Enterprise Services Blog
Get the latest thought leadership and information about the role of Enterprise Services in an increasingly interconnected world at HP Communities.

BYOD Policy: Data is the danger, not the device

By Mike Sarokin, HP Fellow, HP Enterprise Services


Bring Your Own Device (BYOD) policy is a large enterprise security debate. As employees embrace innovative tablets and smartphones that allow them to work from any location, BYOD  is causing concern for many enterprises. One of the fundamental responsibilities of Enterprise IT is to protect the company assets, and data on employees’ personal devices extends the enterprise risk into areas of concern.


About 61 percent of business leaders in the U.K.—and 58 percent in the U.S.—believe BYOD poses a much greater enterprise security risk than company-issued devices, according to a study by ISACA (formerly the Information Systems Audit and Control Association). However, John Pironti, an advisor with ISACA and president of IP Architects, suggests that the devices are being given too much credit.


“The data is where the focus needs to be, not the device,” he says. “It’s the same conversation we’re having about the cloud. The real questions for the enterprise are: Do we want to allow these devices to touch everything? And we don’t have control over where it’s stored? Probably not.”

 two people.JPG

BYOD policy isn’t entirely new

Although the proliferation of personal mobile devices blurring the lines with work life is relatively new, the conversation about what will be allowed on employee-owned devices is not. It began in the 1990s with laptops, and has merely evolved with technology—and seemingly without resolution.


“If focusing on the device was the answer, we would have solved this problem years ago,” Pironti notes. “Everyone wants to talk about the widget, but they need to focus on the data first and the technology second. The device is just a vessel; the value is in the data. You have to decide what environments that data will be allowed to operate in, according to your individual risk appetite.”


To do that, Pironti says the enterprise must classify its data and establish criteria for what will—and won’t—be allowed on employee-owned devices. When data reaches a certain level of sensitivity, it would be prohibited, which means high-level executives would probably not be candidates for using their own devices to store and transport company information.


Other enterprise BYOD policies could include:

  • Restricting data on certain platforms. For example, enterprise IT may be much more comfortable with one smartphone operating system vs. another deemed more vulnerable.
  • A tailored BYOD policy. Each enterprise will have to implement a policy that addresses specific concerns and risk tolerance.
  • Data storage in the cloud.  Requiring data to be stored on a company approved server rather than on the device.


Safeguarding enterprise devices

“Mobile device usage is like ants marching. You can’t stop it. But it’s time to think about the problem differently,” Pironti says. “We need to stop fighting with BYOD, we need to embrace this immediately and educate users on our expectations.”


Increased education will result in a more security-aware user.  However, security audits will be needed to reinforce the corporate policy.


“Users can become our greatest asset,” Pironti says. “Because as we educate them about the threats and vulnerabilities on their devices, and educate them as to why they might want to use them more carefully, they are going to work with us to keep that information secure.”


Security in the cloud is also high on the list of challenges for today’s enterprise. Join HP Fellow Ed Reynolds in his Innovation INSIGHT webcast, It’s About Securing Your Enterprise, Not Your Cloud.

telemedik8 | ‎02-23-2012 04:32 PM

I liked the quote "Mobile device usage is like ants marching. you can't stop it." So true.


This is a big issue in the healthcare industry, where HIPAA and patient data confidentiality can lead to major law suits for loss or unsecured use of data by mobile devices.


The problem is that the data is on the BYOD device, and if it is lost or stolen, then the data can be accessed.


The problem is that the large centrailzed BYOD systems are expensive and very restricting for the users.


Like ants, we can't stop doctors and nurse from emailling or texting confidential patient data from thier smart phones and iPads.


Instead, we try to provide them with tools to help them keep the data secure.


Example, for text messaging we got all the doctors to use Tigertext, which is HIPAA complient since it is a secure closed network that works on most smartphones, and deletes the text message after a period of time. At $10 a user it is very cost effective and saving the hospital from millions in law suits.


I think BYOD policy and technologies are going to be the major focus of IT departments for sometime to come, and cost effective and easy to use and impliment solutions that work on personal devices will be key to solving the security issues related to BYOD.





wodisch | ‎02-23-2012 09:27 PM

Hello Mike,


you are right with the first part of your headline, of course.


But I cannot agree to the second half of it - not only the device itself is in danger, but it is dangerous, either!

For it usually is whitelisted for wireless communication by your enterprise.

So, if someone gets the device, they get the IDs, the MAC-addresses(s), and almost certainly the keys to connect to your enterprise's WLAN (and possibly BlueTooth-devices, think about these meeting-room BlueTooth "hands-free" microphone/loudspeaker thingies) - without being detected (since they are officially permitted to do that).


And to get these little pieces of configuration data, properly equipped/trained intruders will only need to get their hands on such a device for a very short amount of time, like when one leaves the phone/tablet on a desk in the office, or on a table in a train or a restaurant (or a Bar, if it is an iPhone ;-)


Does anybody/any enterprise have a correlation rule active, to "map" the presence of an employee to the presence of his/her devices?

All legal problems aside, that would need a centralized time recording of the employees, and a real-time connection from there to networking and security (and who is charge of controlling the BlueTooth thingies?).


We are just starting to get the "whole" picture, I am afraid...




Mike Sarokin | ‎02-24-2012 04:50 PM

The points that each of you have made in this thread are right on.  BYOD is moving faster than the ability to secure the devices.  The momentum toward BYOD is accelerating.  The blur between consumer and professional (sometimes called "prosumer") is happening now.


Vendors are aggressively working on providing BYOD solutions.  What are some of key requirements that you would advice vendors to concentrate on first?


Mike Sarokin

Data Center Security | ‎04-28-2014 04:46 PM

Great post! Been reading a lot about data center securities recently. Thanks for the info here!

Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.