MY TAKE: The death of BYOD; how mobile security has impacted enterprise security

By Byron V. Acohido

Just five years ago, BYOD – Bring Your Own Device – was a rising security concern attracting an inordinate amount of attention.

Fast forward to today and BYOD has faded as a buzzword. However, employees’ use of mobile devices and web apps remains as big a security concern as ever.


Acohido and Smith

Companies and government agencies are addressing this exposure by taking advantage of technical innovations and by embracing practices that might surprise you.

I had the chance to visit with Gregg Smith, CEO of Silent Circle, at Black Hat 2017 in Las Vegas. Co-founded by a former Navy SEAL and a couple of networking technology pioneers, Silent Circle launched in 2012 to introduce the “Blackphone,” a highly locked-down smart phone and supporting platform.

The company has since extended that platform to work with Android and Apple smartphones. Here are a few takeaways from our discussion:

Blackberry redux

Concerns about BYOD jumped to the fore in 2010 as workers took to bringing their personal smartphones to work, eager to tap into the explosion of web apps – for social-networking and entertainment, but also to collaborate and become more efficient at their jobs.

Companies really didn’t know what to do with employees connecting their personal devices to the enterprise network. There was a movement to implement Mobile Device Management systems; MDM enabled administrators to oversee mobile devices much like desktop PCs.

More recently, companies have been steadily transitioning to issuing and requiring use of company owned devices, Smith told me. “Essentially, they’ll buy a device, give it to the employee, and then ensure that any enterprise applications that the employee uses is locked down to a certain extent,” Smith says.

If that sounds familiar, you might be recalling how the federal government, at one point, moved to address BYOD by issuing locked-down Blackberries to key officials, including President Obama. The difference today is that companies typically allow employees to pick between a company-issued Android phone or iPhone, within certain parameters.

A common pattern with Android, for instance, is that companies will provision only certain models. Samsung’s Galaxy models, using Knox security technology, are a popular choice. “Knox does a decent job of creating security on the Samsung devices,” Smith says, adding that the Korean electronics giant has done a “decent job” emulating the iPhone’s approach to security.

Android vs. iPhone

A concurrent development over the past half decade: Google’s Android OS has become the global market leader, far surpassing Apple’s iOS, though the iPhone remains very strong in the U.S. Combine Android’s ubiquity with its open platform approach, and what you get is the full attention of hackers.

“It’s much easier to get into an Android device than an iPhone itself,” Smith says. “There are many, many variations of Android, as opposed to the iPhone which is built by one company only, and they build the device from the ground up.”

Blackphone2

Smith is quick to add that the iPhone is far from immune to hacking, and has, in fact, been hacked many times. “But there are so many flavors of Android out there with so many device manufacturers that it just creates a much larger threat surface than what you see with the iPhone,” he says.

Like desktop and server PC operating systems, mobile device OSs are intrinsically full of vulnerabilities, making regular security updates imperative. However, because of the nature of mobile devices, implementing patches has become problematic for Android and iOS.

There is the fundamental question of who should bear the primary responsibility for issuing – and installing – patches in a comprehensive manner. Should it be Google and Apple, or the handset manufacturers or the ISPs? Staying current on security patches, for older phones and new ones, is not a simple thing. And unpatched devices are ripe targets.

“Unequivocally it is a very difficult task for an enterprise, or even for you as a consumer, to stay current on patches,” Smith says. That partly explains why companies have become more willing to absorb the expense of issuing company-controlled devices to workers, he says.

Innovation factors in

Another factor nudging companies to exert control over mobile devices has to do with security innovation. Firewalls, antivirus suites and intrusion detection systems have all been advancing, and there has been a push, led by the likes of Cisco, Palo Alto Networks and numerous other security vendors, for enterprises to take a platform approach to security. This typically includes adding a layer of machine learning-based “threat intelligence” to the mix.

In parallel to this trend, a cottage industry of innovative mobile security start-ups has cropped up, Silent Circle being a prime example. While Silent Circle’s legacy product, the Blackphone, has attracted a loyal clientele among parties desiring ultra-secure devices, the company has also moved to essentially replicate the Blackphone’s core functions on consumer-grade devices. (Here’s a 2013 video I did with co-founder Phil Zimmermann for USA TODAY:)

“For the average enterprise that already has an installed base of iPhones or Androids, instead of having to go out and buy Blackphones, we can provide them with just the application at a much lower price point and they can secure their communications across their entire corporate-owned devices,” Smith says.

Silent Circle has won business in the energy, financial services, manufacturing, pharma and government sectors; and even from individual customers “who are very concerned about their privacy especially with things happening today,” Smith says.

The potential, going forward, for leading-edge mobile security systems built around company-provisioned devices to strengthen emerging threat intelligence platforms appears to be strong. For a deeper drill down on this, please listen to the accompanying podcast. Meanwhile, stay prepared to say goodbye, once and for all, to BYOD.

(Editor’s note: Last Watchdog has supplied consulting services to Silent Circle.)
