As part of the conference I was on a panel this morning about Defending the Device. Other panelists included people from Lookout, Okta, and Good. The panel focused on protecting consumers and protecting enterprises from BYOD.
Some key takeaways...
Good made the point that it isn't the device we are protecting, but the data on the device. While I agreed with that, I pointed out that we also need to protect functionality on the device. If a criminal gets malware on a device, they will use that malware to access data, but they also use the malware to interact with applications that are on the device. It's critical that we understand that the value of compromising a device isn't just in the data on the device but in how the device can be used for nefarious purposes.
One thing that was very interesting in the discussion was the stance of the panelists on whether or not IT departments should allow BYOD. The overwhelming response from the panelists was "absolutely". This surprised me in that these were security professionals essentially saying "go ahead and take risks".
The follow-up to that comment was that the IT departments should be sure they have transparency into what is going on through the devices. I call this "trust but verify".
As we move forward with BYOD, I think we will see a shift in posture. Right now there aren't a lot of threats. As attacks against BYOD increase and get publicized, I predict BYOD will get locked down more than it is today.