The BYOD Data Dilemma: Is EAS Safe?


Zix Staff

Skimming through old posts on the Zix blog, I came across this one from a year ago. A new Zix employee had pulled out his smartphone and demonstrated that although his ActiveSync account with his previous employer had been deactivated, all the emails, attachments and his customer contact list were still stored in the permanent memory of his device.

This got me to thinking – what is Exchange ActiveSync (EAS)? EAS is a protocol that has been developed to synchronize email, contacts and calendar entries from the Exchange mailbox to just about every mobile device or operating system, including Apple iOS, Android, BlackBerry, and of course Microsoft Windows Mobile.

EAS delivers the very useful tool of replicating emails, calendar entries and contact lists across multiple devices so that all devices are up-to-date with what is stored on the messaging server. Once on the device, employees work on, copy or forward the data in emails and their attachments just as they would if the data were on a company desktop. It means, for example, that when called by a customer or colleague, a user can see her existing time commitments and confirm to that caller then and there that she is free to meet on Thursday at 2 p.m. This ability allows mobility users to be productive at times when traditionally we would not have been contactable or would not have been able to respond to questions or issues quickly.

As we all know, tablets and smartphones are very powerful consumer devices. Essentially they are micro-computers that will do a multiplicity of tasks required by their consumer owners. In doing so they are eminently fit-for-task. That is, they behave exactly as they were designed to behave. They respond quickly, and they “seamlessly” share information between apps so that we can forward a music clip via email, instantly upload a photo to Facebook, search “nearby” for a restaurant, and so on.

The very functionality that makes it easy to share information between applications turns these consumer devices into a business IT headache. In order for BYOD to work for the user, the password or PIN to use the device must be quick and easy to input – the antithesis of good IT security. More than this, the device must not time out too quickly (requiring the password to be re-input to continue) because the users – your employees – would not accept this. A survey by McAfee and OnePoll revealed that 36% of mobility users don’t lock their mobile devices with either PIN or password, while 30% have vital password information stored in notes apps.

And even if data is encrypted, the encryption keys are kept in known places on the devices and are therefore hackable.

Most industry solutions to these dilemmas utilize sandboxing or containerization strategies to counter the very seamlessness that has been designed into BYOD devices. These solutions can work well in controlling what users can and cannot do with the corporate data on their own device. Unfortunately, solutions like these can fall down when either a disgruntled employee decides to act against the employer or devices fall into the hands of savvy criminals.

Regardless of the security or encryption techniques used in combination with EAS, in my view EAS has one overarching security flaw. Business data is copied to the BYOD device. With data on the device, motivated criminals can access that data. And please don’t talk with me about remote wiping: that “remedy” is facile. Remote wiping works great if the device is lost; however, “lost” implies that no one has the device. It is down the back of the sofa, or in a pile of laundry: exactly when a remote wipe is unnecessary. The ideal time for a wipe is when a thief has the device; however, any thief smart enough to search for corporate data is smart enough to apply airplane mode or to put the device inside a Faraday bag, thereby defeating any attempt to remote wipe the device.

ZixOne, however, is a fresh solution that takes a different approach to solving this BYOD dilemma by keeping business data off the device in the first place. Even if the device encryption or passwords are broken, there is no data on the device to be found. It’s a BYOD solution that employees accept with ease. ZixOne enables easy access to email, calendar appointments and business contacts, all the while keeping business data secure and off the device.