
Unified cloud-based accounts can create a BYOD nightmare

Donovan Colbert offers a warning about mixing leisure BYOD devices with corporate cloud-based services. A conflict between the two could have a serious impact on a mission-critical response.

I recently had an experience that reinforced some of my deepest fears about BYOD solutions. I've been a huge advocate of Microsoft OneNote and its integration into SkyDrive, the OneNote web app, and the OneNote mobile apps. It's a great solution for professionals in an SMB environment to share documents and manage their work.

Even when business users don't have access to a secure public SharePoint portal, they can leverage Microsoft's cloud solutions to achieve a collaborative platform. Unfortunately, there are significant risks beyond the obvious in taking this route.

In my case, I had previously created a separate login for Microsoft services associated with my corporate address. I used it for my TechNet, MSDN, and other things that required a Microsoft online account. When my company was recently acquired, the incoming IT teams at the various regional offices shared our weekly meeting agenda via OneNote on SkyDrive. I quickly saw the incredible potential of this and began a push to move all meeting notes to this method. I also began to adopt this for all of my private professional needs, like organizing my Outlook inbox. Of course, I used my corporate-oriented Microsoft online account to create the OneNote/SkyDrive account that I used.

I had created and shared several documents, including an Outage Downtime Report for my office and a Security Response document, which were quite popular with the other regional IT locations. For example, we recently had to deal with the w32.changeup virus. When a smaller regional office experienced an unrelated outbreak later, we granted document access to them so they could review our response instead of learning first-hand how best to contain the issue.

Microsoft has moved to integrate Windows 8 Pro and RT, Xbox, and Windows Phone tightly with their cloud-based solutions. You can still create a local account (on Windows 8 Pro and RT), but to fully leverage the advantages of the integration between these devices and the platform, you're best off using a Microsoft online account. Furthermore, Microsoft is moving to consolidate all of their various accounts (Live, Xbox Live, TechNet, MSN, etc.) into one single unified login for all products and services. Let's not get too hung up on the "Microsoftness" of this -- it's exactly the same approach that Google has taken across their ecosystem.

Around the same time that the virus happened, I was reviewing the HTC Windows Phone 8X on Verizon, plus demoing and reviewing Windows 8 Pro. Because I like to focus on enterprise and corporate (rather than consumer) applicability, I activated my device logins using my work-related Microsoft account.

I saw the first signs of this problem, but not all of its implications, almost immediately. Since I have a professional account for one set of roles and a personal account for my leisure and consumer needs with Microsoft's services, I found that I could not easily integrate the two on my devices. Microsoft's goal is for you to have one unified account, but I don't want my Xbox Live account associated with my professional life. This resulted in a situation where I could access my professional documents in OneNote on Windows Phone 8 and Windows 8 Pro, but I couldn't access my music, movies, gamer information, or other media. I could easily test the professional applications of the phone, or the leisure, but not both.

I knew that my phone review wouldn't be complete without some discussion of the quality of the music playback and Xbox Live integration. I looked at my local music collection and discovered that I had ripped my copy of the Get Him To The Greek soundtrack to digital format. I own this music and have frequently ported it between iTunes and Google Play Music, so I figured it wouldn't be a problem to upload it to my work-related SkyDrive in order to download it or stream it to the Windows Phone. I copied the music file over and listened to it. I had already shared the virus response document with a member of our other office. When I returned, he had sent me an email, asking me to share it with another team member.

When I went to share the document, my login was rejected. My account had been locked for a violation of the SkyDrive TOS. It didn't take me long to realize what happened. The upload of a media file with a title identified as protected IP triggered an automatic response that locked my account. It was a mistake, I knew what had caused it, and I was willing to correct the issue, even if it wasn't really a problem. But there's no live support for SkyDrive -- you're redirected to a site where you can basically submit a plea to have your account reactivated. That submission is reviewed, and your request to have the deactivation reversed is either granted or not. The details on the process are very vague and unclear, but it's evident that you're assumed guilty until you prove yourself innocent.

I was eventually able to resolve the issue, but my leisure BYOD devices and my professional corporate life had caused a tremendous conflict that could have had a serious impact on a mission-critical response.

This illustrates one of the many pitfalls of BYOD solutions. When tightly integrated with unified cloud-based accounts, you're forced to mix your professional and leisure uses on one device, and the results could be disastrous to your career.

