The Missing Link in BYOD Security

In all the noise leading up to the release of Windows 8, one of the loudest conversations was about new management features aimed at tablets and smartphones. Not surprisingly, with employee-owned iPads and iPhones running amok in Microsoft shops where they were out of IT control, a lot of the buzz centered around mobile security in the new OS.

We all know how Microsoft responded. Surface tablets and other Windows 8 mobile devices entered the market complete with Active Directory integration, enabling IT teams to control privileges and permissions. Windows Mobile 8 offered new authentication options like picture passwords. Windows Intune, Microsoft’s cloud-based PC management service, added data loss prevention features like encryption and remote wipe. And so on.

The problem is that most of these features are designed to lock down hardware. What’s largely missing is the ability to lock down data. That’s the biggest BYOD challenge, and it’s still not solved – at least not in the Microsoft world.

It’s not just a matter of backing up files to be sure they can be recovered if someone walks off with your Surface or Samsung Series 5. Or encrypting them to foil a device thief coveting your corporate secrets. Or remotely deactivating a lost or stolen device. That’s data protection at the macro level, and it’s certainly a critical piece of the security puzzle.

But what’s also needed is data protection at the micro level. IT managers need the power to control who can access an app or a file, as well as when and where. Apple has most of this territory covered. Microsoft does not. Windows 8 was an important step forward in many areas, but notably weak in this one.

BYOD management is a three-part endeavor much like the proverbial three-legged stool. The three legs are:

  • Managing the device – including device setup, enrollment and other actual device management functions as well as authentication to grant user access to enterprise resources
  • Managing apps and data – including creating and enforcing policies on how devices can be used, controlling user access to apps, and controlling data transfer between apps
  • Managing data and device loss – including encryption, geolocation and locking lost or stolen devices

Windows Mobile 8 does a good job of the first and third legs. We have already mentioned authentication features such as Active Directory integration, support for image and biometric passwords, and Intune upgrades to address data loss prevention needs. Intune also added mass deployment capabilities, containerization features such as role-based configuration settings to simplify administration, and integration with Exchange Active Sync to manage virtually any device brought into the workplace.

But the second leg of the stool is shaky. IT managers can designate “IT-preferred” applications but have no power to control which apps can be stored on a device. They can’t block installation of apps like Dropbox if it’s against corporate policy. They can’t apply rules governing use of permissible apps – such as allowing users to open Dropbox to see files stored there but preventing them from adding their own. They can’t restrict data transfers between corporate and personal accounts by classifying apps loaded on user devices into one of the two categories and forbidding exchanges between app types.

In contrast, iOS6 delivers a robust app/data management toolset. With iOS configuration setting containers known as ‘profiles,’ for example, administrators have access to a virtualization layer that enables the sandboxing of enterprise and non-enterprise apps. This makes it possible to stop data transfers between corporate email and Box on Apple devices.

iOS6 profiles also can be used to block users from downloading certain apps or to enforce a ‘supervised mode’ that limits access to certain apps or data transfer between apps. In addition, ‘guided access’ and ‘self-destructing’ profiles enable administrators to dictate which app opens automatically on bootup and apply expiration dates to specific profiles such as those used by employees on a temporary project. With all its advantages, iOS6 still does a poor job of device enrollment and lacks Active Directory integration, which is imperative for mass deployments.
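To make the profile mechanism described above concrete, here is an added example of an iOS configuration profile (a `.mobileconfig` property list); it is not from the original article or from Apple, and the identifiers, UUIDs and dates in it are placeholders. It combines three of the controls mentioned: a restrictions payload (`com.apple.applicationaccess`) that blocks app installation so users cannot add an app like Dropbox themselves, an expiry (`RemovalDate`) that makes the profile self-destruct at the end of a temporary project, and an App Lock payload (`com.apple.app.lock`) that pins a supervised device to a single app, the supervised-mode counterpart of the guided-access behaviour the text mentions. The app bundle identifier under `App` is assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level (wrapper) payload: describes the profile as a whole -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Temporary Project BYOD Policy (example)</string>
  <key>PayloadIdentifier</key>
  <string>com.example.byod.temp-project</string>        <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>  <!-- placeholder -->
  <key>PayloadOrganization</key>
  <string>Example Corp</string>                         <!-- placeholder -->

  <!-- Self-destructing profile: the device removes it automatically on this
       date, e.g. when a contractor's engagement ends (placeholder date) -->
  <key>RemovalDate</key>
  <date>2013-06-30T00:00:00Z</date>

  <!-- Stop the user from deleting the profile before it expires -->
  <key>PayloadRemovalDisallowed</key>
  <true/>

  <key>PayloadContent</key>
  <array>

    <!-- Restrictions payload: "weak" default is allowAppInstallation = true;
         setting it false removes the App Store and blocks new installs -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.byod.temp-project.restrictions</string> <!-- placeholder -->
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>       <!-- placeholder -->
      <key>allowAppInstallation</key>
      <false/>
      <!-- Also keep documents from syncing through the user's personal iCloud -->
      <key>allowCloudDocumentSync</key>
      <false/>
    </dict>

    <!-- App Lock payload (supervised devices only): the device boots into and
         stays in the named app. Bundle identifier below is assumed. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.app.lock</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.byod.temp-project.applock</string> <!-- placeholder -->
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000003</string>  <!-- placeholder -->
      <key>App</key>
      <dict>
        <key>Identifier</key>
        <string>com.example.fieldsurvey</string>             <!-- assumed app -->
      </dict>
    </dict>

  </array>
</dict>
</plist>
```

Two practical points for administrators: the App Lock payload is honoured only on a supervised device, so an employee-owned, unsupervised iPad will silently ignore it; and a profile pushed by an MDM server can be removed only by that server, which is what actually gives IT the control over the policy that the article asks for, rather than relying on the user to leave a manually installed profile in place.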

At the end of the day, Microsoft will catch up, or third-party solution vendors will offer fresh tools to secure data – not just devices. Meanwhile every organization is in the position of waiting for the other shoe to drop. We’ve come a long way in BYOD security – but not far enough by a long shot.

By Jaspreet Singh, As published on

Follow us: @Wiredinsights on Twitter | InnovationInsights on Facebook