Unchain your mobile users and just protect the data

IT and the security industry are both focused on dubious protection plans. This proposed standard shows a better way

Page 3 of 3

If a business has other reasons to enforce the use of specific apps (such as for compliance logging or to monitor and control distribution of supersensitive documents), it should use a MAM-style tool to restrict users to that tool for those specific documents that need the extra compliance. But there is no reason to burden everyone for such a subset of use cases.

Today's MAM and MDM tools are essentially network-based, requiring a device or app to check in with a central server to validate and even enforce its permissions and policies. That's not scalable for information management -- you can't require a server call every time a document is opened or is acted upon when in use. Yes, sessions can preserve the policies when offline, but that's cumbersome and is of no help when you're offline before you open the document. Network-based validation needs to be required for only the most critical documents.

Instead, access management has to be done at the source, so enterprises need to use tools like SharePoint or any of the many other information repository systems to control who gets access in the first place. That doesn't mean repository systems need to be the distribution points, of course -- the repository simply needs to add the permissions to the documents based on whatever policies IT wants to set using the policy management tools of their choice. That way, if a document is emailed, its policy goes with it. That's much more secure than today's situation, where if anyone gets a document out of the managed repository, it's now free and clear of all policy attributes.

Dozens of vendors who do such policy-based management tools could adopt InfoTrust. They could also extend its capabilities in the same way that Apple's iOS and OS X use Microsoft EAS as the basic lingua franca for policy control but added APIs for more controls that third-party management tools could choose to enforce. That gives everyone a sufficient set of information management capabilities for the vast majority of their needs and lets vendors layer additional controls for the truly special ones. That model works well for EAS across iOS, OS X, Android, BlackBerry 10, and Windows Phone.

Likewise, identity management needs to be done at the source. That means InfoTrust needs APIs to communicate with existing enterprise identity management tools, such as Active Directory, to validate user permissions (and even existence) on documents for which password security alone is insufficient. Likely, the operating system will need to provide the local service that the app communicates with, and the OS will handle the server communications -- similar to how EAS is implemented today. The use of documents with server-based identity protection will require an Internet connection to validate against the identity management server, but there's no way around that reality.

A plea to the tech industry: Make InfoTrust a reality
I strongly encourage Microsoft, Apple, and Google -- the three platform and app vendors through which so much business data is acted on -- to get together to develop the InfoTrust standard. Leading, progressive mobile and desktop security vendors such as MobileIron, Good Technology, AirWatch, Centrify, AppCentral, and Apperian should be key players. Perhaps one or two should even chair the effort due to their more neutral relationships with the platform vendors.

Traditional, backward-thinking vendors (such as those in the antivirus industry) should be kept at arm's length, at least in the initial stages. They've shown repeatedly that they can't get out of the broken defensive-perimeter trap.

IT keeps saying its security concerns are about protecting information. So, tech vendors, stop focusing on straitjacketing devices and apps and instead protect that valuable information wherever it is.

This article, "Unchain your mobile users and just protect the data," was originally published at InfoWorld.com. Read more of Galen Gruman's Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen's mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.

| 1 2 3 Page 3
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies