Credit: Hemera Technologies
At most businesses, it's now an accepted fact that at least some employees use personal smartphones and tablets for at least some work purposes or use work-provisioned mobile devices for at least some personal purposes. Just as the separation between work hours and personal hours has disappeared for whole swaths of worker roles, so too is the line between work and personal devices and -- more important -- work and personal information for many information workers.
This intermingling raises questions in areas for which there are no easy answers. The methods for the first line of security and information management were easy: a mobile device management strategy coupled with a role-based policy on who pays for and owns what. Although the next set of issues have no set answers, it is time for IT, business managers, and employes to start thinking about them.
[ Read Galen Gruman's framework for a mobile information management strategy. | See how iOS 6, Android 4, Samsung SAFE, BlackBerry 10, and Windows Phone 8 compare for key mobile security features. ]
I was reminded of these tricky issues in preparing a panel on device heterogeneity for last week's CIO Global Forum and in subsequent discussions with CIOs in multiple industries at this invitation-only event where I've been a regular part of the moderator team. These smart CIOs are way beyond the "should we?" phase and are now dealing with these messier questions.
Managing information access
When people first started bringing iPhones to work, many IT organizations freaked out over allowing a new conduit to corporate data, with fears of lost smartphones compromising corporate secrets. If you check the national database of reported privacy breaches (a decent benchmark for breaches of all sorts), you'll see this fear has not been proven. But the fact that mobile devices have not led to a mass loss of corporate information does not mean businesses shouldn't be concerned about information leakage. They should -- no matter what device employees use.
In mobile management circles, you'll hear lots of talk about mobile information management, but there really is no good way to walk that talk. The reason: Information privileges are not embedded with the information itself. Plus, applications have no way of knowing -- much less honoring -- what those permissions are even if the data carried those rights details.
Yes, there are products that let you embed rights management into a custom app, as well as some information access apps that provide an IT-managed container. But they don't allow users to work on the information; most are read-only and/or require a live Internet connection for what is essentially remote access to the data. Even those that allow users to do real work can work only on a small subset of files on a subset of devices. It's not a scalable approach.
Operating systems vendors, app vendors, development tool vendors, and management tools vendors need to get together to figure out a common protocol to enable true information management, as Microsoft Exchange ActiveSync protocol and the API extensions from Apple and other vendors have largely done for device management.
In the meantime, all you have to work with is the notion of determining who you trust and when, along with managing initial information access accordingly. Intel has a good model for approaching the information management question, one based on access privileges to keep information away from unsecured environments in the first place.
When BlackBerrys ruled enterprise mobile, one key capability that set businesses at ease was the ability to remotely wipe a lost or stolen device, if it was managed by BlackBerry Enterprise Server (BES). iOS added support for remote wipe in 2010, using Microsoft Exchange native EAS protocol, with both Android and Windows Phone following in 2011. BlackBerry 10 also supports remote wipe via EAS, so you don't need to have BES deployed to get this basic protection.
The universal support for remote wipe from the major mobile platforms removed a lot of IT angst. But remote wipe may not do what you expect. It erases the device's flash memory, but that erasure is similar to erasing a hard drive -- with the right tools, a determined thief could recover some or all of that wiped data. That might matter if your users are storing supersecret data on their mobile devices.
On a hard drive, there are tools that write nonsense data over the entire medium multiple times to inhibit such recovery, but I'm not aware of such tools for mobile devices today. Plus, flash memory doesn't tolerate such repeat writes as well as magnetic disks, so a truly obscured mobile device may not be stable enough to be reused. It probably makes sense to destroy the device to wipe its data where you need assured access prevention.