Platt Perspective on Business and Technology

Navigating bring your own cloud as an emerging trend 3: thinking through the parameters for more effective resolutions to this 2

Posted in business and convergent technologies by Timothy Platt on November 19, 2013

This is my third installment in a series on an emerging face to the Bring Your Own Device, or BYOD phenomenon in which employees use their own personal computer and communications devices for their work (see Part 1: identifying and thinking through the basic challenge and Part 2: thinking through the parameters for more effective resolutions to this 1.)

I began this series with a more general discussion of information security and ended Part 2 by stating that I would focus more specifically on business practices in this installment. And that is my goal here:

• Generally stated information security goals and principles, and overall intent to protect data confidentiality can only offer real value, or hold real meaning to the extent that they are translated into actionable business processes and practices that are monitored and enforced for compliance.

This posting is about taking the basic, general principles that I noted in Parts 1 and 2, and making them sources of realized value and due diligence strength for the business organization. And to bring this entire series discussion into sharper focus here:

• Concerns about bring your own technology, or bring your own devices as this phenomenon is also called, are essentially entirely concerns over data access and control – always.

The most expensive high end laptop computer might cost a business on the order of a thousand dollars or so, or even up to several thousand US dollars depending on what software and hardware add-ons are included. The hard drive storage on even a modest or low-end laptop computer is quite capable of holding types and volumes of that business’s confidential and proprietary information that, if misdirected or misused, could cost the business millions or even put it out of business entirely.

I could cite any of a discouragingly large number of instances where private sector employees have lost laptop computers and other devices that they had loaded large numbers of personnel record files onto, or customer data files with information on all of those people that could be used for identity theft purposes. This has been a commonly recurring theme in the news, both in the United States and elsewhere. Instead, I will make special note of a public sector breach of information security of this type, with the now well established story of John M. Deutch and his practice of bringing highly classified documents home with him on his personal laptop computers while Director of the US Central Intelligence Agency (DCI).

Deutch was and is very intelligent and very experienced; he served as a Deputy Secretary of Defense from 1994 to 1995, and was then advanced to hold the top leadership position with the Central Intelligence Agency. Why would he do this? Why would someone with the knowledge and experience that he had, systematically and repeatedly perpetrate a significant and serious breach of national security in this way? I would argue that the basic underlying reason for his actions goes to the heart of the policy and practice issues that I would write of here.

• Bring your own cloud simply enables employees to take business information and even highly sensitive information with them, for use on their own devices and without having to even bring their own hardware to work with them in the first place. This simplifies and streamlines the process of alternative access and use that for Deutch could only be realized by literally bringing his own hardware in through security.
• And ultimately, the only real justification that Deutch gave, which I am essentially positive was his real reason for doing this, was that the computer hardware and software that he was provided with on the job for doing his work was so limited and out of date that the only way he could perform effectively and meet his job responsibilities was to bring his work home with him and do it on his own equipment.

I have written elsewhere and at other times about the technology acquisition and due diligence security vetting process in place in the US national security establishment, and how vetted and accepted technology can be so out of date by the time it is allowed in that it creates more barriers to productivity and effectiveness than it does solutions to them.

For purposes of this posting and this series, I could start a discussion of bring your own cloud, or of any potential source of information security breach, from either of two directions: the information and who can access it and for what, or the hardware, software and work schedules through which employees would access and work with that data. Most of the time this type of discussion starts with a focus on the technology, but from the perspective of adding in data encryption layers and other technical fix solutions. I take a completely different approach here and begin by noting that:

• The most important tool or approach that a business or organization can take in limiting due diligence risk from loss of control over critical data is to develop business model approaches and implementations, and to offer employees the tools they need to comfortably and effectively do their work at work, and at the very least on business-owned and maintained equipment.
• You can, in the specific instances of this series discussion, best reduce the risk of loss of control over your critical information by limiting the likelihood that an employee would even want to put business-owned information resources in their personal cloud storage.
• Then add in carefully designed password access protection, and if appropriate biometric identification as an added access control layer. And add in those hard drive and individual file encryption protocols and tools to cover for possible consequences from the loss of a business-owned laptop or other more portable hardware platform – or from illicit downloading and data use by an unauthorized employee with a personal agenda, even when seeking this unauthorized data access while physically at their employer’s place of business. Then add in tracking software if you see need to take the technical solutions component of your overall due diligence response to a next level, so that a downloaded sensitive file will try to “phone home” and notify the owning business of its IP address or its physical location if it is opened, or an attempt is made to open it, in ways that do not meet specific approved guidelines for access and use.
• But at least begin this risk remediation process by systematically reducing the perceived employee need and incentive to bring their work home with them, or to bring their access to sensitive business information into their personal equipment or their personal online storage space.

I fully expect to come back to the issues that I have touched upon in this discussion, and repeatedly, as new technologies and new applications for them make the barriers to business control and oversight of its critical information more and more porous. Meanwhile, you can find this and related postings and series at Ubiquitous Computing and Communications – everywhere all the time 2 and also see my first Ubiquitous Computing and Communications directory page.
