BYOD means users want a 'Goldilocks' answer for device security

Locked down is too much security, but unlocked may be too little

When it comes to securing mobile devices in a bring-your-own-device (BYOD) world, users are increasingly looking for what could be called the "Goldilocks" solution -- neither too much security, nor too little.

That's the sentiment found by researchers at Carnegie Mellon University, who asked a small group of mobile devices users -- those with smartphones and tablets -- about how locked down their devices should be.

Until now, it's been an either/or world, with users often allowed only one of two options for application access: locked or unlocked. But all 20 participants in the Carnegie Mellon research who had both a smartphone and a tablet indicated that "all-or-nothing device access control (is) a remarkably poor fit with users' preferences."

Locked is "too hard," while unlocked is "too soft," the researchers found. The just-right solution? Setting up their devices so that "roughly half their applications [are] available, even when their device was locked and half protected by authentication."

That desire for a security middle-ground comes as no surprised to mobile experts like James Arlen, a senior consultant with Taos, who says users are now accustomed to mixing business and personal lives on their devices. "Consider the mobile device as an 'exocortex' -- the place where you store your thoughts and ideas outside of your mind," he said. "There is no firewalling between the moment when you're planning a Friday night date and planning the next quarter's budget."

The findings of the Carnegie Mellon researchers are detailed in a white paper, "Goldilocks and the Two Mobile Devices: Going beyond all-or-nothing access to a device's application."

[ See also: BYOD: IT Claims Security Fears but Blocks Angry Birds Instead. ]

Not surprisingly, one of the issues for those looking to keep some information secure while allowing easy access to other data is convenience. Having layers of access could also encourage collaboration, if the owner of a device could open up certain apps to colleagues, friends or family members while keeping others locked, the researchers found.

"Since tablets are more likely to be shared by many users, all-or-nothing locks seem an even worse fit for these devices than they are for phones," the study concluded. "Our participants' preferences suggest that some form of user or group accounts is overdue, especially for tablets."

The study was done in concert with Microsoft Research.

Arlen said "notional" access control is already available with RIM's BlackBerry Balance. "The technology to build something workable is certainly there," he said. "It's a question of willpower and implementation-level details."

Gary Long, CSO of ITWorks Operations at Cerner, pointed to "a realistic expectation to have multi-level access to the device - for instance, an iPad shared between parents and children would be configured so that the children would have limited access while the parents retain full control."

But Long said users should understand that more flexibility means more user responsibility for security. "I don't think we should encumber the device manufacturers to protect personal information - they should provide the capability," he said.

Long said many users may still underestimate the threat of data loss if they leave some applications available while others are locked. "I can easily hack an iPhone (using various methods such as social engineering) if Siri is left enabled while the device is locked," he said.

For enterprises, Long said multiple access options could make things more challenging, not less. BYOD is "a luxury for the user, but also a money-saver for the enterprise," Long said. Even so, a company needs to build its own unique infrastructure to facilitate BYOD policies that track and control data and, "eliminate any requirement to push [a mobile device management] agent or equivalent to the user's device.

"Additionally, any company-specific applications with high sensitivity should be accompanied by a purpose-built application developed internally to facilitate the necessary controls," he said.

Arlen agrees that the burden of security is on companies more than users. "One of the hardest lessons to learn in infosec is that people can only be coaxed and cajoled into behaviors, they cannot be controlled," he said. "Flexible access control or partitioning is really the only option, in much the same way that we've come to accept the partition of running sandboxed/virtualized applications - VMWare ACE applications come to mind - when we cannot be assured of the safety/security of the actual end-user computing device."

Finally, Long said he thinks the idea of a group PIN is, "a really bad idea." Instead, he said, "the company should provide an internal file-sharing solution, similar to DropBox, to meet the demand of data sharing among users."

But he believes expanded control mechanisms are on the way. "We are just at the forefront of this revelation," he said.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)