[Dapper37]

With issues like the one linked here, where companies are stealing private information off personal and corporate iphones and androids predominatly. BB not so much. My question is, who's liable for the loss or theft of someone elses information? After the world has gone to "Bring Your Own Device" You can see the issues that could arise. Like if corprate info is lost or stollen from someones personal phone, could that person be fired, or worse?
When you think about it, whats the interest in bring your own device anyway? Who wants to pay for their own company device and take on the liablity?

Path discovered phoning home with your address book

| http://www.zdnet.com/blog/apple/path...;siu-container

[JubJubJub]

There needs to be a way to segregate business and personal information on smart phones. News like this is good for RIM and I am sure we are going to hear about massive data breaches from phones sooner than later. Even from iPhones in their 'protected' environment.

[trucky]

BYOD and BYOT (bring your own technology) are both gaining a lot of traction. Whether it be corporate, educational or just plain old business, this is going to prove to be a huge issue of enormous proportions. Many of the ramifications have not even been considered yet but those who are pushing it see it as some sort of device nirvana. Can you imagine trying to maintain security on any network without knowing what's trying to connect?

[daveycrocket]

In the uk and europe any loss of data would be the resonsibility of the data holder therefore the in this case the device owner would be liable for not protecting and gaining permission for the data to be shared whether stolen or not. Europe Data protection Act.
PS an excellent reason to ensure that data whether sensitive or not is not stored in the cloud.

[Tre Lawrence]

In the USA the employee might be fired but nothing else is likely to happen to that person. Of course they could, and should argue it is IT's fault. The company might be sued depending on what information is stolen. I would think the IT security director would be on the hot seat to say the least. Of course if he/she is smart they would force upper management to state in writing that non-corporate assets are permitted to access corporate information. If I was corporate/government IT director responsible for information assets, I would not permit anything except BlackBerry phones and tablets for non-computer mobile devices unless my manager accepts responsibility. For now, other mobile phones and tabs are just not proven to be secure.

So you wouldn't allow a device from another manufacturer even if it was FIPS-certified?

Mobile post via Tapatalk

[Dapper37]

When you concider all the vital information on all these mobile devices nowadays, even more in the future. You can imagine this type of thing coming up! Could end up a convenient way to get rid of employees a company doesn't like. Again I wonder why people bother. Let the company pay.

[Economist101]

Again I wonder why people bother. Let the company pay.

Well, it isn't always an employee choice, but when it is they bother because they don't care for the device their employer gives them.

[Tre Lawrence]

As a government manager FIPS is good enough and if the device+software combo is FIPS, it is allowed. In the corporate world, federal standards are of no interest except as products to sell to government. The devices need to be proven to a higher standard than FIPS. Again, this is all based on upper management wishes, as always.

Makes sense.

Mobile post via Tapatalk

[Dapper37]

Well, it isn't always an employee choice, but when it is they bother because they don't care for the device their employer gives them.

Seems to me that the farther each device/OS goes down the path of development the more they all have the same features.
BB10 bringing the app mass to BlackBerry. Sounds like the need for BYOD might fizzel out in the end.
Perhaps even swing back the other way? For security reasons of course.

[qbnkelt]

Well, it isn't always an employee choice, but when it is they bother because they don't care for the device their employer gives them.

If someone I hire balks at the equipment I choose to give him/her as a tool to do his/her job, he/she has lost points and a certain amount of credibility.
As the employer I choose who gets the device when relevant to his/her work. It is my device to give as a representative of my agency. It is my agency's choice to support. And that is relative to the set of requirements for the agency.
What the employee likes or doesn't like is irrelevant to the job he/she has been hired to perform. Unless he/she has been hired to be a tech critic.

[qbnkelt]

So you wouldn't allow a device from another manufacturer even if it was FIPS-certified?

Mobile post via Tapatalk

For certain agencies FIPS is the *minimum* level of certification required.
Agencies can specify requirements that go way above FIPS.

[Dapper37]

If someone I hire balks at the equipment I choose to give him/her as a tool to do his/her job, he/she has lost points and a certain amount of credibility.
As the employer I choose who gets the device when relevant to his/her work. It is my device to give as a representative of my agency. It is my agency's choice to support. And that is relative to the set of requirements for the agency.
What the employee likes or doesn't like is irrelevant to the job he/she has been hired to perform. Unless he/she has been hired to be a tech critic.

