When Apple scared the pants off IT with its iCloud syncing service, both cloud-storage services (in most cases, just fancy FTP services) and mobile management vendors scrambled to offer read-only repositories to secure corporate information. Microsoft, for reasons wholly unrelated to security, played along by making its SharePoint repository servers incompatible with all but its own Windows Phone platform. VDI clients got a second wind as well, as a way for IT to keep all information safely in the data center, exposed through Windows desktops delivered to mobile devices -- a solution so ungainly it quickly became tagged as a last resort.
Few users opt for these services because they hinder work, but the desire among IT police was nonetheless deepened. All those vendors wanting a piece of the IT paranoia pie sharpened their knives.
Then we started to see an approach that was harder to argue against: the development of APIs and wrapper technology IT could apply to specific corporate apps, so the data they used stayed separate from personal apps. Quickoffice -- the closest thing to Microsoft Office in mobile -- adopted such an approach for a corporate version of its Quickoffice suite. The big names in mobile management tools -- Good Technology, MobileIron, and SAP Sybase -- all have gone down this road, partnering with providers of major business apps such as Quickoffice and Box to provide corporate-secured versions. A host of smaller vendors offered various approaches with the same goal -- Mocana and Symantec's Nukona with products that wrap apps in a way that controls who they share files with; AppCentral, Good, MobileIron, Sybase, Veracode, and Verivo with SDKs by adding app management to homegrown apps; and Antenna Software, Cellrox, Enterproid, Fixmo, and Open Kernel Labs by creating separate work partitions for corporate apps and data.
The straw that broke this camel's back
Now comes a wave of mobile apps that encrypt emails and their attachments so that they can be opened only by an IT-managed client. MobileIron announced one yesterday, and I know of several more yet to come. These apps made me realize that IT police were steadily adding more and more restrictions and locks to smartphones and tablets, making them into BlackBerry-like devices that many in IT still love because they make great agents of the state. "Like a lobster being brought to a slow boil," I thought, "and the temperature is already hitting 200 degrees!"
I get the need to protect corporate data, but too much of it is through blind control that distrusts the very people charged with using and creating the information in the first place. Let's be honest: Security is too often used as an excuse to justify distrust, avoid human management, and avoid making the hard, honest calls on risks. Worse, the technology is applied unevenly and stupidly, which creates more opportunity for dangerous behavior and accidents.
Case in point: MobileIron's Docs@Work product announced yesterday. With it, IT can wrap emails and their attachments when delivered to iOS devices, so only the Docs@Work app can open the contents -- and only for users known to the server (such as through Active Directory integration). Companies such as Voltage have long offered similar technology for the BlackBerry, and it's a basic feature in mobile clients such as that offered by Good.
What's different about Docs@Work is that it doesn't use standad encryption or keys; instead it wraps attachments in a proprietary format -- sort of a secured Zip. MobileIron takes advantage of Apple's Open In facility to allow only the Docs@Work -- not the standard Quick Look preview facility or other apps -- to access the wrapped attachments. If the iOS user forwards the email from their iPhone or iPad, the wrapper is retained, making the attachments unopenable on computers or other mobile devices.
As you can imagine, this product should have strong appeal to the IT police. But here's where Docs@Work falls down:
- Only iOS users are "protected," though Android support is on its way. If you get the same message sent directly to your PC or Mac, it's not protected; the wrapper is added by the server only on the attachment copy pushed to iOS. In other word, mobile users are explicitly distrusted.
- All users can do is read the contents, not work on it, as you would on an iPad. MobileIron expects to add editing capabilities, likely through integration of its APIs into corporate versions of apps like Quickoffice, at some point. Until then, Docs@Work disables much of the value of getting an attachment in the first place.