Tuesday, March 06, 2012

In BYOD We Trust?

Brian Katz argues that, if you are focused on protecting enterprise data rather than the devices that data might be sitting on, then BYOD isn't such a big deal - because the device itself fades into the background, and so whether the employee bought it or the enterprise did doesn't matter.

Feels similar to the enterprise not stipulating that employees MUST install a home security alarm system if they are bringing corporate data home on weekends.

Things are a lot simpler with a shift in focus to the data rather than the device. Here's my list of security requirements:
  1. Ensure that mobile apps can access only enterprise data appropriate to the employee using it
  2. Protect data in transit
  3. Protect data at rest
  4. Delete data when necessary
Things are even simpler if you don't allow the apps to store data on the device - #3 and #4 go away (and the MDMish implications). Trade-off is not allowing your CEO to adjust fonts on PPTs while in the air.

(Of course, 'not allowing apps to store data on the device' probably means tinkering with the binary.....)

#2 is easy.

#1 implies that the app, in requesting data from enterprise or cloud servers, can somehow indicate to the server the employee in question. More and more, OAuth 2 is the default choice for achieving this. The native application gets an OAuth token that reflects the employee's identity & roles, and presents that token on a RESTful API call to get data.

Consequently, #1 is really about ensuring that
  1. the application can securely obtain a token that reflects the employee's identity
  2. the API can make the right authorization decision when it sees that token included on API calls
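
As an added illustration of those two halves of #1 (my own sketch, not code from Brian's post or any real product), here is a small Python model of the issuer minting a token that carries the employee's identity and roles, and the API verifying that token on each call before deciding whether the employee may read the requested record. The HMAC-signed token format, the shared secret and the record-to-role table are constructed stand-ins for a real OAuth 2 access token and policy store.

```python
import base64, hashlib, hmac, json, time

# Secret shared by the token issuer (authorization server) and the API
# (resource server). Constructed value for this example, not a real key.
ISSUER_SECRET = b"example-shared-secret-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(employee: str, roles: list, ttl: int = 3600, now: int = None) -> str:
    """Issuer side: mint an HMAC-signed bearer token carrying the employee's
    identity and roles (a simplified stand-in for a real OAuth 2 access token)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": employee, "roles": roles, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, now: int = None) -> dict:
    """API side: reject malformed, tampered or expired tokens before any
    authorization decision is made. Raises ValueError on failure."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

# Constructed sample data: which roles may read which enterprise records.
RECORD_ROLES = {
    "sales/q1-forecast": {"sales", "finance"},
    "hr/salaries": {"hr"},
}

def api_get_record(authorization_header: str, record_id: str, now: int = None) -> tuple:
    """Handler for GET /records/<id>: takes the Authorization header sent by the
    mobile app and returns (HTTP status, body). Only verified claims feed the decision."""
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(authorization_header[len("Bearer "):], now)
    except ValueError as e:
        return 401, {"error": str(e)}
    # Unknown records are treated like forbidden ones, so the API does not
    # reveal which record ids exist to callers who may not read them.
    if not set(claims["roles"]) & RECORD_ROLES.get(record_id, set()):
        return 403, {"error": "role not permitted"}
    return 200, {"id": record_id, "reader": claims["sub"]}
```

The point of the split is that the app never tells the API who the employee is; only the issuer's signature on the token does, and the API's decision is made per call from those verified claims.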
So, as much as I love the BYOD acronym, I agree with Brian that it likely has a short lifetime.
