06 May, 2012



BYOD and the security fun-sponge

Posted: 05 May 2012 01:21 PM PDT

The thinking is this: If your organization relents and lets employees use their own mobile devices for work, then there will be immediate cost savings, with the added benefit that people generally take better care of devices for which they are financially responsible.

The initiative is referred to as BYOD: Bring Your Own Device, and it has become a defining trend in the past year.

Unfortunately, despite the perceived upside, there is also considerable downside that can suck the fun right out of the approach.

That downside must be accounted for before unleashing the hordes. Allowing personnel to bring personally owned devices into a managed environment and (more importantly) allowing people to use these devices to access and store potentially sensitive business data opens the door to numerous additional costs.

Specifically, if the liability arising from increased legal and information risk is not accounted for, and no provision is made for controlling business data on mobile devices, support costs may rise. Here are a few suggestions on addressing these concerns.

Conduct a comprehensive risk analysis

There are three types of risk that should be considered when it comes to BYOD: financial, information, and legal.

Of these, the first (financial risk) is perhaps the easiest to break down. Oftentimes, this factor is where immediate perceived value is seen in implementing a BYOD policy because companies can baseline mobile devices as a fixed monthly cost.

However, based on a survey of over 100 companies earlier this year, the Aberdeen Group determined that organizations have underestimated the costs associated with BYOD, to the extent that an organization supporting 1,000 mobile devices through such a program is spending, on average, an extra $170,000 per year.

Analyzing information risk is often done poorly, or perceived as too difficult to do well. Fortunately, methods like Factor Analysis of Information Risk (FAIR) make a reasonable analysis achievable.

Specifically, considering just the loss magnitude side of an analysis can provide a quick reference point to identify potentially hidden costs.

FAIR looks at primary and secondary loss estimates under six categories: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgments, and Reputation.

With just a cursory review, it is not unreasonable to think that, while Replacement costs will go down (for the business), the Response costs are likely to increase, since performing a response on a personally-owned device can be more difficult.

Additionally, you may see higher expected losses from Fines & Judgments since the business is potentially sanctioning employees to take sensitive data outside the defined, controlled environment, leading to legal risk concerns.

A detailed legal risk analysis should be conducted to ensure that allowing business data to reside on non-business-owned devices does not, in fact, greatly increase legal liability.

For example, how do you deal with search and seizure? What about remote wipe of a device that negatively impacts an individual's data? Many questions should be considered as part of a legal risk analysis to ensure that moving to BYOD does not significantly increase legal liability.

Identify and communicate a legal strategy

Once it has been decided to move to a BYOD approach, it is absolutely necessary to ensure that this decision is incorporated into governing legal strategy. The strategy must include adding employee agreements that cover acceptable use, remote management and wipe capabilities, and appropriate data handling requirements, to name a few.

There are at least three main actions to undertake at this stage:

  • Ensure that the approach is legally defensible. A risk analysis may reveal increased risk factors for a BYOD program. Documenting a logically sound decision to move forward, as well as accounting for any advice offered by subject-matter experts, will be imperative in proactively preparing a defense should a BYOD-related data breach occur.
  • Ensure that agreements are signed and ironclad. Allowing personnel to have business data on their personal devices is not necessarily new, but having it be officially sanctioned likely is. The business will have to maintain a degree of remote management responsibility for the device (minimally, remote wipe). It must be made very clear to the employee that their device is being managed, and privacy rights must be clearly delineated.
  • Ensure that awareness programs address the topic. Once new policies and practices are in place, it is important to launch an awareness program to proactively educate personnel on their rights and responsibilities. The goal is to set expectations, as well as to guide personnel to approved processes for participation in the program.

Deploy mobile device management

Finally, it is important to choose mobile device management (MDM) software that will be able to support multiple device types.

In moving to a BYOD policy, the organization must grapple with having less (if any) control over the selection of devices. Personnel are more likely to trend toward popular devices, which can be both good and bad.