Thats the way it works wherever i've been employed.
I'm interested on your thoughts on the original post, You seem like you have an understanding of the issues.

[Sith_Apprentice]

For certain agencies FIPS is the *minimum* level of certification required.
Agencies can specify requirements that go way above FIPS.

FIPS applies generally to the crypto core. It actually doesnt apply to secure configurations (usually). For instance, your personally BB is FIPS validated. However it is by no means anywhere close to as secure as a BES BB device.

In this case, the responsibility falls on both the company and the individual. It is in fact an individual device. The owner of the device *IS* responsible for what happens on their device. It is no different than if illegal material is passed through your company PC. If you download illegal files, your company is responsible if its over their network. However, since YOU are the one downloading, you are also responsible. Does that make sense?

In an IT security point of view, BYOD/BYOT is a terrible idea. From a financial and management point of view it is great. It is amazing on the bottom line as you remove all device cost, replacement cost, support for devices, etc. However you are taking a shotgun to your corporate security policy and blowing holes into it.

[CrackedBarry]

As hard as Dapper is hoping for a data-stealing disaster, leading to a dramatic end of the BYOD trend, and forcing companies to kneel before the altar or BlackBerry, crying and repenting and begging to be taken back, neither is likely to happen.

BYOD is just one reason, a relatively minor one at that, why BBs are being displaced from the corporate world, but most importantly: Dapper, did you even READ about the whole Path issue, or are you just trying to overdramatize a minor issue, knowing that there really isn't much to the story?

Path didn't maliciously "steal" anybody's data.. They just tried improving their app/service by implementing a feature (namely sharing with people in your addressbook) and didn't inform their users as thoroughly as some people would like. As soon as it was brought it up, they apologized and patched the app.

Now Dapper, you might keep nuclear launch codes in your addressbook, but I dont, and neither do most people I know... And finally, if a company is really worried about something like this, they can just lock down their employees iPhone, so they don't download any unauthorized app. Something they're likely to do before ending their BYOD practice. Problem solved...

[Economist101]

They don't like what the company gave them? I guess if they don't like the location of their desk they can just move it. Or they can move to another employer.

I wasn't aware of a "locate your own desk" program. Obviously, BYOD exists because employers allow it, so to compare it to something employers don't allow demonstrates a lack of, well, "discernment."

If someone I hire balks at the equipment I choose to give him/her as a tool to do his/her job, he/she has lost points and a certain amount of credibility.
As the employer I choose who gets the device when relevant to his/her work. It is my device to give as a representative of my agency. It is my agency's choice to support. And that is relative to the set of requirements for the agency.
What the employee likes or doesn't like is irrelevant to the job he/she has been hired to perform. Unless he/she has been hired to be a tech critic.

That's fine, but the thread is about BYOD and its dangers, not whether you or I wouldn't support BYOD. To be clear, I'm not advocating BYOD; I merely answered a question why, when given the option, an employee might elect to bring their own device.

[undone]

In an IT security point of view, BYOD/BYOT is a terrible idea. From a financial and management point of view it is great. It is amazing on the bottom line as you remove all device cost, replacement cost, support for devices, etc. However you are taking a shotgun to your corporate security policy and blowing holes into it.

To add to that if your going to allow BYOD/BYOT, as part of your risk assessment you need to work out what it is that it will or will not have access to. The risk assessment is key to 'working' with people (cause IT people are seen as a road block for some reason...I hate that) and there BYOD/BYOT. If the senior management signs off on the risk, you have CYA'ed yourself as best as you can. Document and get sign off. And remember its not an IF its a WHEN, better to assume the device will get compromised then being bullet proof.

[CrackedBarry]

Or of course you can use something like Good Technology, and have it locked down as securely as any BB given to you by the IT department..

[qbnkelt]

As hard as Dapper is hoping for a data-stealing disaster, leading to a dramatic end of the BYOD trend, and forcing companies to kneel before the altar or BlackBerry, crying and repenting and begging to be taken back, neither is likely to happen.

BYOD is just one reason, a relatively minor one at that, why BBs are being displaced from the corporate world, but most importantly: Dapper, did you even READ about the whole Path issue, or are you just trying to overdramatize a minor issue, knowing that there really isn't much to the story?