Have you had any similar nightmare scenarios with BYOD solutions at your job? Share your experiences in the discussion thread below.


About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...

32 comments
greggwon

All the flexibility of choosing so many different vendors to interact with presents the opportunity for none of them to choose to work together. With iTunes, I can have my music wherever I want on my devices. I pay the price for the right devices because they solve this problem for me. Mixing work and personal life is going to happen. The question is whether you are doing it because it's work, or you're doing it because it works. Task-specific apps are what make things work well. Certainly, a single login that locks the economy to the data and apps can be challenging, but in the end, if you want them to stay separated, then keep them separated. With iOS and the Apple App Store, you can use separate usernames and passwords for each app, and thus have a different iCloud account associated with that data. I find it easy enough to do this, and keep my stuff separated, yet all together.

jk2001

I don't understand how this fits with BYOD. The problem here is that you use the same email address to sign up for both personal and work accounts. The solution is to use your work email to register for work accounts, and your personal email to register for personal things. If you have a device that has only one login, and that provides a raft of services, then, that device basically cannot be used for work (or personal use if that's a work device).

carol

On the same note, SkyDrive Pro (replaces SharePoint Workspace 2010 and SkyDrive) creates a local disaster zone by saving all content synchronised from all online sources in one place on the local drive. I work as a consultant; I want content from each customer in a separate place. I want my personal and professional data separate. And when I cease to work for a company, I wish that the data synchronised from that company's SharePoint site were automatically deleted from my devices when my account is terminated. SkyDrive Pro kindly keeps it for me, mixed up with all the other data. I know I CAN manually create folders and manually move items into the folders, but if I have different logins for different data, I would really have hoped that SkyDrive Pro would keep the accounts separate automatically.

bmeyer66

What happens when they also lock you out of the local account on your Windows 8 computer?

lind777

This is very scary. I thought MS were the ones who advertise that they don't have rights to do anything with what you upload to your drive (as compared to Dropbox or others who said they could). The author owned the content he was storing and legally owned the right to use it. Such a sad state our world is in.

cpetersen

I might be on the other side of that spinning coin... I connected my personal device to our corporate e-mail system and did not get any notification that a policy was being pushed down that would wipe the device if I ever terminated that relationship. I can live with the policy forcing me to enter an unlock code every 20 minutes, but a full wipe policy has to be part of a notification process at "opt in" time...

bahnjee

I'd be satisfied to use the SkyDrive app for my professional files, and just use the SkyDrive website for my personal files, but I've got it set up backwards. What I mean is that when I set up my Windows 8 PC at work, I mistakenly used my personal Live account. And now that can't be changed. It's hard to believe that employees at Microsoft don't share the desire to segregate their own Live lives (see what I did there? :-) ). How could they not build in the ability to shift from our professional life to our personal life?

TsarNikky

All the more reason to remain with the traditional, proven, and safe practices that have worked for ages. Pandering to those who feel the need to bring their personal/mobile devices to work and use them just creates needless security problems. With the millions of well qualified people seeking employment, rules about no personal devices in the office will not be a big deterrent. Not every company can afford to operate in a foot-loose-fancy-free environment.

Jay_H

I am really concerned about their scanning materials placed in my private account (not for public distribution). That is simply too much and absolutely unacceptable. It's not up to them to look at my stuff, much less for them to attempt to determine if it's 'acceptable.' What else are they scanning for? Just another reminder of how dangerous the 'cloud' is.

brt

I always recommend to clients that as a 1st commandment, they implement MDM (not just ActiveSync mind you) - to ensure separation of professional and personal 'personas'. This has legal/compliance ramifications too, of course (to points made in other comments). This isn't about Microsoft or Google or Amazon - it's about IT policy governance. You want BYOD, you need MDM 2.0. I'm not advocating a specific solution, just the concept as a 'must-do'.

pocetnik

Nobody seems to see the real problem here. Microsoft has given itself not just the right to spy on you but to be the judge – they decide what is illegal and immediately carry out the sentence. Then they strip you of all your data – not just the suspicious part. Well, in the near future I expect traffic control cameras to shoot you if they conclude you are about to cross the street on a red light, or the bank to confiscate all your assets if they think you ordered one drink too many with your credit card – the possibilities are endless.

