Legal Considerations of BYOD for the IT Pro

Take My Wife . . . Please! Okay, so it’s an old joke.  And, I’d venture that many of you reading this may not understand my reference to Henny Youngman, dubbed “the king of the one-liner” by Walter Winchell.  In fact, my own CTO admitted that he had to google the phrase to understand it. But, I digress.

So, why did I pull this out of the “old joke archive” to introduce a blog about the legal aspects of BYOD?  It’s simple, really.  It’s because in the world of BYOD, there is a lot of FUD being spread around about what enterprise IT can or will do with your personal data, all in the interest, of course, of selling you software that protects you from this problem . . . oh, wait, um, protecting your privacy and making sure you don’t lose that photo of Sally’s last lacrosse goal or that video of Johnny’s recent piano recital. So, I’ve stepped back up on my soapbox to say, “Stop with the FUD about how your personal data is going to be ‘owned’ by your employer,” and let’s talk about an aspect of BYOD that doesn’t get enough attention – legal liability.

Before I go any further, my legal advisor (aka, me) requires that I provide the following disclaimer “I am not a lawyer and my comments are NOT intended to give legal advice or to replace the advice of your legal counsel”. That said, here are some thoughts on the legal aspects of BYOD.

To begin, BYOD is here already and it’s here to stay – whether you want to admit it or not. So, if you’re a corporate IT/security professional and you’re not proactively dealing with employee-owned devices as part of your day-to-day responsibilities, you’re needlessly exposing your company to increased risks with legal ramifications.

Don’t believe me?

Following is a partial list of Federal laws and regulations which directly impact BYOD – the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act (GLBA), and the requirements of the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission.  A number of state-enacted laws and regulations have similar requirements.

So, what’s a corporate IT security professional to do?  Well, there are a number of things:

  1. Set policies and standards around what comprises acceptable devices, networks and service plans, how to configure and enroll acceptable devices, and the support parameters. This should happen BEFORE allowing BYOD to the extent possible (or you may find yourself with the same problem IBM had a few months ago when, after OK’ing BYOD, it subsequently discovered that 100,000 employees were using DropBox to store company data).
  2. Define security standards such as the minimum security required to access corporate networks, authentication parameters, how to deal with (and report) lost passwords and lost devices and what to do when an employee leaves the company.
  3. Define privacy standards.  Specifically, make it clear that, by policy, corporate data (what’s important to corporate IT) is segregated from personal data.
  4. Monitor compliance with established policies and standards.

BYOD does not have to expose the corporation to unacceptable risks if corporate IT/security administrators take straightforward actions to minimize them.  These actions include, among other things, an assessment of how BYOD users will use their devices and identifying the possible risks associated with the individual use cases; implementing security policies, keeping them up to date, and making employees aware of such policies; using easy-to-comply-with and easy-to-administer security technologies; and monitoring compliance with policies, with appropriate remedial actions taken when non-compliance is discovered.

Oh, and just to re-emphasize my earlier premise: I don’t want to see the photos of your family vacation, videos of your kids doing the Harlem shake or, God forbid, “cute” pictures of your cat.  Your enterprise IT security professional doesn’t want to either.

Why SpydrSafe?

The following excerpts were taken from an interview with SpydrSafe co-founder and CTO, Kevin Sapp, discussing mobile security and app control. He was asked to answer a few questions about how SpydrSafe is addressing some of the big security issues surrounding the use of BYOD/corporate-owned smartphones and tablets in the enterprise.

Interviewer: A lot of MDM companies are talking about how MDM solutions can securely enable BYOD/the use of corporate-owned smartphones and tablets in the enterprise. Would you care to comment?

Mr. Sapp: I view MDM solutions as mobile-oriented versions of traditional end-point management systems – that’s what MDM was intended to do and that’s what it does well. Remember, I built an MDM solution that was sold to McAfee/Intel in 2010, so I understand the problem space and the technology. The issue with MDM is that it does little to address application and data security. It doesn’t separate personal and corporate apps and data. Enterprise mobility isn’t really about devices per se. It’s about mobilizing applications and data to make employees more productive.

Interviewer: So, given the risk to the enterprise, how have these devices been “allowed” (for lack of a better term) to gain access to sensitive corporate information with no (apparent) security controls?

Mr. Sapp: That’s an interesting question – I think it’s related to a phenomenon I call “app creep”. In the early days of enterprise mobility there were only a handful of smartphones available and a handful of people using them. To the enterprise IT department, the issue was one of managing devices and enabling them to connect to basically only one enterprise app – email. For a while, people were only lighting up email. But, a couple of things happened pretty quickly and at about the same time which changed the playing field – there was a rapid proliferation of enterprise-oriented apps, and many of the data services to which these apps connected were no longer in the enterprise datacenter – they were in the cloud. Probably the two best known of these cloud-based enterprise apps are Salesforce for CRM and Box (or DropBox) for content management. Add into the mix the substantial penalties associated with violations of Sarbanes-Oxley rules and the increased enforcement by the U.S. Department of Health and Human Services of the Health Information Privacy rules under the HIPAA regulations, and what resulted was a “perfect storm” vis-à-vis the problems being created for enterprise IT, whose responsibility was to safeguard the corporate and other information. It is these security issues that SpydrSafe’s mobile app security solution addresses – issues that are not and cannot be addressed through simple MDM solutions.

Interviewer: Can you give me an example of how you address these security issues – a practical one?

Mr. Sapp: Sure. Here’s a simple example of a data breach that SpydrSafe deals with – breaches that occur across corporate America all the time. I have a smartphone that has a native email client on it which is connected to my corporate exchange server. I receive an email with a sensitive document attached, like a patent drawing, or an HR related file, or a patient chart – a document that shouldn’t leak outside of corporate control. When I open this document on the device, it’s very easy to “share it” to another application. I can even share it via Bluetooth in some cases, or save it to an SD card. In this example, however, I share it to a consumer app like Evernote. Once I do this, Evernote automatically backs it up to the cloud! The enterprise data has left the building, so to speak, and that, under Sarbanes-Oxley or HIPAA or most any well-structured enterprise security policy, is a data breach – a reportable breach as well. I’m not picking on Evernote, this problem holds true for many apps – Sugar Sync, Dropbox, Twitter, you name it.

Interviewer: So, how does SpydrSafe solve this problem and why aren’t MDM players doing enough to solve this problem in your opinion?

Mr. Sapp: Let me answer the easy question first – MDM companies don’t solve this problem because their function is essentially to configure mobile devices. They do little to secure the data or the apps on these devices. What SpydrSafe does to solve the problem is to control the behavior of the apps that operate on the devices – what apps can and cannot do, whether apps can or cannot share information, and so on. Since we control the behavior of the apps, we control the data to which the apps have access. That’s the fundamental differentiating factor that makes SpydrSafe a unique capability.

Interviewer: Can you be specific? For example, in the “breach example” you just explained, what does SpydrSafe do?

Mr. Sapp: Of course – in the case of a sensitive document attached to an email, we would specify in the policy that manages the email apps on the device that email is a “protected app”. Therefore, a user would not be able to share data out of email to an unprotected app, like the consumer app. If they attempt to do so, we block that action locally (on the device) and present a training message to the user that this action is prohibited by IT policy.

Interviewer: Okay, so what’s to stop a user from just forwarding the email to an “unauthorized user” or location? How does SpydrSafe prevent that?

Mr. Sapp: That’s a simple answer – we don’t prevent that because that’s not our job. There are a number of well-known companies who sell Network DLP solutions, and that is what Network DLP does. It monitors documents moving around in the enterprise, and Network DLP controls that. Where the problem lies is at the mobile end-point. If you have applications on devices and they are sharing among each other locally or via personal networks, like Bluetooth, NFC, etc., that doesn’t traverse the enterprise network, then the network DLP does not see that action. That’s where SpydrSafe comes in – we are complementary to Network DLP solutions.

Interviewer: There are several well-known companies offering so-called “secure container” solutions who say that they handle “mobile DLP”. Would you agree with their self-assessments?

Mr. Sapp: There are a number of companies that describe themselves as mobile DLP companies trying to solve this problem with containers or “sandboxes”. These products provide varying levels of data security. However, this approach is not a good general-purpose solution to securing the wide, and rapidly expanding, variety of apps being used in the enterprise. They have a fundamental scaling challenge in that it is not feasible for them to provide secure versions of all possible enterprise apps.

Interviewer: Okay, so how about so-called, “app wrappers”? They seem to have solved this problem in a different way. But, something tells me you will have some thoughts on ‘app-wrappers’ as well.

Mr. Sapp: Now, why would you think that? (smiling) To provide context, ‘app-wrappers’ take a custom app that has been developed by IT for internal use and “wrap” it with security controls to provide similar types of data leakage and app control features one might find in container solutions. The problem with app-wrappers is that they are limited to applications that are developed “in-house”. They don’t work with native apps (apps on the device when you buy it) or apps downloaded from the commercial app stores. A huge limiting factor unless you want to build every app you ever use on a mobile device.

Interviewer: Thanks Kevin. It has been interesting and informative. Any final thoughts?

Mr. Sapp: Thanks – I appreciate your time. I hope I was able to clarify what can be a confusing market given all of the claims that are being made by the various vendors. So, let me close with this:

Our core value and fundamental differentiating factor versus other solutions in the market is that SpydrSafe manages the behavior of apps on smartphones and tablets – any app on those devices, regardless of whether it’s baked into the phone, downloaded from an app store, or developed in house. The solution has applicability to both BYOD and corporate-owned devices in the workplace. The technology provides data leakage prevention, app whitelisting, blacklisting, malware prevention/avoidance, etc. SpydrSafe’s mobile app control platform is powerful and far surpasses the capabilities of containers, virtual desktop infrastructure solutions, mobile device management, mobile application management and app wrapping solutions. Thank you.
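The protected-app control and the network DLP blind spot described in the interview, modelled as an added example (this is not SpydrSafe code; the app names, channels and policy are constructed assumptions):

```python
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    """Path the data takes; only NETWORK crosses the enterprise network."""
    NETWORK = "network"
    INTENT = "intent"        # local app-to-app share on the device
    BLUETOOTH = "bluetooth"
    SD_CARD = "sd_card"


@dataclass(frozen=True)
class ShareEvent:
    source_app: str
    destination: str         # receiving app, or a local sink such as "sd_card"
    channel: Channel


# Constructed policy: apps that hold corporate data are "protected".
PROTECTED_APPS = frozenset({"corp_email", "corp_docs"})
TRAINING_MESSAGE = "Sharing out of a protected app is prohibited by IT policy."


def evaluate_on_device(event, protected=PROTECTED_APPS):
    """Endpoint control: local shares out of a protected app may only land in
    another protected app; anything else is blocked on the device with a
    training message. Network egress is deferred to network DLP."""
    if event.channel is Channel.NETWORK:
        return "defer", None
    if event.source_app in protected and event.destination not in protected:
        return "block", TRAINING_MESSAGE
    return "allow", None


def network_dlp_sees(event):
    """Network DLP inspects only traffic that traverses the enterprise network."""
    return event.channel is Channel.NETWORK


def audit(events, protected=PROTECTED_APPS):
    """Per-event disposition under both controls, plus the list of corporate
    data flows that network DLP alone would never see (the endpoint gap)."""
    rows = []
    for e in events:
        decision, _ = evaluate_on_device(e, protected)
        rows.append({
            "event": f"{e.source_app} -> {e.destination} via {e.channel.value}",
            "on_device": decision,
            "network_dlp_visible": network_dlp_sees(e),
        })
    blind_spot = [r["event"] for r in rows
                  if r["on_device"] == "block" and not r["network_dlp_visible"]]
    return rows, blind_spot


# Constructed sample events modelled on the breach example in the interview.
SAMPLE_EVENTS = [
    ShareEvent("corp_email", "evernote", Channel.INTENT),
    ShareEvent("corp_email", "bluetooth_peer", Channel.BLUETOOTH),
    ShareEvent("corp_email", "sd_card", Channel.SD_CARD),
    ShareEvent("corp_email", "corp_docs", Channel.INTENT),          # allowed
    ShareEvent("corp_email", "external_mailbox", Channel.NETWORK),  # DLP's job
    ShareEvent("evernote", "dropbox", Channel.INTENT),              # personal data
]

if __name__ == "__main__":
    rows, blind_spot = audit(SAMPLE_EVENTS)
    for r in rows:
        print(r)
    print("blocked on device, invisible to network DLP:", blind_spot)
```

The three local shares out of corp_email are exactly the flows that never touch the enterprise network, which is the gap the interview says endpoint app control fills.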


Malware, Schmalware!

For those Shakespeare aficionados out there, the quotation “The lady doth protest too much, methinks” comes from Hamlet.  The phrase has come to mean that when someone insists so passionately that something is “true”, people suspect exactly the opposite.  As an aside (something Shakespeare loved to do in his writings – and, before some wise guy tries to invoke the Lloyd Bentsen “gotcha” as in the VP debates of 1988, no, I am NOT likening myself or my writing to Shakespeare), the word “protest” in Shakespearean days did not have its current-day meaning but, rather, meant “affirm” or “avow”.  Substituting either of those words into Shakespeare’s famous quotation actually makes its current-day interpretation more understandable, doth it not?

Fast forward from Shakespearean days to the present, where ‘doom and gloom’ pundits feed us with a constant, overwhelming stream of warnings about how corporate America or our national security system or, heaven forbid, “the internet” will be brought to their respective knees by a massive attack of malware from Android devices.  The FBI and the National White Collar Crime Center, in the form of the Internet Crime Complaint Center, have now gotten into the act with their (poorly written) “Intelligence Note” issued on October 12th that warns against Loozfon and FinFisher malware which “are attacking Android operating systems for mobile devices [sic]”.  To those ‘Chicken Littles’ I say “Thou doth protest too much, methinks” or, as I like to put it, “Malware, Schmalware”.

If one digs into what IC3 reported, we find that Symantec has documented fewer than 50 instances of the Loozfon program, and FinFisher has been ported to all the major mobile devices, including Android, Blackberry, and the iPhone.  So why is IC3 characterizing Loozfon, with fewer than 50 reported instances, as an Android problem and FinFisher as an Android-ONLY problem?  Because Android malware is “in the news”, and both the media and companies that sell ‘anti-malware’ software like to sensationalize issues that either generate readers of their media or buyers of their software (I know, I can hear you now saying “media companies and marketing execs who sensationalize issues that benefit their agenda, go on!”).

I note with some degree of amusement that one of IC3’s “Safety Tips” suggests that “if you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.”  The problem is, factory reset doesn’t erase the SD card, and that’s where most of the data is stored on an Android device.

So, why am I, the CEO of a mobile DLP and app control company, blogging about malware being a totally over-hyped problem?  Doesn’t this add to the FUD in the marketplace, thus making it easier to sell our mobile DLP solution?  In a word, “no”.  What the hype and FUD does do, however, is to create a huge distraction from the important things that an enterprise IT security person should worry about.  As Joshua Corman, director of security intelligence at Akamai, said: “I do think the hype is a huge distraction. It’s hard enough to spot the right priorities.  Just because something is sensational and headline grabbing doesn’t mean it’s the most important thing for you.”

I couldn’t agree more.  According to a Symantec study, the average organizational cost of a data breach is $5.5 million (or $194 per compromised ‘record’).  The study also shows that ‘negligent insiders’ remain the number one cause of enterprise data breaches.  To be fair, the study also ranks malicious attacks as the 2nd leading cause, and malware is one of the many ways (in addition to viruses, Trojans, worms, malicious insiders, device theft, phishing, SQL injection, web-based attacks, and social engineering) that malicious attacks are orchestrated against the enterprise; but, again, the preponderance of the evidence shows that malware instances on mobile devices are simply not currently a significant issue.

Or, put differently, Malware, Schmalware!


Time for some Fact Checking in the Mobile Security Space

One can’t have watched (suffered through?) the Republican and Democratic National conventions without having heard the term “fact check” used over and over and over again by every television, radio and print journalist reporting on what was being said by members of both parties.

The Daily Show, Jon Stewart’s fake news program, had a regular spot during the conventions on what facts had been checked each day.   And, during Tom Brokaw’s guest spot, Stewart (FINALLY!) made the insightful comment “didn’t we used to call these people (fact checkers) ‘journalists’?”, correctly pointing out that the job of an investigative journalist is (or used to be) to get to the facts – NOT to simply report what someone had said and then delegate the pursuit of truth to “fact checkers”.

It is against this backdrop that I concluded that it’s about time to do some “fact checking” on claims being made by companies in the mobile security space related to their products’ DLP capabilities.  As the CEO of a company with the ONLY true mobile DLP solution in the market, it is with much interest that I continue to see marketing press from companies who claim to solve the mobile DLP problem.

So, let me steal a line from Dragnet’s Sergeant Friday (Jack Webb, one of my favorite character actors of all time), and say that when it comes to Mobile DLP claims I’d like “Just the facts, ma’am, just the facts”.

CLAIM – Mobile Device Management (MDM) companies say “We do DLP” (data loss prevention – the ability to protect corporate data on smartphones and tablets).

MDM companies do exactly what their name suggests – they manage devices, not the data on those devices.

CLAIM – MDM protects corporate data on smartphones by sending a remote wipe command to the phone in the event it is lost or stolen.

Remote wipe (actually, a factory reset command sent over the air to the phone) will erase the data stored in the device’s memory. However, in the case of Android devices, most data is stored on the phone’s SD card, and the SD card is not erased by the factory reset command.

CLAIM – So-called “app wrapping” companies protect corporate data on smartphones.

This is true ONLY if the corporate data you want to protect just happens to be in those apps that are “wrapped”.  Otherwise, it’s not protected.  And app wrapping has inherent limitations – for example, app wrapping doesn’t work for pre-loaded apps, like native email, or third-party apps downloaded from commercial app stores, and you run into problems upgrading wrapped apps (to be clear, you CAN’T upgrade them without re-wrapping).  Besides, we at SpydrSafe are “ROCKERS”, not “WRAPPERS”.

There are a number of other claims out there – and, like much of what we heard during the National Conventions, many are downright false or at best partially true.  So, what needs to be done is to look at all the available solutions on the market and choose the one or ones that provide the security you’re looking for.

FINAL CLAIM – SpydrSafe Mobile Security’s Mobile DLP solution protects sensitive data on smartphones and tablets by controlling the apps on that device – any app, whether pre-loaded, commercial or developed “in-house”, with no app or OS modifications and with no OEM or ISV relationships required.

Of course, don’t just take my word for it, check the facts.

I’ll take Sully every time

This is my first official blog as “Adult Supervision Guy”.  Given the importance of getting off to a good start, perhaps I should have chosen a different topic.  But, given my moniker, I couldn’t let recent comments by a well known venture capitalist on the age of entrepreneurs pass by without offering a “second opinion” (as in “you want a second opinion? okay, you’re ugly too”).

I’ve been involved in the world of venture capital backed start-ups for over 16 years.  I’ve worked with a multitude of very smart and, for the most part, very young entrepreneurs. To paraphrase one of my favorite past presidents (well, I liked Bedtime for Bonzo anyway), I tried not to hold their youth and inexperience against them . . . but sometimes, it was, um, difficult.

A company run by a smart and enthusiastic but inexperienced entrepreneur is like a commercial airliner being flown by a smart and enthusiastic but inexperienced pilot.  As long as the aircraft is on “autopilot” things will probably be okay, but if we hit a flight of geese on take-off (let’s not, shall we?), I’ll take Sully every time.

What’s important in an entrepreneur is not her age, but her passion for what she’s doing combined with a healthy dose of “I am not the smartest person in the room”. Just as the African adage says “it takes a village” to raise a child, I believe it also “takes a village” to raise a company. So, the bright, young entrepreneur who enlists the help of experienced entrepreneurs (who might also just happen to be north of their twenty-ninth or thirty-ninth or forty-ninth or even fifty-ninth birthdays), is likely to be much more successful than one who thinks that “Founder Knows Best”. After all, why do you think they call it “founder”?

May all of your flights have Sully in the cockpit.