Executive Q&A
The Road To Secure, Mobile Enablement

July 19, 2017: Mobile, smart device and BYOD strategies are increasing the pressure on today's security officers. BYOD is high risk, as 85% of the device is out of enterprise control. Traditional security fails as vendors push workstation-solutions to mobile, while other 'mobile security' solutions alter the mobile user experience causing other issues, including users finding a workaround. We caught up with Sam Stover, Head of Applied Research at Cyber adAPT to gain some insight on secure, mobile enablement.

1. Mobile, smart device and BYOD strategies are increasing the pressure on today's companies and security officers. As vendors push workstation-solutions to mobile, where do traditional security measures fail?

I believe there has to be a balance between leveraging “tried and true” methods/products and allowing for the differences between workstation and mobile technologies.  Platforms are converging from a hardware/capabilities perspective, but users have different expectations between the two.  VPNs are a pretty good example of this:  People get annoyed when the “always-on” VPN on their laptop stops working, but for the same to happen to their phone is completely unacceptable.  Data privacy is another area of concern – even if it’s a company issued device, users feel like the data on the other side of their Facebook/Instagram/Twitter/Snapchat apps are THEIRS.

Also, I’d like to emphasize the word “converging” in my previous paragraph, not “converged”.  Mobiles are amazing devices compared to the laptops of ten years ago, but this isn’t ten years ago.  My point here is that putting a resource intensive agent on a laptop is one thing, but putting a similar agent on a mobile is another.

2. What issues can this create?

On the “always-on” VPN side, if the VPN doesn’t work, users will bypass it.  They may respect the security risk for their laptop (but even that is up for debate; everyone has had that email that ABSOLUTELY had to go out right now!), but not for the phone.  The same on the performance side – if an agent is interfering with the user experience, they will find out a way to get rid of it – BYOD makes this even easier for them.

The simple fact is that the difference in user expectation regarding the user experience is the crux of the problem.

3. User experience on a mobile device is extremely important. How can mobile security be implemented without altering the user experience?

One way Cyber adAPT do this is to offload the processing of threat detection from the device.  We recognize there is a valid need for on-device detection, but we accomplish much by moving all that processing off the device.  Since we have control of the traffic streams (i.e. we are inline) we have the ability to enact some level of remediation without requiring a resource-intensive agent.

Another aspect of our platform is that our VPN was developed from the ground up to minimize impact on the user-experience.  This is a different approach from vendors who have taken workstation clients/agents and modified them to run on a mobile platform.  There are some very significant differences in how we handle switching cells in a cellular environment, going from cellular to WiFi, etc. 

4. What advice would you give to companies and executives looking to increase BYOD strategies?

You have to go into this understanding the risks that you are assuming.  BYOD “can” make sense, but that’s not the same as saying “it does” make sense.  There are a lot of cost-saving strategies (e.g. Offshore Development) that save money on the short term, but cost more in the long-term when your IP has been sold to your competitor, stolen, etc.  BYOD is no different – know the risks, employ good policies, enforce them where you can and educate your employees.

5. Your session at CAMSS Canada East 2017 will focus on this very topic. What are the key components you want the attendees to take away with them?

  • Just because BYOD “can” make sense, doesn’t mean that it does for your organization. 
  • A deep analysis of the pros and cons is a must. 
  • The more you know about what you are walking into, the better prepared you will be when something goes wrong.