Bob Lewis
Columnist

BYOD and the hidden risk of IT security

analysis
Apr 4, 2012 | 7 mins

When employees use personal devices for business purposes, too much security can create more risk than it prevents

Ben Franklin made the point, although with more commas than the AP stylebook would endorse: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

Over 250 years old, this epigram may still be germane to our ongoing discussion of BYOD (bring your own device): how IT should balance the “liberty” of the BYOD school of thought with the “safety” of needing to minimize corporate exposure to security threats.


The difference here is that our challenges are more prosaic than Franklin’s. What matters to us isn’t the moral aspect of liberty, only how to maximize the effectiveness of the organization and those who do its work. Passwords hold the key to understanding something fundamental about information security: Push any attempt to improve security too far and security will get worse, not better.

Passwords: A lesson in obscuring security

Here’s what we know about passwords: To make them more secure, they must be long and contain a mix of uppercase and lowercase letters, plus numbers, plus punctuation marks. If Blwx34$_beItly%(_nzqTB@!_phomc is your password, you’ve passed the test.

Here’s something else we know about passwords: The only case in which a single password will do is for internal systems, and only if IT has implemented single sign-on technology. Otherwise, to be properly secure, users must have a different password for every system and website that requires one.

We also know that writing down passwords is, from an information security perspective, a serious no-no.

Another piece of hard-won knowledge on the subject: Try to enforce the first two requirements and what you’ll get are users who write their passwords on Post-it notes. The more security-conscious among them will put it in their front desk drawer, away from prying eyes. The rest stick them to their computer monitors.

Try to enforce the third requirement too and the help desk will be eaten alive in password reset requests, and that’s pretending information security will have anything to say about the passwords users establish for external websites. The broader principle this exemplifies is why I usually don’t accept security and compliance requirements as a reason to restrict the availability of potentially useful technologies.

You can try. You might even succeed, and it’s even possible doing so will create more benefit than it costs in lost opportunities, but only if your company mostly employs obedient schleps.

Information security: Least resistance and perdition

What brought this to mind were some of the comments and correspondence I received in response to last week’s column, which contended that for the most part, BYOD happened in spite of IT when we should have been actively sponsoring it instead — a detail most companies can still fix.

Some of the less enthusiastic and approving comments expressed concerns about the consequences of both data theft and any failure to comply with the various regulatory regimes that require strong security. Far be it from me to come out in favor of data theft or regulatory noncompliance. No, no, no — you definitely want to protect your data and comply with the relevant regulations.

You just need to be smart about how you do so; when the subjects are information security and compliance, the path of least resistance and the road to perdition are one and the same. It’s how you join the Value Prevention Society — as pointed out last week, the easiest way to achieve information security perfection is to disconnect from the Internet, disable the USB ports, and otherwise do everything possible to make any transfer of bits from one computer to another impossible.

When it comes to bits, information security understands that every single one is a potential threat. In this respect, information security isn’t wrong, just as it’s true that from the perspective of personal safety, every human contact you make is a potential threat.

Most of us respond by trying to maintain a sane balance between prudent caution and an enjoyable social life. Those in the forefront of information security have started to take an equivalent approach. In particular, as an increasing amount of system access comes from outside corporate facilities — from teleworkers, business partners, and customers — the trend toward focusing on asset protection far more than hardening the perimeter is immensely important. That is, companies get a lot more security from encrypting database columns and laptop hard drives than from upgrading the firewall yet again.

Offline VDI: Liberty and safety

From a BYOD perspective, there’s another technology, now mature enough for prime time, that deserves your close attention: VDI, especially “offline VDI.”

In case you aren’t familiar with the term, offline VDI is just what it sounds like. It maintains a central image of each user’s virtual machine, but that image is downloaded to the user’s personal computer and executes there. Whenever the user reconnects to the corporate network, the server resynchronizes with it, uploading any changes (including data edits) made by the user while downloading any centrally administered alterations, such as software patches and antimalware updates.

Even without BYOD, most companies that plan to deploy VDI ought to make this their default approach, for a very simple reason: Offline VDI takes a fraction of the server capacity required by traditional VDI because you’re using the server to only administer the virtual machine image, not to run it. That means buying smaller servers and using less electricity.

Even if you don’t care about having a green data center, saving cold hard cash (the other green) with few or no trade-offs is something every CIO should want.

Add BYOD to the discussion and offline VDI becomes even more compelling because it eliminates the biggest concern information security has about employees using their personal device for business purposes. That way, you can erect a clean, high wall to separate the personal environment, which runs directly on the hardware, from the corporate environment, which runs on the virtual machine.

In turn, this leaves employees able to innovate and experiment to their hearts’ content in their own environment, while you’re able to control the extent to which their experiments make use of corporate information assets. And when they travel, they can bring a single physical machine, on which they can answer both their personal and business email, with no commingling. If they’re dedicated or on deadline, they can even work in flight, without having to pay for in-air Wi-Fi.

The risk to revenue

The larger point is this: Risk comes in two forms. Some risks are possibilities of increased costs; the remainder are risks of decreased revenue. The former gets the most attention because those are the ones that happen in big bites — and are the most visible.

But risks that lead to less revenue are arguably more important. They come in such forms as customer dissatisfaction, reduced innovation, poor collaboration among employees and with business partners and customers, and employee apathy.

Information security has, for the most part, focused its attention on the pitfalls of increased cost, which has led to its being one of the biggest sources of revenue risk. It doesn’t have to be that way, but it will be unless and until business leaders insist on alternatives to the traditional lock-’em-down-and-tie-’em-up so-called best practices — and the standards bodies that have until now taken such one-dimensional stances on what constitutes a best practice start to recognize the need for more balance.

They need, that is, to insist on inserting at least some liberty into the liberty/safety balance. As Ben Franklin recognized more than 250 years ago, it’s an uphill battle, and one that has to be fought every day.

This story, “BYOD and the hidden risk of IT security,” was originally published at InfoWorld.com.