BYOD Policy Has Produced Security Problems Nobody Wants to Own
Bring Your Own Device policies were adopted by enterprise IT organizations under pressure from employees and leadership who wanted to use their personal devices for work and did not want to carry two phones. The policies were designed hastily, implemented with tools that were not ready for the management requirements they needed to meet, and left in place with minimal review as the security landscape changed around them. The result is a policy category that most IT security professionals acknowledge as a significant exposure and most organizations decline to address because addressing it requires telling employees they cannot use their personal devices for work.
The BYOD security problem is not a single problem. It is several distinct security exposures that share the property of being difficult to remediate without organizational changes that create friction with employees who are accustomed to current arrangements.
The Personal Device Management Gap
Mobile Device Management solutions deployed for BYOD typically operate in a work profile or containerized mode that manages only the organizational applications and data on the personal device, leaving the personal portion of the device unmanaged. This architecture is the correct one from a privacy standpoint — employees should not accept an MDM enrollment that gives the employer visibility into their personal communications and applications. The privacy-preserving architecture creates the security gap.
A partially managed personal device is one where the organizational data is nominally protected by the work profile while the personal portion of the device may be running an outdated iOS or Android release, have no security software, be connected to personal cloud backups that are not covered by organizational data handling requirements, and be shared with family members who can use the device without holding organizational credentials.
The work profile’s protection of organizational data is contingent on the underlying device being trustworthy. An Android device running a version that has not received security patches in two years, with a compromised personal application that has root access to the device, does not provide the isolation that the work profile architecture assumes. The organization cannot enforce patch requirements on the personal portion of the device without overstepping the employee privacy boundary that made BYOD acceptable.
The Data Residency Problem
Employees who use personal devices for work-related activities create data residency ambiguities that become significant during litigation, regulatory investigations, and data breach responses. Work-related communications in a personal messaging application, documents created on a personal device and stored in a personal cloud service, and email accessed through the device’s native mail client outside the work profile all represent organizational data that exists outside the organizational data control environment.
During an e-discovery request, this data may be legally required to be produced. The mechanics of producing personal device data without also producing personal data raise legal complexity that organizations have generally not worked through in advance. A BYOD policy implemented without legal review of the data residency and litigation hold implications is a policy that contains obligations the organization may not be able to meet.
The Offboarding Problem
Employee offboarding on BYOD devices requires the organization to remote wipe the work profile — removing organizational applications and data from the personal device — without wiping the personal portion. When this works correctly, it is the intended architecture. The failure modes are significant: the offboarding process that is not executed promptly allows the departing employee to retain access to organizational data and systems for longer than the termination decision intended, and the remote wipe process that fails silently leaves organizational data on the device indefinitely.
Offboarding reliability for BYOD is lower than for organization-owned devices because MDM enrollment is voluntary and can be removed by the employee at any time. An employee who unenrolls their personal device from MDM before the offboarding process is executed removes the mechanism for remote wipe. The organization has no recourse for removing its data from a device it does not own.
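The three failure modes described above (wipe never issued, wipe issued but never acknowledged, employee unenrolled before the wipe could reach the device) can be surfaced by reconciling the HR termination feed against the MDM inventory. The following is an added example, not code from the article; the record fields, the SLA thresholds and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, not an export from any real HR or MDM system.
T = datetime(2024, 3, 1, 9, 0)  # termination time shared by the four sample leavers
TERMINATIONS = {"e101": T, "e102": T, "e103": T, "e104": T}
NOW = datetime(2024, 3, 3, 12)  # time of the audit run

# One record per BYOD work profile; field names are assumed, not a vendor schema.
DEVICES = [
    # wipe issued and acknowledged by the device: healthy offboarding
    {"id": "d1", "employee": "e101", "enrolled": True,
     "wipe_issued": datetime(2024, 3, 1, 10), "wipe_acked": datetime(2024, 3, 1, 10, 5)},
    # still enrolled and checking in, but nobody ever issued the wipe
    {"id": "d2", "employee": "e102", "enrolled": True, "wipe_issued": None, "wipe_acked": None},
    # wipe issued, never acknowledged: the silent-failure case
    {"id": "d3", "employee": "e103", "enrolled": True,
     "wipe_issued": datetime(2024, 3, 1, 10), "wipe_acked": None},
    # employee removed the MDM enrollment the evening before termination
    {"id": "d4", "employee": "e104", "enrolled": False, "wipe_issued": None,
     "wipe_acked": None, "unenrolled": datetime(2024, 2, 28, 18)},
    # active employee, must not appear in the findings
    {"id": "d5", "employee": "e200", "enrolled": True, "wipe_issued": None, "wipe_acked": None},
]


def audit_offboarding(terminations, devices, now,
                      issue_sla=timedelta(hours=4), ack_sla=timedelta(hours=24)):
    """Return (device_id, finding) pairs for terminated employees' work profiles.
    issue_sla: how long after termination a wipe may remain un-issued.
    ack_sla: how long an issued wipe may go unacknowledged before it counts as failed."""
    findings = []
    for d in devices:
        term = terminations.get(d["employee"])
        if term is None:
            continue  # not a leaver
        if not d["enrolled"]:
            # No enrollment means no remote-wipe channel; record when it was lost.
            lost = d.get("unenrolled")
            when = "before_termination" if lost and lost < term else "after_termination"
            findings.append((d["id"], f"unenrolled_{when}"))
        elif d["wipe_issued"] is None:
            if now - term > issue_sla:
                findings.append((d["id"], "wipe_not_issued"))
        elif d["wipe_acked"] is None and now - d["wipe_issued"] > ack_sla:
            findings.append((d["id"], "wipe_unacknowledged"))
    return findings
```

Running the audit well after termination flags d2, d3 and d4; running it at the moment of termination flags only the device that was already unenrolled, since the SLAs have not yet elapsed.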
The Honest Policy Review
BYOD policies deserve the same periodic review as any security control. The policy that was adopted five years ago under different security requirements, with different MDM capability, and with different threat actor sophistication deserves reassessment against current conditions. Many organizations would reach different conclusions today about the acceptable scope of BYOD if they conducted that assessment with current information.
The organizations that have moved to Corporate Owned Personally Enabled models — where the employer provides the device and employees use it for both work and personal purposes under clear policies — have eliminated the core BYOD security exposures while maintaining the user experience benefit of a single device. The capital cost of providing devices is partially offset by the simplified management and the elimination of the security overhead that BYOD management requires. The honest accounting of BYOD’s total cost — management complexity, security exposure, and legal risk — frequently makes COPE more cost-effective than the device cost premium suggests.