nospam

Just a thought to mull over, but if someone has a BYOD device and leaves the company, how are you as system admin to ensure all company documentation etc. is removed from the device, if you have no access to said device because it is not company property and you are not legally authorized to access it?

symowallo

I am attempting to deal with the exact same issue. What really P's me off about this is Skype. I have a Windows 8 box at home and at work, but I want to use the same Skype account for both. No can do!!! This bundling of MS accounts is great in some ways but terrible in others.

robo_dev

We think about availability in terms of Google and Amazon being 'too big to fail', but the risk that a user account gets suspended or terminated is an interesting angle. An automated malware process that distributed some DRM-protected content as part of the payload could literally take millions of accounts offline in an instant, assuming the account-suspension process is fully automated.

Marshall7005

I have also faced such issues with SkyDrive, where I am not able to keep my business and personal files apart, therefore I made the ultimate switch to storing my docs in Dropbox and integrating it with the GroupDocs document management solution. Since Dropbox differentiates among media files, photos and my documents, I get to access my business docs directly from Dropbox and work on those using GroupDocs apps. It has been a handy solution for me and if you haven't used GroupDocs yet, check out its website here: http://groupdocs.com/

dcolbert

was that I had two separate accounts, one for work, one for leisure. Reread the article. Many OS platforms have a single login but allow you to set up multiple accounts for individual apps. Windows 8 isn't this flexible. Your login into the OS logs you in automatically to all of Microsoft's cloud services - and Microsoft clearly intends that to be a one-stop login to access all of your Microsoft services. You can't select an alternate account. But the issue it highlights applies equally to all BYOD solutions - it doesn't matter if there is a single unified login or not, really. I think the tendency of users will be to mix both leisure and professional roles in their cloud solutions. There are lots of potential ways to work around the issue I describe here - the problem is that the combination of BYOD, Cloud Services, and Unified Log-on makes these kinds of situations more likely to occur in the workplace - and I don't think IT policy makers have considered all the possible scenarios yet.

dcolbert

I would recommend always making a local administrator account that is not associated with a Microsoft login and is not "online" on any Windows 8 PC. That is probably an important key learning that I took away from this event that I think a lot of IT pros may not be thinking about right now. I don't know if having your Microsoft online account disabled would prevent you from authenticating to a Microsoft-linked Windows 8 account, but it can't hurt to have a stand-alone local account with Admin access, as a safety measure.

dcolbert

I didn't get a SkyDrive support engineer... they don't exist. Online services are all supported through online support channels. But the person I did talk to told me that copying my own music to SkyDrive was an FCC violation. I asked her how I was able to port my music between Google Play Music's cloud and iTunes if it was an FCC violation. She had no answer. I told her I would be content to remove the song from SkyDrive as I understood it was a violation of their ToS regardless of whether it was illegal or not - she sent me to the same website where I had already submitted my issue. Keep in mind, Microsoft isn't alone in having such dismal support for their cloud-based services. Some companies have far superior, far more responsive support, and others follow Microsoft's model. DropBox, Evernote, Google Drive, iCloud... you could potentially encounter the same kind of situation I describe here on any of those platforms. The problem isn't really the company, but how A company (pick your poison) handles supporting their cloud-based services.

Jay_H

Am I understanding you right (not being a W8 user)? If that computer is transferred to another employee, the account goes with it?

smfrazz

You use their services free of charge and they have a right to keep an eye on your data... (essentially ONLY looking for DRM flags). Don't get this confused with exposing your personal private information. MSFT has strict policies regarding protecting PII (personally identifiable information). They are not "mining" SkyDrive and other online services' storage or data as Google has been caught doing. Do you honestly think MSFT has actual eyes on your data? Get real. They are simply looking (scanning) for DRM IP flags. Nothing more.

stnwall

Not sure how MDM does anything to assist on a cloud-based file sharing platform. The issue here is not the separation on the device, which MDM would allow you to do. The issue is that MS and others are collapsing their model to encourage you to have one place for all data on their servers. One point of access certainly entails one point of failure.

bmeyer66

I have been thinking about this since I saw a note about this type of policy, and can see several options. One is the loading of software when they start that is programmed for erasure of the "company" data. But this would require several things: one is the up-front agreement of the owner of the device. Second is a way to tag the "company" data for removal. I am not enough of a programmer to say how easy it would be to implement.

