Proposing one problem, but addressing another
Back to this third wave of fear over data on iPads: This week, Zenprise announced an iPad app and related server software that lets iPad users access SharePoint files on their tablets, with the permissions and restrictions honored on the iPad. That's great -- Microsoft's approach to SharePoint has been to restrict it to Windows PCs and Windows Phone 7 smartphones, which only encourages employees to copy the files to cloud storage, email them, and otherwise work outside of SharePoint when they're using an iPad, Android tablet, Mac, or a home PC. This tool addresses some of the security risk created by Microsoft's lock-in strategy for SharePoint. (Zenprise plans a version for Android next year. It started with iPads because they are so widely used in business.)
But Zenprise's pitch didn't start so constructively. It first took the fearmongering route, using an example of the increasingly common practice of boards of directors using iPads to work with the sensitive documents in board meetings rather than going with paper copies. In this regard, corporate boards aren't alone: I learned during a work trip earlier this year that several counties in Florida now give their boards of supervisors iPads to review legislative and regulatory proposals, as they are easier to set up and use than computers.
The Zenprise pitch was that a DLP tool would keep such sensitive documents secure -- except it wouldn't. If the data were emailed, as I was informed, once the data left the organization to its legitimate, DLP-approved recipients, those files could be abused as desired on an iPad, a computer, or any other device with email access. Plus, in Zenprise's case, its DLP is limited to files accessed directly from SharePoint, so it wouldn't address an emailed document. For any documents accessed directly from SharePoint that the user had permission to edit locally, that local copy is not managed by SharePoint or the Zenprise app (it's now in another app, for editing), so it's now free for abuse. The tool does not address the example problem.
The other scary scenario in the pitch was the notion that IT set the data security policies. That's a mistake. Document access policies are a legal and business decision, not one that IT should make. IT should provide the tools to implement the policies and to monitor their compliance, but if IT has to decide what to protect -- or even if someone has to go to IT to protect a document, rather than do it directly -- something is seriously wrong with your technology management.
I don't mean to pick on Zenprise. The folks there try to balance the demands of their customers (for a security vendor, that means the most paranoid ones) with the realities of the users who ultimately deploy their customers' tools. But when a nuanced vendor like Zenprise goes down the fearmongering path, you can only imagine what the more old-school firms will say when they decide to join in.
A better approach to securing corporate data on the iPad
What's changed in business in the last decade (it started with working at home, not with iPads) is that information has to flow to be useful, because different people who may not even be in your organization need to create, refine, and act on it. That means it goes through multiple endpoints and a variety of tools. The old-fashioned approach was to standardize everything on a common platform and toolset, with the common security layer across it all -- the classic model for IT control. But that doesn't work when the world is heterogeneous and by definition not standardized. That's what it is today in most places, and traditional IT control doesn't fit that new world.
Within a SharePoint context, letting iPad users participate within the same rules as Windows users is a good thing. But at the end of the day, it's a partial solution attacking the wrong problem. And let's be honest, Zenprise is not offering a DLP tool but a mobile SharePoint client. That's a good thing for many companies in the here and now that use SharePoint, but it only works in the SharePoint context. If anything, the "consumerization of IT" phenomenon should teach IT that point solutions are insufficient in a heterogeneous context.
So, if you were to use the Zenprise SharePoint client, you couldn't stop there. You might also want to deploy a remote access tool that has the iPad user work with the data virtually so that sensitive information never leaves the managed server -- not just SharePoint servers -- in the first place. That approach of course requires expensive, management-heavy, and bandwidth-intensive desktop virtualization.
Of course, there's a simpler twist on that approach: using services like Accellion and Box.net that let you set up access-managed shared folders, where documents are restricted to a managed workspace on the mobile device. The problem with these services is that they restrict users to basic reading and commenting; an employee who wants to work on a proposal or presentation is either prevented from doing so or moves the files to another app, breaking the management control over that file. But that could change: both companies, as well as GoodReader and six others, are looking to implement MobileIron's content management API in their apps. Not yet in beta, this technology would let IT set policies for content via an MDM tool that the apps would enforce.
A better approach for many companies than all of these would be to extend traditional DLP to mobile devices. DLP works by funneling data traffic to a server that analyzes the content and applies its rules to it (usually just flagging suspect transmissions, but sometimes acting on them, such as to block the transmission). That way, you're handling all apps and communications, regardless of the endpoint device, through a universal filter at the data center, where this effort should happen anyhow. In fact, the endpoint device isn't involved, so you don't need to worry about if an app or OS gives you the visibility you need; all you need to do at the endpoint is ensure that its communication is routed through the DLP server. I suspect we'll see DLP tools get extended just that way to handle the new generation of mobile devices -- I sure hope so.
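To make the data-center filter described above concrete, here is an added example (not Zenprise's or any vendor's code) of the rule-evaluation step a DLP server performs on traffic funneled to it: each outbound message is matched against content rules, and the strongest action wins, with "block" outranking "flag". The rules, the "BOARD CONFIDENTIAL" marking and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]
    action: str  # "block" stops the transmission, "flag" only records it


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, spaces/dashes allowed


def has_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


def has_board_marking(text: str) -> bool:
    # Hypothetical classification label a board might stamp on its papers.
    return re.search(r"\bBOARD CONFIDENTIAL\b", text, re.IGNORECASE) is not None


RULES: List[Rule] = [
    Rule("payment-card-number", has_card_number, "block"),
    Rule("board-confidential-marking", has_board_marking, "flag"),
]


def inspect_message(msg: Dict[str, str]) -> Dict[str, object]:
    """Apply every rule to one outbound message; the strongest action wins."""
    hits = [r for r in RULES if r.matches(msg["body"])]
    if any(r.action == "block" for r in hits):
        verdict = "block"
    elif hits:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"to": msg["to"], "verdict": verdict, "rules": [r.name for r in hits]}


# Constructed sample traffic: a Luhn-valid test card number, a marked board
# document, harmless chatter, and a 16-digit ticket id that fails Luhn.
SAMPLE_MESSAGES = [
    {"to": "partner@example.net", "body": "Card 4111 1111 1111 1111 is on file."},
    {"to": "chair@example.net", "body": "BOARD CONFIDENTIAL: draft minutes attached."},
    {"to": "friend@example.net", "body": "Lunch at noon?"},
    {"to": "helpdesk@example.net", "body": "Ticket 1234 5678 9012 3456 resolved."},
]


def run_sample() -> List[str]:
    return [inspect_message(m)["verdict"] for m in SAMPLE_MESSAGES]
```

In practice the server sits where the endpoint's mail and web traffic is routed, so the same verdicts apply whether the sender is an iPad, an Android tablet, or a PC.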
But over the longer term, DLP itself suffers from being an island. It can handle data sent over communications channels, but there are other means to get data from devices, such as local file copying. Ultimately, what we need is digital rights management that works across apps and platforms -- a universal standard that carries the DLP rules with the data itself. Until it exists (if it ever does, considering how proprietary the tech industry has become again, though MobileIron's effort could be a jumpstart), IT is stuck with old approaches that don't fit the new world in which IT still has to provide security.
No easy answers for legitimate IT security needs
Even IT and security leaders who aren't looking to enrich security vendors by asking for more tools that won't really work have a problem: How to secure all the data (and just the data) that needs to be protected while supporting the shift to employee-provided technology and its accompanying flexibility. However, there's no good answer -- yet.
Flexibility and control are a hard combination to get. But users will accept that goal and work with you on it. Remember, not all problems are solved with technology; people are good tools, too. You can start by not trying to recapture mainframe-era IT control, but instead figuring out what data really needs to be protected. From there, you can manage, monitor, and log access to the data so that it's available to those you trust. If it leaks, you might also know who's broken that trust.
If you try to use security to block the flexibility that consumerized IT is really all about, you'll drive your users underground (which increases your security risk), waste lots of money on tools that don't work as you want, and get in the way of your business's ability to work well, setting a path to failure and, ultimately, oblivion.
This article, "The next frontier in fearing the iPad," was originally published at InfoWorld.com. Read more of Galen Gruman's Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen's mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.