BYOD means users want a 'Goldilocks' answer for device security

When it comes to securing mobile devices in a bring-your-own-device (BYOD) world, users are increasingly looking for what could be called the "Goldilocks" solution -- neither too much security, nor too little.

That's the sentiment found by researchers at Carnegie Mellon University, who asked a small group of mobile devices users -- those with smartphones and tablets -- about how locked down their devices should be.

Until now, it's been an either/or world, with users often allowed only one of two options for application access: locked or unlocked. But all 20 participants in the Carnegie Mellon research who had both a smartphone and a tablet indicated that "all-or-nothing device access control (is) a remarkably poor fit with users' preferences."

Locked is "too hard," while unlocked is "too soft," the researchers found. The just-right solution? Setting up their devices so that "roughly half their applications [are] available, even when their device was locked and half protected by authentication."

That desire for a security middle-ground comes as no surprise to mobile experts like James Arlen, a senior consultant with Taos, who says users are now accustomed to mixing business and personal lives on their devices. "Consider the mobile device as an 'exocortex' -- the place where you store your thoughts and ideas outside of your mind," he said. "There is no firewalling between the moment when you're planning a Friday night date and planning the next quarter's budget."

The findings of the Carnegie Mellon researchers are detailed in a white paper, "Goldilocks and the Two Mobile Devices: Going beyond all-or-nothing access to a device's applications."

[See also: BYOD: IT Claims Security Fears but Blocks Angry Birds Instead.]

Not surprisingly, one of the issues for those looking to keep some information secure while allowing easy access to other data is convenience. Having layers of access could also encourage collaboration, if the owner of a device could open up certain apps to colleagues, friends or family members while keeping others locked, the researchers found.

"Since tablets are more likely to be shared by many users, all-or-nothing locks seem an even worse fit for these devices than they are for phones," the study concluded. "Our participants' preferences suggest that some form of user or group accounts is overdue, especially for tablets."

The study was done in concert with Microsoft Research.

Arlen said "notional" access control is already available with RIM's BlackBerry Balance. "The technology to build something workable is certainly there," he said. "It's a question of willpower and implementation-level details."

Gary Long, CSO of ITWorks Operations at Cerner, pointed to "a realistic expectation to have multi-level access to the device - for instance, an iPad shared between parents and children would be configured so that the children would have limited access while the parents retain full control."

But Long said users should understand that more flexibility means more user responsibility for security. "I don't think we should encumber the device manufacturers to protect personal information - they should provide the capability," he said.

Long said many users may still underestimate the threat of data loss if they leave some applications available while others are locked. "I can easily hack an iPhone (using various methods such as social engineering) if Siri is left enabled while the device is locked," he said.
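The per-application "Goldilocks" policy the participants asked for, the shared-tablet case Long describes, and his warning about an assistant left reachable on the lock screen can all be expressed as one small access-policy model. This is an added illustration, not code from the study or from any vendor; the app names, user roles and the `audit` check are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, List, Optional


class Sensitivity(Enum):
    LOW = "low"    # weather, music, camera
    HIGH = "high"  # email, banking, corporate documents


@dataclass(frozen=True)
class AppPolicy:
    name: str
    sensitivity: Sensitivity
    available_when_locked: bool = False            # deny by default
    allowed_users: FrozenSet[str] = frozenset({"owner"})


@dataclass(frozen=True)
class DeviceState:
    locked: bool
    current_user: Optional[str] = None  # None until someone authenticates


def can_open(policy: AppPolicy, state: DeviceState) -> bool:
    """Decide whether an app is reachable in the current device state."""
    if state.locked:
        # Locked device: only apps the owner explicitly opened up are reachable.
        return policy.available_when_locked
    if state.current_user is None:
        return False  # unlocked but no identity: fail closed
    # Unlocked: the authenticated account must be on the app's allow list.
    return state.current_user in policy.allowed_users


def audit(policies: Iterable[AppPolicy]) -> List[str]:
    """Flag apps that expose high-sensitivity data without authentication."""
    return sorted(p.name for p in policies
                  if p.available_when_locked and p.sensitivity is Sensitivity.HIGH)


# Constructed policy set for a family-shared tablet (hypothetical app names).
FAMILY = frozenset({"owner", "partner", "child"})
POLICIES = [
    AppPolicy("weather", Sensitivity.LOW, True, FAMILY),
    AppPolicy("camera", Sensitivity.LOW, True, FAMILY),
    AppPolicy("kids-games", Sensitivity.LOW, False, FAMILY),
    AppPolicy("work-email", Sensitivity.HIGH),                 # owner only, auth required
    AppPolicy("voice-assistant", Sensitivity.HIGH, True, frozenset({"owner", "partner"})),
]

if __name__ == "__main__":
    locked, child = DeviceState(True), DeviceState(False, "child")
    for p in POLICIES:
        print(f"{p.name:16} locked={can_open(p, locked)!s:5} child={can_open(p, child)}")
    print("needs authentication before lock-screen access:", audit(POLICIES))
```

Running the script lists which apps open on the lock screen and for the child account, and `audit` reports the one app that combines lock-screen availability with sensitive data.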

For enterprises, Long said multiple access options could make things more challenging, not less. BYOD is "a luxury for the user, but also a money-saver for the enterprise," Long said. Even so, a company needs to build its own unique infrastructure to facilitate BYOD policies that track and control data and "eliminate any requirement to push [a mobile device management] agent or equivalent to the user's device.

"Additionally, any company-specific applications with high sensitivity should be accompanied by a purpose-built application developed internally to facilitate the necessary controls," he said.

Arlen agrees that the burden of security is on companies more than users. "One of the hardest lessons to learn in infosec is that people can only be coaxed and cajoled into behaviors, they cannot be controlled," he said. "Flexible access control or partitioning is really the only option, in much the same way that we've come to accept the partition of running sandboxed/virtualized applications - VMWare ACE applications come to mind - when we cannot be assured of the safety/security of the actual end-user computing device."

Finally, Long said he thinks the idea of a group PIN is "a really bad idea." Instead, he said, "the company should provide an internal file-sharing solution, similar to DropBox, to meet the demand of data sharing among users."

But he believes expanded control mechanisms are on the way. "We are just at the forefront of this revelation," he said.

Stories by Taylor Armerding