On one hand, newer devices are more likely to support management software. On the other hand, devices may initially be too new to support the MDM software.

It is important to understand the market when reviewing MDM solutions to ensure that they support a broad range of products. Today there are at least four mobile device platforms to consider: Apple iOS, Microsoft Windows Mobile, Android, and RIM BlackBerry. Each platform has unique attributes and separate codebases.

MDM software should minimally provide remote wipe capabilities, and will ideally include additional capabilities to help track data and applications. Solutions may also provide additional security capabilities like AV, backups and secure file-sharing.

Moral of the story: Look before you leap

Allowing personnel to bring their own cutting-edge mobile devices into the enterprise can seem quite alluring for reducing business expenses. However, a quick analysis may prove otherwise.

Despite potential benefits (e.g., responsible handling of devices) and increased personnel happiness, the increased risk could have grave consequences. If an organization decides to move forward with a BYOD program, it should take proactive steps to ensure that proper legal agreements are in place governing participation in the program, as well as in deploying MDM solutions that can reduce information risk exposure.

The decision to move forward with BYOD should not be taken lightly and should be as well informed as possible.

Ben Tomhave helps global enterprises, SMBs, and service partners with integrated governance, risk, and compliance in his current role as Principal Consultant for LockPath, a GRC software company. He is a Certified Information Systems Security Professional, co-vice chair of the American Bar Association Information Security Committee, member of ISSA, and member of the IEEE Computer Society. Prior to his current endeavors, Ben has worked in a variety of security roles for companies including BT Professional Services, AOL, Wells Fargo, and Ernst & Young.

Top image courtesy of igor1308, Shutterstock

Filed under: enterprise, mobile, security


Why geeks (and other lean machines) need high-intensity workouts

Posted: 05 May 2012 12:53 PM PDT

I just wrote a book called Fitness for Geeks, so as you can imagine, I get a lot of health and exercise questions from people who want highly technical answers. For example, I was recently asked, “What’s the best form of exercise for losing weight?”

The question itself is a little misleading because, despite the popular wisdom, you can’t really lose weight via the “burning off of calories by exercising as much as you possibly can.” This is because the vast majority of people simply put the calories back on after long workouts. It’s not their fault or a sign of a lack of willpower — the body is simply a smart system that is very efficient at retaining and replacing stored calories.

Let’s do the math. You’re a hardcore runner who jogs 30 miles a week, five six-mile runs on average. You finish a six-mile run in a little less than an hour, less than 10 minutes per mile.

Based on my vast experience as a runner geek, I’d say you’d expend roughly 500 calories during this training session (running all-out for an hour will expend about 700 kcal).

However, this calorie amount includes your basal metabolic rate (BMR) — what you would have expended by remaining stationary for that period. For me, the BMR for a 55-minute period is about 65 calories. So the run actually only burned off an extra 435 calories. This still sounds like a lot, huh?

But you’re hungry afterwards, right? Running for almost an hour? Possibly not at the moment, but certainly an hour from then. So you slam a banana (a healthy treat to replace the lost potassium, but fructose-packed and calorie-rich) and an energy bar.

One medium banana (105 cals) and the bar (about 220 cals) means you’ve just replaced 75 percent of the expended calories, and that doesn’t include anything eaten before or during the run. You also might leap onto the weight scale after the run to ogle the pounds you just lost, but the scale is probably sending more of a message about dehydration than anything else.

There are other things going on. Most of what you burned off during the run was probably glycogen, a form of starch that’s stored in the liver and skeletal muscles, and the body preferentially replaces that with carbs or glucose eaten after endurance-type exercise. You might have also tapped into the fat stores inside the muscle itself.

These are two places (glycogen and the fats the muscles use for energy) where you don’t really mind having energy depots. In fact, they represent essential energy sources for the body.