dcolbert

Imagine a user gets their account suspended for some sort of illegal activity and that includes cloud storage that also contains critical corporate data. If there is a police investigation going on, do you think that the authorities and a cloud based provider are going to go, "Ok, we'll let you in JUST to get these documents you need, just be sure not to delete or corrupt any evidence in the case we're building." Obviously I hadn't really considered it either. I was doing something innocent that I routinely do between several cloud storage providers I use. As soon as I saw that I was locked out for a ToS violation, I knew the reason why, though. I immediately realized how much corporate data was also on that drive and now inaccessible, and anyone in IT who has experienced that sinking feeling in their chest knows exactly what my emotional state was at *that* point.

dcolbert

Because Dropbox just trades in another set of security concerns and potential problems for the ones encountered with SkyDrive. I use Dropbox, I use Google Drive and I use SkyDrive. Part of that results from my mixed platform utilization. As an IT professional I work for a 2000-employee organization that is standardized on being a Microsoft shop. We have Exchange, we have Outlook, and we use OneNote extensively for inter- and intra-office collaboration and communication. So, SkyDrive is a natural extension of that which integrates very smoothly with our Microsoft operations. I write most of my technical blogs on Google Docs, because I am very integrated into Google's ecosystem, both with a single web login for their suite of services and because it all synchronizes nicely with my Android devices. Finally, I use Dropbox because it is a robust, inexpensive and powerful cross-platform solution for my Windows, Mac, iOS, Android and Linux machines. Microsoft got picked on here because they're the ones I ran afoul of and experienced a cloud-based interruption of continuity of access to my critical documents. No cloud service is immune from that potential - and on any platform where you are mixing leisure and professional needs, you run the risk of having those two come into conflict with one another. My experience is really just the tip of that potential iceberg.

bmeyer66

Being a student, I am looking at it from the point of view that that may not always work. From Active Directory permission classes they could shut all access off for the computer as the account, not just the "admin" account that you normally log on with to their services. I will admit I am looking at the worst case that can happen, but as professionals in the IT world, one of the things that we are supposed to do is look for the worst that can happen.

dcolbert

This is one of the steps forward with Windows 8. If you buy a new PC, and you login with a Microsoft Online account that you used with your old PC, many of your settings transfer with you, almost like a roaming profile. So you can log into any Windows 8 PC and get it quickly back to where your previous system was set up, as far as the Modern UI is concerned. This is a very Android-like feature with Windows 8.

dcolbert

Microsoft has a poor reputation and less trust with being ethical with this kind of information than their competitors. It doesn't really matter if that is the truth or not; that is the overwhelming perspective of pro and home consumers with Microsoft. It isn't the consumer or pro user's responsibility to grant Microsoft amnesty for their past perceived difficulties in this area; it is Microsoft's responsibility to rebuild that trust. They do have a right to keep their eye on my data. How they respond to that is what shows the character of the company. I suspect most cloud-based services notified of potentially infringing copyright material send a take-down notice to the offending party, allowing for a dispute process, *prior* to taking any action that would prevent that party access to their data. Microsoft's response and policy shows a contempt, disregard and distrust for their end users. That is a classic and critical difference between the approach of Microsoft with corporate IP issues and, say, Google or Apple. If Microsoft had gotten the early lead in digital music, do you think they ever would have used their leverage to force recording labels to remove DRM from digital music? I don't. I think Microsoft has a corporate culture that is content to let the consumers bear the burdens of unnecessary restrictions on their digital content. If Bing were the leading search provider, do you think Microsoft would fight so many subpoenas and other Government requests for information on users the way Google has over the last 10 years? No - Microsoft would partner with those agencies and provide that information immediately and without oversight. This is Microsoft's reputation - and I think it is deserved. It illustrates a company that is out of touch with responding to consumer demand in almost the SAME way that the recording industry was out of touch with their consumer base.
They need a revolution of corporate culture at Microsoft that places an emphasis on being customer oriented and customer advocates - instead of seeing customers as criminals and thugs that should simply be shaken down for every last cent in their pockets. Fairly or not, that is how Microsoft's corporate culture appears in comparison to their competitors, and someone at Microsoft should recognize this and take steps toward fixing the problem, while they've still got enough momentum to correct their direction.

