A somewhat rhetorical question really. Much like which came first, the chicken or the egg. In his ThreatPost article, George Hulme highlights the challenges and risks associated with allowing consumer-owned devices (phones, laptops, netbooks, tablets) onto corporate networks.
Realistically, consumer devices and applications are both high risk with the devices presenting slightly less risk than the personal applications (social networking, webmail, IM, media, etc) that are in use. Several reasons for this line of thinking:
- Personal applications are in use, plain and simple. And they are a very target-rich environment for cyber-criminals and their stealthy malware. Cyber-criminals have adapted to new user and application behavior patterns; criminals know which applications are hot and they know how to get a user to “click here”.
- The applications are difficult or impossible to control by IT. Many are web-based but are client-server architecture. Others hop ports or use encryption. And none of the firewalls or other tools can effectively see them, or who is using them, leaving IT to allow them wearily.
- The applications (like the devices) would be used regardless of control efforts. Assuming IT can block the applications, users know how to get around them using remote access tools, external proxies and circumventors.
- Finally, the reason applications are a bit riskier is that they would be used no matter what the device is.
The edge in terms of greater business and security risk: applications, but only by a photo finish. Now the question is, which would be easier to control and secure the network against. The winner again would be the applications because IT owns the network and they can apply (using Palo Alto Networks) application usage policies (as recommended in the article) that securely enable applications by:
- Enabling the use of social networking, webmail, IM applications by allowing and scanning, shaping, and scheduling use.
- Outright blocking of unwanted applications like P2P, circumventors, proxies and so on.
- Limiting use of remote tools to those who really need then and know how to use them.
By exerting control over the network, the applications that run on it, then IT can help mitigate the risks of personal devices as well as personal applications (used often for business), without hindering the business (or getting fired for blocking Gmail for an Executive VP).