Why your CISO hates BYOD
Feb 23, 2022
Pro tip: Stop trying to cancel BYOD.
It’s 2022, and IT and security folk have been debating the merits of BYOD since the mid-2000s. With all due respect to the previous seventeen years, it’s long past time that we wholeheartedly embraced BYOD. I’m confident that we can and must evolve, just as we did with SaaS, public cloud, and Zoom.
Sure, there were legitimate reasons to push back on BYOD in bygone times. IT teams didn’t have the capabilities to manage or administer personally owned devices effectively. Personally procured devices posed interoperability and connectivity challenges with legacy technologies. Security poured fuel on the fire ad nauseam, citing a lack of sufficient security controls, privacy issues, endpoint governance woes, and data loss risk. BYOD advocates, namely end users who simply wanted a better experience and convenience, were unlikely to overcome often hostile network administrators. In retrospect, the initial resistance was justifiable given all of the reasons above. However, IT and security practitioners continue to cling to these legacy grievances, with a surprising degree of hostility toward BYOD, even though the justification for them has all but vanished.
Fast forward to today. The ground truth is that BYOD isn’t going away; demand and pressure to adopt BYOD strategies are rapidly accelerating – for a good reason. Work from home is the norm. Mobility and convenience are now (thankfully) expected in the workplace. Not only do employees not want to go to offices, but they also don’t want to bring their laptops everywhere, and why should they? My favorite quote from the Covid era is from Salesforce Co-CEO Bret Taylor, who said, “Work is something you do, not somewhere you go.” We’re just beginning to realize the profound freedom from working wherever, whenever, and however you choose. It enables all of us to unlock our full potential, and BYOD plays an integral, if not central, role in this revolution.
So why now? What has materially changed to unlock the power of BYOD? Let’s begin with why BYOD hasn’t been viable until recently. In order for employee-owned devices to access enterprise applications, they often needed access to the corporate network. Hear those alarm bells? Yep, that’s your security team listing 1,001 reasons they won’t approve your phone, iPad, or laptop to join the network. Being on “the network” implies trust, meaning you can access private or otherwise sensitive, non-public data. Legacy architectures rely on the network itself to implement trust and control boundaries. This singular reason halted BYOD for many years. That era is over.
It’s worth mentioning that BYOD is not synonymous with unmanaged, a common misconception. BYOD speaks only to the ownership of the device, not the management thereof. The distinction is essential, as control of the asset is paramount, whereas ownership isn’t. However, managing personally owned devices is a careful balancing act between flexibility, control, and transparency. Successful deployments include self-service enrollment into corporate Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions, which manage corporate data and applications while keeping work data separate from personal data. Unmanaged BYOD devices aren’t precluded from enterprise use, but the efficacy of the controls available for them may not satisfy your risk tolerance; YMMV.
Accessing the corporate network is no longer a barrier. Instead of connecting BYOD to the corporate network, we simply connect named users to sanctioned applications. In a nutshell, this is zero trust network access (ZTNA). It provides secure, granular access based on a user's authorization tied to their identity. The network is nothing more than commodity transport. The user's location is irrelevant: coffee shops, home offices, airports – they’ll all work just fine and provide the same experience and security posture. Further, controls can be chained to provide conditional access based on device health, risk profile, and a growing ecosystem of telemetry, yielding an effectively infinite number of conditional access policies.
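To make the two preceding points concrete (ownership is not the same as management, and ZTNA decides per user and per application rather than per network), here is a small conditional-access policy engine. It is an added example written for this post, not code from the post or from any ZTNA vendor; the users, devices, applications, risk thresholds, and the mapping of an unmanaged device to an isolated browser session are all constructed assumptions. Note that neither the source network nor device ownership is an input to the decision: an MDM-enrolled personal laptop gets the same answer as a corporate one.

```python
"""Constructed conditional-access example in the spirit of ZTNA.

Access is decided per named user and per sanctioned application. The
network a request arrives from is deliberately not an input, and device
ownership (corporate vs. personal/BYOD) is recorded but never consulted;
what matters is whether the device is managed and healthy.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # direct access to the application
    ISOLATE = "isolate"    # allow, but only via an isolated browser session
    STEP_UP = "step_up"    # require stronger authentication first
    DENY = "deny"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset      # entitlements from the identity provider


@dataclass(frozen=True)
class Device:
    owner: str             # "corporate" or "personal"; informational only
    managed: bool          # enrolled in MDM/EMM
    disk_encrypted: bool
    os_patched: bool
    risk_score: int        # 0 (clean) .. 100 (compromised), from endpoint telemetry


@dataclass(frozen=True)
class App:
    name: str
    required_group: str
    sensitivity: str       # "internal" or "confidential"


# Assumed thresholds; a real deployment tunes these to its own risk tolerance.
RISK_DENY = 70
RISK_STEP_UP = 40


def device_healthy(device: Device) -> bool:
    """Health = managed plus basic hygiene. Ownership is not part of the test."""
    return device.managed and device.disk_encrypted and device.os_patched


def decide(user: User, device: Device, app: App) -> Decision:
    """Chain entitlement, risk telemetry and device posture into one decision."""
    # 1. Entitlement: the user must be authorized for this specific application.
    if app.required_group not in user.groups:
        return Decision.DENY
    # 2. Risk telemetry: a high score denies outright, whatever else is true.
    if device.risk_score >= RISK_DENY:
        return Decision.DENY
    # 3. Posture vs. sensitivity: unmanaged/unhealthy devices never reach
    #    confidential data directly.
    healthy = device_healthy(device)
    if app.sensitivity == "confidential" and not healthy:
        return Decision.DENY
    # 4. Moderate risk on an otherwise acceptable device requires step-up auth.
    if device.risk_score >= RISK_STEP_UP:
        return Decision.STEP_UP
    # 5. Internal apps stay reachable from unhealthy devices, but only through
    #    an isolated session so no data lands on the endpoint.
    if not healthy:
        return Decision.ISOLATE
    return Decision.ALLOW


def demo() -> dict:
    """Run the engine over constructed users, devices and apps."""
    alice = User("alice", frozenset({"engineering", "finance-readers"}))
    bob = User("bob", frozenset({"engineering"}))
    payroll = App("payroll", "finance-readers", "confidential")
    wiki = App("wiki", "engineering", "internal")

    corp_laptop = Device("corporate", True, True, True, 5)
    byod_enrolled = Device("personal", True, True, True, 10)     # BYOD, MDM-enrolled
    byod_unmanaged = Device("personal", False, False, True, 10)  # BYOD, never enrolled
    byod_risky = Device("personal", True, True, True, 55)
    byod_compromised = Device("personal", True, True, True, 90)

    return {
        "corp->payroll": decide(alice, corp_laptop, payroll),
        "byod_enrolled->payroll": decide(alice, byod_enrolled, payroll),
        "byod_unmanaged->payroll": decide(alice, byod_unmanaged, payroll),
        "byod_unmanaged->wiki": decide(alice, byod_unmanaged, wiki),
        "byod_risky->wiki": decide(alice, byod_risky, wiki),
        "byod_compromised->wiki": decide(alice, byod_compromised, wiki),
        "bob->payroll": decide(bob, corp_laptop, payroll),
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome.value}")
```

The ordering of the checks is the point: entitlement and hard-risk denials come first, then the posture-versus-sensitivity rule, and only then the softer outcomes (step-up, isolation). An enrolled personal device and a corporate device produce identical decisions, which is the practical meaning of "BYOD is not synonymous with unmanaged."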
Zero trust network access can expose new threats and challenges if not designed correctly. Administrators need to enforce new requirements for data protection and protect users from threats. Solutions for these challenges include Cloud Access Security Brokers (CASB), Cloud Browser Isolation (CBI), proxied access, or a combination of these capabilities.
Sooner or later, everything old is new again – BYOD is no different. The first iteration was mainly a failure in the enterprise, but we can get it right this time with a new methodology. I’d argue we must get it right, as allowing people to use the tools they are most comfortable with is how we'll get the most transformative, positive bang for the buck. As technologists, we must find ways to leverage BYOD to empower users, improve agility, and promote enablement for the purposes of unlocking our full potential.