Andrew Buss, originally published on The Register
Business today is a very different beast to that of just five years ago, and a world away compared to ten years back. While some of us are undoubtedly still office based, there has been an equally clear trend towards more flexible working that is less dependent on a fixed location. The spread of Wi-Fi in the home and workplace, and then in public areas, made mobile working feasible and even tolerable. And with increasingly effective connectivity technologies such as 3G, mobility, for all its goods and ills, is here to stay.
The move to mobility has been arguably wondrous for productivity, but it has been a difficult transition for security. Just under half of you reported that your workforce has a poor or very poor approach to IT security, which is a difficult situation to resolve even with the best policies and most comprehensive training. Couple that with the tendency of users to connect to any available network, and their susceptibility to exploits of unpatched vulnerabilities, virus outbreaks and phishing attacks, and it is no surprise that mobile computing has had (more than) its fair share of horror stories.
New technologies aimed at managing and securing the notebook estate have emerged. These include comprehensive group policies, systems and patch management, NAC, advanced end-point protection, intrusion prevention and identity protection. Plus there are newer initiatives such as disk or folder encryption to protect sensitive data at rest if the machine goes missing. While these have been deployed with varying levels of success, at least they exist and are available.
Now that notebooks are firmly established as an enterprise workhorse, a new challenge has arisen. The growth of smart devices that act as productivity enhancers and electronic communicators par excellence threatens to take us back to the dark ages of management and security yet again.
At the dawn of the smart phone age the devices were expensive, crude and very corporate. They were generally managed and deployed by IT as part of a controlled rollout, usually to quite small groups of senior users.
The last couple of years, characterised by products such as the iPhone, have seen some fundamental changes in the market and in people’s expectations. Smart phones became low cost (OK, relatively low cost), more sophisticated and positioned for consumer tastes. Apple’s success has spurred the likes of Nokia, Palm and Microsoft to speed up product development and developer ecosystems. Even BlackBerry, the enterprise email stalwart, has quickly moved to try and capture the consumer market. But in the case of the new wave of smart phones, it has been employees as consumers, not the IT department, who have driven uptake and use.
Part of the attractiveness of the new wave of smart phones is the blend of consumer applications and interactivity, together with the ability to connect to work systems, something that enterprise-focused devices had spectacularly failed to do previously. This blurring of the lines between personal and professional identities is something that needs to be managed carefully. People cherish their beloved gadgets, but are also remarkably careless with them as they take them through life’s ups and downs. Witness the discovery of a lost iPhone prototype in a Redwood City bar after a party. Although the loss revealed Apple’s prospective hardware design, the data and new operating system features were protected from discovery by remotely wiping the device. The caveat is that a remote wipe only works while the device is still reachable over the network; a finder who pulls the SIM or powers the handset down before the command arrives leaves the data intact, so the wipe is a backstop for encryption and a lock screen, not a substitute for them.
In the ideal world, the company would specify and provide a (very) limited range of devices to the workforce, and the employee would be happy to be given one. Such devices could be more easily deployed, managed, supported and secured. The reality is that these are intimate, very personal devices. If what the company provides is not appreciated, or is found wanting in functionality or desirability, employees will look to acquire devices on their own to do their job more effectively. In many situations where companies provide a device such as a BlackBerry, the employee will still carry another gadget to get around the restrictions imposed by the corporate machine.
So this leads to a dilemma. If the company strictly limits the devices employees are able to use, it may just encourage them to use unsupported ones in secret, opening an unmanaged back door onto corporate data. On the other side, should the company be prepared to allow employees to supply their own devices, and what restrictions, if any, should be implemented? A free-for-all would just be asking for trouble. A shortlist (or not so short list) of approved devices may give enough choice for general satisfaction without going overboard on coverage.
Once the question of user choice of device is decided, the issue then revolves around management, security and support. If the device is provided by IT, management and policy should not be an issue. But if an employee supplies the device, where should the dividing line lie? The device must be secured, but at whose discretion or expense? Arguably, by tacitly allowing use of a personal device on the network, the company must then provide a list of required software and configuration information or policy, and some means of checking that the device actually meets it before it is granted access. Ideally, the company would also be able to provide the software for the employee. However, issues such as benefits-in-kind tax may be a concern, as may the ability to extend corporate or volume licences to equipment not owned or controlled by the company.
There is also the issue of granularity of protection. What exactly should be covered in a remote wipe? If the user loses the device, should everything be reset in a big bang, or only specified applications and data? What if the employee has pictures, personal messages or similar that are not backed up anywhere but are wiped from a lost device that is subsequently found? A selective wipe is only possible if corporate data is kept apart from personal data in the first place, for example in a separately encrypted container or mailbox whose keys can be destroyed independently; on a device where everything sits in one store, the only wipe available is the big bang.
Finally there is the thorny issue of identity management and the confidence that the person using the device is the legitimate account holder. Company notebooks and the like are more easily secured by means of complex passwords and multiple authentication factors, such as smart cards or one-time tokens. Establishing links with domain accounts by means of a SIM card or phone number may help, but neither is a strong identifier on its own: a SIM can be moved to another handset and a number can be ported, so it should be treated as one factor among several rather than as proof of the user. The issue remains that smart phones and newer devices still have a way to go to match their notebook cousins for security.