Tuesday, June 5, 2012

ATR: BYO Mobile

It's been a while since I posted last. The iPad experiment continues with varying degrees of success. I haven't completely given up bringing the laptop home, but it certainly stays in the office a lot.

I'm now looking at my cell phones. As some of you know, I'm seldom found without two phones on my hip. One is the personal phone; the other is the work phone. Some of you likely have heard me talk about why I carry two phones, with the punch line being, "I know what my forensics guys can do." My stance to this point has been that I wanted to keep my personal life apart from my work life. Problem is, in this day and age of smartphones, it is quite hard to do. Android phones prefer a Gmail account in order to function properly, and that means the work phone has my personal Gmail account on it. And with smartphones, even a couple of short generations apart, there is a lot of redundancy. That said, my personal phone is newer and more capable. And with two phones, I have to buy Bluetooth devices that come with dual pairing capability so I can use both phones in the car.

The work phone is about two and a half years old. It is the first Droid. In cell phone terms, it is geriatric. It is somewhat flaky, and periodically needs a factory reset to behave. I keep taking apps off that phone since my personal phone is more useful to me. Now I could go and have the company buy me the latest and greatest, but I'm finding that I don't use the work phone much for phone calls and it seems like a waste of resources simply to have that quasi-separation of personal from corporate. I'm always going to carry my personal phone around with me, so why have to carry two? Just carrying the personal phone also means carrying one phone charger and only having to find a single outlet in a hotel room. It makes for a little less spaghetti in the computer bag.

We're in the process of looking at our BYO policies and the associated risks. My mindset is changing as I spend time thinking about the issues. For quite a while, the concern has been that litigation would mean turning over a phone for forensic examination. That would mean that personal data could get exposed. In some cases, that might be embarrassing and disruptive. But it seems that cell phones are seldom requested in our litigation. And honestly, I would expect that an opposing attorney determined to take a look at a cell phone is also going to subpoena all mobile devices for examination and likely manage to convince a judge that even the target's personal devices should be examined.

The next risk area is loss of corporate intellectual property. While cell phones and tablets can hold a remarkable amount of data, I can go buy a two terabyte hard drive and walk out the door with much more data than I could manage to get from a mobile device. There is certainly a risk, but the risks from other portable / concealable devices are much greater. That said, mobile devices that contain ActiveSync enabled email can generally be wiped by the user or a corporate email administrator with a couple of mouse clicks. So if a device goes missing, it is a relatively simple matter to delete the email from the device (although in most cases, the device will be subject to a factory reset, wiping all personal data from the device as well). That is a significant difference from other portable storage devices. Organizations with a much lower risk tolerance for theft of data will likely ban cell phones and tablets, as well as other storage devices.

Our focus right now is on risks associated with malware. As the hackers out there seek softer targets, they will write more malware designed for cell phones and tablets. The risks here are several-fold: 1) loss of credentials -- loss of your login ID and passphrases that would enable a hacker to get access to your accounts; 2) eavesdropping -- the concern here being the ability for a hacker to listen in on phone conversations or use the phone as an eavesdropping device (while the average employee is not likely to be a target, executives are the biggest concern); 3) leveraging a trusted account -- an attacker taking control of a cell phone or tablet could use the email accounts, IM, or other communications to contact other employees and pass along malicious links or malware-infected attachments that look authentic.

At the same time, I'm not really keen on nuking an employee's phone when they leave, regardless of what the employee agreed to when they signed up for BYO. It seems a little excessive to be that disruptive when all we want to do is kill off the email account. That said, software that creates separate "containers" for corporate and personal data is not inexpensive, and given many competing priorities, is it worthwhile to invest in this software simply to not tick off a former employee? Certainly one argument would be that if the employee is saving the company the cost of the device and service, perhaps the company could deploy some software to preserve the employee's data.
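The two situations above (a lost device versus a departing employee) map to different administrator actions on the Exchange side. The following is an added example, not something from this post or from any vendor's documentation, written for an Exchange 2010-era Exchange Management Shell; the mailbox address, the notification address and the Exchange version are assumptions, and the cmdlets are used with parameters I know those versions expose.

```powershell
# Added example (not from the original post). Assumes an Exchange 2010-era
# Exchange Management Shell session with rights over the mailbox in question.
# The mailbox and notification addresses below are placeholders.
$mailbox  = 'departing.user@example.com'   # placeholder
$notifyTo = 'security@example.com'         # placeholder

# 1. Inventory every ActiveSync partnership the mailbox currently has, so the
#    administrator knows which devices hold synced corporate mail.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices |
    Select-Object DeviceFriendlyName, DeviceType, DeviceModel, LastSuccessSync |
    Format-Table -AutoSize

# 2. Departure case: cut off mail without touching the device.
#    Disabling ActiveSync on the mailbox stops all future syncs; removing the
#    device partnerships clears the server-side records. The phone itself is
#    left alone, so the employee's personal data survives.
Set-CASMailbox -Identity $mailbox -ActiveSyncEnabled $false
foreach ($d in $devices) {
    Remove-ActiveSyncDevice -Identity $d.Identity -Confirm:$false
}

# 3. Lost-or-stolen case: remote wipe. On this generation of Exchange the wipe
#    is a full factory reset of the device, personal data included, which is
#    why it is reserved for a device that has actually gone missing.
#    The line is commented out so the script is safe to run as-is.
# Clear-ActiveSyncDevice -Identity $devices[0].Identity -NotificationEmailAddresses $notifyTo
```

Two caveats worth keeping in mind when deciding between steps 2 and 3. Cutting off sync does not remove the mail already cached on the handset; it only prevents the device from receiving anything new, so a departure handled this way relies on the employee's cooperation (or a container product) for what is already on the phone. And later Exchange releases added an account-only wipe (`Clear-MobileDevice -AccountOnly`) that removes just the Exchange data rather than resetting the device, which is essentially the "kill off the email account" behaviour this post is asking for.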

Clearly, every organization has different risk tolerances. Many organizations will find it inconceivable to consider ever allowing a personally-owned device to hold corporate information, regardless of protections, software implementations, policies, and agreements. That's understandable. Certain geographies with restrictive data privacy laws will also find use of personal devices to access corporate data problematic. But I would expect that many organizations will move quickly down this path, with some less thoughtful than others. Point being, of course, that the organization needs to think the issue through and consider its risk tolerance thoroughly.

In my case, I've moved the email container (Touchdown) to my personal phone, along with my RSA soft token. I understand the risks personally, but I'm ok with them. That may change. But the Droid will get nuked in the next few days. And I'll let my forensic guys see what they can do with a nuked cell phone.

More thinking on this topic to follow.