I swear I could write about BYOD and the potential security problems every day for the foreseeable future. But I have to wonder if we are approaching the risks in the wrong way.
A new study by managed cloud services provider NaviSite found that while 80 percent of 700 IT decision makers agree that BYOD is the “new normal,” only 45 percent have a formal BYOD policy in their workplace.
That number is awfully low when you consider that even though BYOD is being thought of as the “new normal,” it isn’t exactly a new concept. After all, employees have been using personal computers and laptops for business purposes since long before there were mobile devices. And mobile devices have now been around in the workspace for several years.
The NaviSite survey also looked at the acceptance of Desktop-as-a-Service (DaaS) and discovered only 51 percent were considering DaaS as a solution to access data from their mobile devices, even though DaaS could be a solution to BYOD risks. As eWeek pointed out:
According to the survey, 68 percent of respondents said they were very concerned or extremely concerned when thinking about securing enterprise data on employee mobile devices-- one of the biggest concerns facing IT executives with BYOD policies is securing company data. Despite an extreme concern over security, only 18 percent of respondents said they had considered BYOD a motivator for implementing DaaS.
If enterprise is going to be slow to implement policies and technology that could improve BYOD security, we may have to look to the devices themselves to step up the security efforts. Apple – not exactly known for its security innovations – may be doing just that. The next version of the iPhone is expected to include a fingerprint sensor. Brendon Wilson, director of product management at Nok Nok Labs, explained in an email note how this could help improve security on the phones and, in turn, help BYOD security:
It's an improvement because it combats a major source of security risk associated with passwords, namely password re-use. Users routinely re-use passwords across multiple sites, which places them at increased risk when their password is compromised - immediately every account at other sites where they used that password is essentially compromised. Fingerprint authentication eliminates this risk - you authenticate to the device, and the device authenticates you to the service using a cryptographic key (assuming you use something like the FIDO Alliance's forthcoming protocol proposals).
It won’t be the perfect solution, Wilson added, saying that when you add the biometric sensors, attackers will attempt to figure out how to steal fingerprints off surfaces, off devices, or how to have malware attack the underlying hardware to steal credentials. He also stated:
It would be a mistake to think fingerprint scanning is the final word in authentication. What's really required is an authentication solution that can shift as devices incorporate new capabilities and "just work" with your applications seamlessly. That's the one advantage passwords have right now - everywhere you go, every device you use, there is some way to enter a password.
It won’t solve everything, but it is a start, especially in an atmosphere where enterprise is slow to implement better security practices. Anything is better than nothing.