Path didn't maliciously "steal" anybody's data.. They just tried improving their app/service by implementing a feature (namely sharing with people in your addressbook) and didn't inform their users as thoroughly as some people would like. As soon as it was brought it up, they apologized and patched the app.

Now Dapper, you might keep nuclear launch codes in your addressbook, but I dont, and neither do most people I know... And finally, if a company is really worried about something like this, they can just lock down their employees iPhone, so they don't download any unauthorized app. Something they're likely to do before ending their BYOD practice. Problem solved...

Intent matters not one iota where there is a breach in security such as one might find if internal numbers are taken from a device and shared with app developers or users who do not have a need to know.

As far as the Dapper, no, he does not have any nuclear codes, I'm sure. But step back a bit, if you can manage an intellectual exercise, to see that the possibility of having internal numbers leaked would be catastrophic for secure agencies.

As far as locking down the iPhone, that is precisely what is needed. And then you have an iPhone that cannot load apps from the App Store, which cannot upload information to the cloud, that cannot sync with iTunes depending on the security requirements of the organisation.

How popular do you think that iPhone would be, do you think, when the owner of the BYOD comes in and learns that they are not authorised Angry Birds?

[CrackedBarry]

I really don't think that you, and the other resident "security experts" at Crackberry gives as much credit to corporate Americas CIO's as they deserve...

They would have reviewed the potential pitfalls and beenefits of a change to a BYOD policy, if necessary implemented different security levels for different users, and concluded that the change was worth it, before they proceeded.

[CrackedBarry]

As far as locking down the iPhone, that is precisely what is needed. And then you have an iPhone that cannot load apps from the App Store, which cannot upload information to the cloud, that cannot sync with iTunes depending on the security requirements of the organisation.

In some though rare cases, yes, this would have been necessary. And apparently the financial savings and increased user satisfaction would have made it worth it, since they went through with it...

[Economist101]

How popular do you think that iPhone would be, do you think, when the owner of the BYOD comes in and learns that they are not authorised Angry Birds?

Less so, probably. But as you indicated earlier (where you indicated if you were choosing employees would use whatever you ordered), individual employee satisfaction isn't all that high on your personal list.

[qbnkelt]

I really don't think that you, and the other resident "security experts" at Crackberry gives as much credit to corporate Americas CIO's as they deserve...

They would have reviewed the potential pitfalls and beenefits of a change to a BYOD policy, if necessary implemented different security levels for different users, and concluded that the change was worth it, before they proceeded.

Where security is concerned, trust is an enemy. You protect against and you minimise risks.
Undeniably there are different levels of security. The highest levels does not rely in trust, they rely in protection against threat.

[qbnkelt]

Less so, probably. But as you indicated earlier (where you indicated if you were choosing employees would use whatever you ordered), individual employee satisfaction isn't all that high on your personal list.

Nowhere on my personal list, actually. I am tasked with safeguarding systems, connections, firewalls, data, contracts. Individual employee personal satisfaction with a tool is not a concern. I leave that to the morale, welfare and recreation branch.
Cold? Yup. Hard nosed? Yup. B1tchy? Yup. My personal opinions have nothing to do with my employees. I deal with everyone who works for me on a professional level.
And that is the reality of an IT and contracts manager in a secure agency. Other division managers have other responsibilities.

[OniBerry]

I really don't think that you, and the other resident "security experts" at Crackberry gives as much credit to corporate Americas CIO's as they deserve...

They would have reviewed the potential pitfalls and beenefits of a change to a BYOD policy, if necessary implemented different security levels for different users, and concluded that the change was worth it, before they proceeded.

I'll listen to any CTO/CIO with PSP, CPP, or a PCI (maybe even a CPO or CPOi) after his/her name. Last year a North American study(my company and a few subs) was conducted, and cloud computing was a higher priority (on the average) than security. But you think they are not given the credit that they deserve.

I have employees who lose their pass card once a week, but want me to load up their credentials on their new devices. Staff who do not believe they should report a lost/stolen passcard until they need access. Staff who want their work address printed on their access cards. BYOD? Not at this company, we have over 250,000 BBs in use. BOYD is a result of financial pressures, and not security measures.

[kbz1960]

I have been wondering if iphones and androids get as locked down as a bb. If they do are these people still going to love their phone they can not do what they wish with? Does that just make it a bb then?