Recently, I had an email conversation with Brian Tokuyoshi, senior product marketing manager for Palo Alto Networks, about BYOD security in general and about the challenges of using a multi-layered security approach in particular.
BYOD security is a much-discussed topic, but I also believe it is a constantly evolving issue. Regularly, new technologies enter the market that access the company network or store corporate data. Operating systems are regularly upgraded. Even the number of devices used for business purposes is constantly in flux.
So it isn’t surprising that Tokuyoshi said the hallmark of a good BYOD security plan is its flexibility:
"Any solution that requires an all-or-nothing approach to either what the business needs or what the user wants is doomed to fail. Neither is likely to deliver a BYOD policy that everyone can live with. You're either telling everyone what they can do with their own personal mobile device (great for the company's needs, but not great for the employee) or you're letting the employee do whatever they want with company applications and data (great for the employee's freedom of choice, but not good for the company's ability to control risk). The challenge comes from deciding just how to balance the scale between security and employee freedom on a device the company doesn't own."
This balance may be found by providing choices for BYOD participation, but, Tokuyoshi pointed out, these choices have to present a fair exchange.
"At one end of the spectrum, yes, I can understand why I can't access an application if the company doesn't know how safe my device is. So in order to participate and get greater access, I have to accept that I need to accept the security the organization needs. Employees, when presented with a fair choice, feel empowered to get the access they want rather than prevented from doing their job. I believe a lot of BYOD programs fail on this point. Companies that try to force their will upon the user end up with unhappy users that still have unmet needs: they still want to use mobile devices, and they'll often find very creative ways to do it."
Tokuyoshi added that some of the biggest challenges that organizations face with security involve applying granular security using contextual information about specific applications, users, content and devices. This can be tough to do because many of the security products on the market and in the network don’t speak this language. For example, policy engines can’t make a decision on criteria they can’t evaluate.
In a future post, I will continue my coverage of the conversation with Tokuyoshi and discuss his opinions on the need for and challenges involved with developing the multi-layered approach to BYOD security.