With increasing popularity in initiatives like BYOD and BYID, IT departments are constantly trying to find the balance between openness and security. Bring Your Own Device (BYOD) seems to sit at one end of the spectrum and Bring Your own ID (BYID), on the other end. Both initiatives are part of a larger consumerization of IT trend that has been gripping the corporate environment since the advent of smart personal devices and cloud services. BYID may seem to pose a security threat, at face value, but it’s actually both convenient and provides a stronger security environment than a one tier authentication method. With the continued growth of cloud services, identity needs to be taken off of users’ plates via delegated authentication using such standards like OAuth and OpenID. Imagine a use case where you provide a service online to users either on a trial basis and/or full subscription. If a user only wants to use your service on a trial basis, he or she does not have to create a login to temporarily access your service but should be able to instead use a social network account, for example, to access a trial account. When it comes time to upgrade to a full subscription, the user will then have the option to create a login specific to your site unless you choose to continuously leverage a 3rd party vendor for authentication purposes. This type of authentication brokering should be embraced more by companies of all sizes and is even more applicable for business partnerships. It becomes a true partnership when two different businesses can use their respective credentials to access non-sensitive data on each other’s sites.

At the other end, BYOD seems like a good idea at face value but the openness that is achieved comes at a high cost to personal privacy and enables personal devices as easier entry points into a company. With BYOD, one of the biggest threats is phishing within an application with a good install base. It’s important to remember that when it comes to choosing mobile applications, there is no central vetting service and users have to rely on reviews and the “reputation” of developers. This is a serious threat to corporate networks. Although there are methods such as network access control (NAC) or virtualization that can help in protecting a company’s network from intrusion via personal devices, one big disadvantage is in the remote capabilities arena. For example, company-owned devices can be easily encrypted or wiped clean in the event of a lost or stolen device; but, with employee-owned devices, this policy poses a challenge and has far reaching ramifications into privacy. The language in many corporate end user agreements, regarding personal mobile devices, spells it out clear that personal data is indistinguishable from company data and can be audited or remotely deleted if there is ever a perceived or realized compromise to the company. Although storage is guaranteed in the event of a remote swipe, avoidance of personal data compromise does not seem to be.

Unlike other IT trends of the past such as outsourcing work to foreign countries, that can be more easily reversed, BYOD would be much harder to reverse if the initiative proves to be too expensive (i.e. storage costs of virtualization) or unsustainable. Is BYOD really worth the risk it poses to both employees and employers? As an employee, if you were to misplace your company-registered personal device, would you report it to Security immediately or wait until it turned up because you are trying to protect your personal data first?