or things you get in an app store.

Tom Kaneshige covers Apple and Consumerization of IT for Follow Tom on Twitter @kaneshige. Follow everything from on Twitter @CIOonline and on Facebook. Email Tom at

Copyright © 2012 IDG Communications, Inc.

Learn how leading CIOs are reinventing IT. Download CIO's new Think Tank report!