BYOD means users want a 'Goldilocks' answer for device security
Locked down is too much security, but unlocked may be too little
August 01, 2012 — CSO — When it comes to securing mobile devices in a bring-your-own-device (BYOD) world, users are increasingly looking for what could be called the "Goldilocks" solution -- neither too much security, nor too little.
That's the sentiment found by researchers at Carnegie Mellon University, who asked a small group of mobile device users -- those with smartphones and tablets -- about how locked down their devices should be.
Until now, it's been an either/or world, with users often allowed only one of two options for application access: locked or unlocked. But all 20 participants in the Carnegie Mellon research who had both a smartphone and a tablet indicated that "all-or-nothing device access control (is) a remarkably poor fit with users' preferences."
Locked is "too hard," while unlocked is "too soft," the researchers found. The just-right solution? Setting up their devices so that "roughly half their applications [are] available, even when their device was locked and half protected by authentication."
That desire for a security middle ground comes as no surprise to mobile experts like James Arlen, a senior consultant with Taos, who says users are now accustomed to mixing business and personal lives on their devices. "Consider the mobile device as an 'exocortex' -- the place where you store your thoughts and ideas outside of your mind," he said. "There is no firewalling between the moment when you're planning a Friday night date and planning the next quarter's budget."
The findings of the Carnegie Mellon researchers are detailed in a white paper, "Goldilocks and the Two Mobile Devices: Going beyond all-or-nothing access to a device's application."
Not surprisingly, one of the issues for those looking to keep some information secure while allowing easy access to other data is convenience. Having layers of access could also encourage collaboration, if the owner of a device could open up certain apps to colleagues, friends or family members while keeping others locked, the researchers found.
"Since tablets are more likely to be shared by many users, all-or-nothing locks seem an even worse fit for these devices than they are for phones," the study concluded. "Our participants' preferences suggest that some form of user or group accounts is overdue, especially for tablets."
The study was done in concert with Microsoft Research.
Arlen said "notional" access control is already available with RIM's BlackBerry Balance. "The technology to build something workable is certainly there," he said. "It's a question of willpower and implementation-level details."