Tuesday, 25 February 2014

BYOD: Bring Your Own Diskettes

One of the latest nightmares of Infosec practitioners, BYOD (Bring Your Own Device/Disaster/Doom/Death... your choice), is not that new after all.

For me, it all started in about 1992, with the first job of my career: software engineer at a very small video game company.
We were fewer than 10 people working there, none of us a permanent employee. Even the CEO was working part-time while pursuing his studies.
So all the scarce budget we had was spent on hardware and software licenses for our development work.

And some floppy disks for backups, but not enough. Most millennials don't remember this kind of storage media, or how short-lived it could be.

So my colleagues and I were bringing our personal floppy disks to back up our daily work/code/images/soundtracks.

I remember one day, when at last we had corporate floppy disks owned by the company, and even some Syquest cartridges (Wow! 40 MEGA Bytes of storage, beware not to let it fall on the ground, it's rather fragile!), most of my colleagues still used their own floppy disks.
I told them they were taking an unnecessary risk: if their corporate machine's hard drive failed, and the floppy backup they needed also failed, so that all their files belonging to the company were lost, who would be responsible?
There was also a data leak issue: were they certain the floppies they kept at home were safe there? Did they bring them along when leaving for a weekend or holidays? Even in this pre-internet and pre-mobile era, "data at rest" was already a fiction.

Sure, those old floppy disks, Syquest cartridges or even hard drives were passive storage compared to today's mobile devices (even USB things), and the mix between personal and professional use was far less of a problem: floppies were cheap, so having some for professional stuff and some for personal stuff was not a big deal.

But the responsibilities were already a serious issue.

Mobile Device Management systems, multi-user (or at least multi-profile) mobile OSs or other tools would be of help.
And of course policies: simple, clear, enforceable and yielding user engagement.

It's rather disturbing to see that our oh-so-modern high-tech industry is still stuck with these issues from another century.