smfrazz

Have you never heard of SkyDrive Pro? Have you or your IT department actually talked with anyone at MSFT to see how this "SHOULD" and DOES work? Why not take your reporting up a notch and actually discuss this with someone at MSFT to see how you and your IT can use these seamlessly without issue? I have a Windows 8 Phone, and use SkyDrive for personal pics or other data and SkyDrive Pro and Office on the MP8 to connect to our SharePoint and work OneNote data with no issues whatsoever. SkyDrive doesn't have the security controls SkyDrive Pro does, and your company should use SkyDrive Pro and your Office/SharePoint for work, along with clear policies on using SkyDrive for work documents, to make sure sensitive data is kept inside. This isn't rocket science. Talk to someone at MSFT and let them show you how this works seamlessly for most well-run Enterprises.

dcolbert

Isn't that powerful. In fact, if you can get physical access to a PC, AD and GP permissions are among the easiest "security" features to breach. Worst case scenario, unless the drive is encrypted, you can reinstall Windows over the top of a Windows instance you don't have permissions to and you'll either have access or be able to take ownership after the rebuild. Not sure if there is anything like Winternals for Windows 8... but basically, if you've got physical access to a machine, AD and GP security and policies don't mean anything, if you *really* want in. Lenovo BIOS passwords and hard drive passwords are one example of enterprise class hardware designed to compensate for this shortcoming.

dcolbert

and close your account seems to be a strong point of DropBox and Google. Of course, we can assume that when you remove your data it still may be archived somewhere else on the hosted solution's servers... but the ability to remove the copies of files from *my* drive is important to me. Right now I know I've got about 450 songs that I did not know were in Microsoft's cloud on their servers. I don't know where, I don't know how they got there, and I don't know how to manage them. I vaguely remember doing something with either Xbox Live or Windows Media Player, probably several years ago - and maybe it is something that I can remove if I want to, but finding information on it is difficult. I don't feel that Microsoft has the same kind of maturity in dealing with large-scale consumer demands on cloud solutions as Google.

carol

I have not found out how to AUTOMATICALLY keep documents from different sources in different places. Manually creating folders is NOT a user-friendly option. Also, SkyDrive Pro leaves local copies of documents and has no "wipe on disable account" feature. A nightmare for corporate admins.

dcolbert

Microsoft isn't clearly communicating their vision to their different target markets. You sound like a Linux pundit pushing the blame for not understanding the complexities of that platform back onto the user. Linux has managed to carve out 2% of the target market with that approach - how well do you think that will go over for Microsoft? I reached out to a contact at Microsoft SkyDrive prior to writing this article. I explained my situation in detail. That contact never responded to me. That was part of the original article, but was cut in editing. I do appreciate that you've pointed out that Microsoft offers a pro version that addresses many of my security concerns regarding SkyDrive. It seems that I and a lot of other SMB IT professionals are not aware of this. This is not a failure on our part as IT professionals; it is a failure on Microsoft's part to communicate their services, products and intended markets to consumers, end users and professionals. The lack of communication and the tiered levels of support, where consumer platforms are treated like second-class citizens at Microsoft, is part of the current threat Microsoft finds itself challenged with. Apple and Google have carved out a business that is eroding Microsoft's market share slowly but surely, in part by increasing the focus on consumer and leisure users. That wasn't just by making compelling consumer/leisure platforms, but also by being *available* to assist consumers with the same degree of availability as they provide business customers. It should have been easy for me to contact a real person for support of a *consumer-oriented* service, who could have told me, "I see what you've done, I'll fix it right now, you need to remove that file, and may I recommend that for business use you research SkyDrive Pro for your corporate enterprise needs."
If Microsoft doesn't figure this out soon (and this goes for other Cloud Service providers that approach cloud services with a similar model, too), they're going to find themselves in trouble. Keep in mind, this isn't a warning about SkyDrive or Microsoft in particular; this is a warning about cloud service providers and BYOD solutions in general - especially in the manner that SMBs might be tempted to implement those solutions. I'm sure SkyDrive Pro is a lot more expensive than SkyDrive? For a lot of small businesses with tight budgets, when Microsoft says, "Well Run Enterprises," they mean, "organizations with deep enough pockets to afford our Enterprise solutions." You've brought some good information to this discussion, Smfrazz - it is too bad your snark and condescending attitude detracts from that.
