May 15 2012

Published!

Category: My Web Log,Random,TechAdmin @ 18:37

Congrats to my research colleagues on our recent publication by Cambridge University Press in Operations Research. It has been a great year+ of revisions and waiting.

A hybrid genetic algorithm for the vehicle routing problem with three-dimensional loading constraints

Lixin Miao, Qingfang Ruan, Kevin Woghiren and Qi Ruo (2012).

RAIRO – Operations Research, Volume 46, Issue 01, January 2012, pp 63-82

http://journals.cambridge.org/action/displayAbstract?aid=8586204


Apr 24 2012

BYID, yes! But is BYOD really worth it?

Category: My Web Log,TechAdmin @ 15:51

Security comes with a new face every year. The acceptance of security as a dynamic state is crucial for the protection of any enterprise and its assets. A famous philosopher once quipped, “It is in the nature of things that when one tries to avoid one danger, another is always encountered”. Take the infamous Stuxnet malware, for example: it was able to infiltrate Iran’s nuclear program within a network requiring rigorous security screenings, including biometric ID, and with no internet access. This raises the question: Is IT security better off treating security as a game of perfect information, where strategists should be valued and emphasized over tools and skills, in which the opposition is most likely equally matched (think chess)? Threats to a company, after all, can be both internal and external.

With the increasing popularity of initiatives like BYOD and BYID, IT departments are constantly trying to find the balance between openness and security. Bring Your Own Device (BYOD) seems to sit at one end of the spectrum and Bring Your Own ID (BYID) at the other. Both initiatives are part of a larger consumerization-of-IT trend that has been gripping the corporate environment since the advent of smart personal devices and cloud services. BYID may seem to pose a security threat at face value, but it is actually convenient and provides a stronger security environment than a one-tier authentication method. With the continued growth of cloud services, identity needs to be taken off users’ plates via delegated authentication using standards such as OAuth and OpenID. Imagine a use case where you provide an online service to users on a trial basis and/or by full subscription. A user who only wants to try your service should not have to create a login for temporary access but should instead be able to use a social network account, for example, to access a trial account. When it comes time to upgrade to a full subscription, the user will then have the option to create a login specific to your site, unless you choose to keep leveraging a third-party vendor for authentication. This type of authentication brokering should be embraced more by companies of all sizes and is even more applicable to business partnerships. It becomes a true partnership when two different businesses can use their respective credentials to access non-sensitive data on each other’s sites.

At the other end, BYOD seems like a good idea at face value, but the openness that is achieved comes at a high cost to personal privacy and turns personal devices into easier entry points into a company. With BYOD, one of the biggest threats is phishing within an application with a good install base. It’s important to remember that when it comes to choosing mobile applications, there is no central vetting service and users have to rely on reviews and the “reputation” of developers. This is a serious threat to corporate networks. Although there are methods such as network access control (NAC) or virtualization that can help protect a company’s network from intrusion via personal devices, one big disadvantage is in the remote capabilities arena. For example, company-owned devices can be easily encrypted or wiped clean in the event of a lost or stolen device; with employee-owned devices, this policy poses a challenge and has far-reaching ramifications for privacy. The language in many corporate end user agreements regarding personal mobile devices spells out clearly that personal data is indistinguishable from company data and can be audited or remotely deleted if there is ever a perceived or realized compromise to the company. Although storage is guaranteed in the event of a remote wipe, avoidance of personal data compromise does not seem to be.

Unlike other IT trends of the past, such as outsourcing work to foreign countries, which can be more easily reversed, BYOD would be much harder to reverse if the initiative proves to be too expensive (i.e. storage costs of virtualization) or unsustainable. Is BYOD really worth the risk it poses to both employees and employers? As an employee, if you were to misplace your company-registered personal device, would you report it to Security immediately or wait until it turned up because you are trying to protect your personal data first?


Feb 23 2012

An Introduction to RSpec

Category: My Web Log,TechAdmin @ 15:12

By Guest Blogger: Max Woghiren, Google

RSpec is a testing framework for Ruby based on the notion of behavior-driven development. It’s designed to allow unit tests to be easily written in terms of behavior, and provides simple, intuitive documentation for the entities being tested. It’s a valuable tool that makes test- and behavior-driven development enjoyable and straightforward. Let’s check it out.

Reverse Polish Notation

Suppose we want to write a calculator. The calculator will operate using Reverse Polish notation. In Reverse Polish notation, operations come after operands; for example, 3 + 4 becomes 3 4 +. A calculator using this notation maintains a stack of numbers, and whenever an operation is entered, we pop the top two numbers from the stack, perform the operation, and push the result back onto the stack….
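The stack procedure described above, as an added Ruby example that is not part of the original post: the class name `RPNCalculator`, its `evaluate` method and the error messages are hypothetical. It parses tokens against a whitelist instead of calling `eval`, and rejects stack underflow, leftover operands, division by zero and unknown tokens.

```ruby
# Added example (not from the original post). Names are hypothetical.
# Input is treated as untrusted: tokens are matched against a whitelist
# and the expression is never passed to eval.
class RPNCalculator
  class Error < StandardError; end

  # Each operation receives the left and right operand, in that order.
  OPERATIONS = {
    '+' => ->(a, b) { a + b },
    '-' => ->(a, b) { a - b },
    '*' => ->(a, b) { a * b },
    '/' => ->(a, b) { b.zero? ? raise(Error, 'division by zero') : a / b }
  }.freeze

  # Optional sign, digits, optional decimal part; nothing else is a number.
  NUMBER = /\A-?\d+(\.\d+)?\z/

  def initialize
    @stack = []
  end

  # Evaluates a whitespace-separated RPN expression and returns a Rational.
  def evaluate(expression)
    @stack.clear
    expression.split.each { |token| push(token) }
    raise Error, 'empty expression' if @stack.empty?
    raise Error, "#{@stack.size - 1} operand(s) left over" if @stack.size > 1

    @stack.pop
  end

  private

  def push(token)
    if token.match?(NUMBER)
      @stack.push(Rational(token)) # exact arithmetic, no float rounding
    elsif (operation = OPERATIONS[token])
      raise Error, "'#{token}' needs two operands" if @stack.size < 2

      right = @stack.pop # the top of the stack is the right-hand operand
      left = @stack.pop
      @stack.push(operation.call(left, right))
    else
      raise Error, "unknown token #{token.inspect}"
    end
  end
end

puts RPNCalculator.new.evaluate('3 4 +') # constructed sample input
```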



Feb 11 2012

Crowd-Sourced Libel

Category: My Web Log,TechAdmin @ 00:20

When I first heard about OpenLabel’s idea for an app, I initially thought out loud in solitude, “Not another soon-to-be-defunct barcode scanning app!” But as I read more, I realized that OpenLabel’s new app was a crowd-sourced solution designed to provide more transparency on products and brands. For example, not only would a barcode contain price information, but it would contain other data such as the environmental impact of the product and whatever other information consumers wanted to share with society.

The idea isn’t original, but the timing seems to be right as crowd-sourcing is becoming more commonplace. However, since OpenLabel will not be monitoring any of the user input, the potential for defamation of brands is increased and could result in lawsuits against both the start-up and its user base. In addition, even if this app becomes successful and profitable, I do not think brand loyalty would succumb to its effects.