InfoWorld - Security Adviser: Why BYOD scares me

/Home/Internet Security: Blogs/Internet Security: InfoWorld blog/InfoWorld: Security Adviser 2012

BYOD is an epic battle in the ongoing war of usability against security -- and usability is winning out

By Roger A. Grimes
JULY 03, 2012

This is part one in a two-part series.

Make no mistake, BYOD is a huge paradigm shift. It's an epic battle in the ongoing war of security versus usability. And usability is winning.

This battle carries major security implications. I've yet to meet the end-user who wants to be bothered by authentication, from CEOs to low-level employees to my own daughters. No one wants to fuss with a log-on of any type. They'll accept security as long as it doesn't get in their way. Every CEO I've encountered has asked me to get rid of nagging password log-ons so that they can get down to real business.

The inherent promise of BYOD is that it will have less security. Think about it. Users say they want -- no, need -- BYOD because it makes their worklife easier. What do they mean? It isn't just the form factor; we've had small-form-factor computers for a long time. It isn't usability by itself because no one can tell me how the browsing and computing experience improves once the browser is fired up in any platform. The browser on my mobile device works the same was as on my full-featured computer, albeit possibly in a less functional, slower manner.

No, what BYOD means to the average user is escape: Escape from the security enforced upon them by their organization. No more controlling what applications they run. No more controlling their browser settings. No requiring proxies, antivirus, firewalls, or anything else that can get in their way. The average new BYOD user seems miffed that they have to enter a PIN. They want instant-on and instant access at all times. Who can blame them? Freedom is great.

Security has always been about restricting freedom and/or usability in some way, no matter how small. Security wants to limit a user's choices in the name of trying to prevent easy compromise, and end-users have fought us the entire way. It doesn't help that our battle for security hasn't resulted in significantly less malicious hacking (though I shudder to think about how bad it would be without security controls).

To the average user, BYOD means "my device, my way." And that scares me.

Click the URL above to read the full article