BYOD: How Stickers On Smartphones (Do Not) Secure Intellectual Property.

Forrester Research sent out a press release a couple of weeks back, noting how MDM is a “heavy-handed approach” to BYOD security.  They also noted that IT professionals will move away from MDM because “they don’t want to manage employee-owned devices” and will be looking to mobile virtualization.

I have a different opinion on this.

Security Stickers to the Rescue?

I was talking to a buddy of mine who works for a semiconductor firm (which will go unnamed).  He showed me a sticker that was covering his smartphone’s camera and mentioned how BYOD was making inroads into the workplace.  Overall, he was happy about using his personal device at his job, but also noted how the security in place was for show only.

I inquired whether they were using a mobile device management solution or something along those lines.  He said that they weren’t (he’s not with IT, so there’s always the possibility that there is a data loss prevention solution in the backend coordinating information security).  The only things that this particular company was using as “protection,” he said, were stickers that were placed over the smartphone’s camera to prevent information from leaking via snapshots.

Now, the thing about these stickers is that they can only be used once.  They’re relatively hard to peel off and, once off, they won’t stick to anything else.  The way it works: before he goes into a zone where cameras are forbidden, a guard physically checks to make sure there is a sticker over the camera; if there isn’t one, a sticker is affixed.  The guard also checks cameras when people are leaving.  It’s up to the employee to peel off the sticker; some keep it in place until they need to use the camera.

Why this fails as a security measure:

(1) Peel off the stickers enough times and you’ll have enough gluey residue that remains behind on the smartphone that allows one to re-use a sticker (or stick any other thin material like paper) at will.  Since guards only make sure that the sticker is in place (and don’t pull on it to test its strength), it’s not as effective as it looks.  

(2) My particular friend uses one of those smartphone cases that come with a flap (like a book).  The guards always check the rear-facing camera but don’t seem to realize that there is a front-facing camera underneath the cover.  There is nothing that prevents him from using this camera.

Virtualization/Containerization Good but Something Needs to Back It

And this is why I don’t think that MDM will be pushed aside even as companies opt for mobile virtualization or containerization.  Containerization has its share of problems, certainly.  I’ve heard plenty of stories of a particular containerization solution that’s not Bad.  From a purely logical standpoint, containerization is an elegant solution to the problem of mixing personal and corporate information on a person’s device.

However, the truth of the matter is that, no matter how elegant the solution, at one point hands will have to get dirty.  Even if virtualization or containerization is used, how does one prevent data leaks like the one at my friend’s company?  The only way is to go in there and disable the employee’s camera, at least while on the job.

Related Articles and Sites:

Comments (0)

Let us know what you think