Wednesday, September 05, 2012

All BYOD threats are NOT created equal

I hold this truth to be self-evident (but I'll argue it anyway).

You can classify threats to business data on mobile devices (whether BYOD or not) depending on whether
  1. the employee initiates the process by which business data is put at risk
  2. there is malice involved in the above process, i.e. an active 'attack' against the data as opposed to inadvertent disclosure
Below is a taxonomy, with representative threats.

I will contend that the measures that IT should consider to stop/control each of the above categories may be different (though there will certainly be overlap).

For instance, to mitigate the risk of a well-meaning but naive employee moving corporate data onto a cloud service provider to help themselves 'get things done', IT need not immediately start thinking about encryption, keys, and containers. Arguably simpler would be for the enterprise to

  1. make sure employees are aware of corporate policy about such third-party applications, or
  2. prevent employees from installing the third-party native app (perhaps hard to reconcile with BYOD), or
  3. actually subscribe to a cloud storage service provider (hopefully chosen based on discussions with the oh-so-demanding CoIT-aware employees), and so bring this BYOC scenario back into IT's domain of control.

Similarly, while Lyle and Mary in the above may both be acting maliciously, it's clear that stopping Lyle is a different proposition (removing him from AD, revoking any extant tokens, etc.) than slowing down Mary (turning off phone features like the camera and screenshots, making her data access dependent on roles, monitoring access and watching for patterns, etc.).
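To make the "monitoring access and watching for patterns" part concrete, here is an added example (not code from the original post) of two checks a defender can run over document-access logs to spot the Mary case: accesses to document classifications outside a user's role, and a day whose download count is far above that user's own recent baseline. The log lines, user names, role directory and thresholds are all constructed for illustration and are not from the post.

```python
"""Flag suspicious document access in constructed audit logs (added example).

Two simple insider-risk checks:
  1. role checks  - a user opening documents tagged for a department they are not in
  2. burst checks - a user's daily download count far above their own recent baseline
All users, roles, log lines and thresholds here are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed role directory: which document classifications each user may read.
ROLES = {
    "lyle": {"engineering"},
    "mary": {"sales"},
    "dana": {"sales", "finance"},
}

# Constructed audit log: timestamp, user, action, document id, document classification.
SAMPLE_LOG = """\
2012-09-03T09:12:01 lyle download DOC-0102 engineering
2012-09-03T09:40:17 mary view DOC-2210 sales
2012-09-03T10:02:55 mary download DOC-2211 sales
2012-09-04T08:55:03 dana download DOC-3001 finance
2012-09-04T11:30:40 mary download DOC-2215 sales
2012-09-05T07:01:12 mary download DOC-2220 sales
2012-09-05T07:02:09 mary download DOC-2221 sales
2012-09-05T07:02:44 mary download DOC-2222 sales
2012-09-05T07:03:30 mary download DOC-2223 sales
2012-09-05T07:04:11 mary download DOC-2224 sales
2012-09-05T07:05:02 mary download DOC-4010 engineering
2012-09-05T09:15:00 lyle view DOC-0110 engineering
"""


def parse_log(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc, cls = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "doc": doc,
            "cls": cls,
        })
    return events


def role_violations(events, roles):
    """Return (user, doc, classification) for every access outside the user's roles."""
    return [
        (e["user"], e["doc"], e["cls"])
        for e in events
        if e["cls"] not in roles.get(e["user"], set())
    ]


def download_bursts(events, factor=3.0, min_count=4):
    """Return (user, day, count) for days on which a user's downloads exceed
    `factor` times their average over their other active days and are at
    least `min_count`, so a single extra download never trips the check."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            per_day[e["user"]][e["ts"].date()] += 1
    flagged = []
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0.0
            if count >= min_count and count > factor * baseline:
                flagged.append((user, day.isoformat(), count))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("role violations:", role_violations(evs, ROLES))
    print("download bursts:", download_bursts(evs))
```

On the constructed log, only Mary is flagged: once for pulling an engineering document her sales role does not cover, and once for a six-download morning against a baseline of one per day. The burst check compares a user against their own history rather than against peers, which is the simplest way to avoid flagging roles that are legitimately download-heavy.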

You can also categorize the security protections IT might apply. At a very high level, IT can

  1. stop business data getting onto the device (e.g. by ensuring only authorized employees can access and download it, or by never serving up actual data but only pixels, etc.)
  2. once data is on the device, prevent inappropriate viewing (by requiring a PIN on the device)
  3. once data is on the device, prevent inappropriate sharing (via encryption, disabling screenshots, etc.)
  4. once data is on the device, prevent it from inappropriately leaving the device (by preventing installation of third-party storage providers' native apps)
These different types of protection guard against different categories of threats shown in the diagram.

For instance, a PIN may not provide much protection against a determined and malicious attack (and none at all against Mary's dreams of sun), but it will surely help protect against the employee's daughter coming across sensitive product strategy during a chat session with her friend Brittany.