Getting back to the original question, how does exercise contribute to weight loss? By improving your metabolism in the long run. A person won’t lose weight until they move into a healthy metabolic realm. This means they want to retain sensitivity to their own insulin, and not develop insulin resistance.

When you embark on a high-intensity exercise session, such as sprinting and lifting heavy weights, you use the more powerful Type II muscles (e.g., the quads and the hamstrings). The glycogen in those muscle cells is expended (as it generally isn’t completely by jogging), and the muscles retain their insulin sensitivity at the same time as they pull glucose out of the bloodstream to replace the lost glycogen.

That’s a simplified description of a very complex and efficient mechanism in our bodies. With better insulin sensitivity you will develop lower fasting insulin levels, and your body is less likely to be in fat-storage mode all the time. The actual calories you burn off during the sprint or weight-lift are almost beside the point.

As a person with healthy, low fasting insulin and glucose levels, you will also not experience the constant hunger pangs throughout the day that are so familiar to many of us. You will only eat when you are experiencing actual hunger (admittedly, an elusive concept) and are in need of calories to fuel your brain, for instance. Intermittent fasting also helps promote a fitter metabolism.

The book goes into greater depth on all these issues, and I will expand upon them here in the near future. However, a sprint session once a week and a high-intensity weight bout once or twice a week represents more than a good beginning.

Imagine that you want to optimize the gas mileage you’re getting in your car. The typical strategy that you would use is maintaining the efficiency of the engine and the physics of burning as little gasoline as possible, and this is an apt metaphor for helping optimize your body’s metabolism.

Bruce W. Perry played college soccer in New York, then amidst a varied career in journalism and software engineering finished literally (ask his knees!) hundreds of road races and multisport events. He’s since moved on to family life and recreational alpine hiking, skiing, and resistance training. He wrote two recent software books for O’Reilly Media. After an unguided youth, the author hangs out weightlifting in gyms again, and climbs with guides now, recently Piz Palu in the Swiss Alps, Mt. Whitney’s Mountaineer’s Route, and Mt. Rainier. The Jungfrau in Switzerland is next up.

Filed under: VentureBeat


Facebook buys Glancee, another app to beef up its mobile side

Posted: 05 May 2012 12:16 PM PDT

We’re guessing the price tag on this deal was slightly less than the $1 billion it paid for Instagram, but Facebook has indeed bought up Italian startup Glancee.

Glancee is an iPhone and Android app that “helps you discover and connect with new interesting people around you.” The concept may sound like the sea of sameness that mobile/social apps are these days, but the app itself was quite pretty, as you can see below.

Unfortunately for the app’s users, this was a talent grab. It looks like Facebook is shutting Glancee down; users are being offered the chance to download their data, and the app has been yanked from the App Store and Google Play’s Android apps section.

The app hadn’t seen too much traction but had garnered some favorable mentions from Silicon Valley early adopter types such as Robert Scoble.

On its website, the Glancee team writes:

We started Glancee in 2010 with the goal of bringing together the best of your physical and digital worlds. We wanted to make it easy to discover the hidden connections around you, and to meet interesting people. Since then Glancee has connected thousands of people, empowering serendipity and pioneering social discovery.

We are therefore very excited to announce that Facebook has acquired Glancee and that we have joined the team in Menlo Park to build great products for over 900 million Facebook users. We’ve had such a blast connecting people through Glancee, and we truly thank our users for being a part of the Glancee community.

“We can’t wait for co-founders Andrea, Alberto, and Gabriel to join the Facebook team to work on products that help people discover new places and share them with friends,” said Facebook reps in a statement.

Filed under: deals


Here’s how much WE would pay for Facebook stock

Posted: 05 May 2012 11:40 AM PDT

What a week it has been. Here’s what we’re covering in the weekly roundup:

Enjoy your weekend, and no matter how tempting it may seem in the moment, don’t run with scissors. We’ll see you again next week!

Filed under: video
