I've seen firsthand what real military contractors have to deal with to protect their secrets: They get to tote an extra laptop for their security work, one that is encrypted at several levels, with automatic drive-wiping if the multiple passwords are incorrectly entered, often requiring a security token device in addition to the passwords. Also, the USB and other ports on those laptops are glued over or otherwise incapacitated. Email is restricted to approved recipients, and users are completely locked out from installing or modifying apps. (Financial-services-grade security isn't quite as strict and doesn't usually require a separate laptop, a hardware security token, or email whitelist.)
Yet I don't hear analysts and IT managers criticize Hewlett-Packard, Dell, or Lenovo for shipping standard PCs that aren't so equipped and configured. Why is there no analyst or IT demand for USB-less PCs? After all, USB thumb drives are an incredible security threat. Also, I don't see most businesses implementing the severe measures that military contractors do. So why are they expected to do so for mobile?
Of course, the big reason is that PCs evolved when IT was focused on mainframes, and its initial resistance to PCs was too little, too late. IT leaders who still think that way see mobile as the new line in the sand: They lost control to the PC, and they'll be damned if they lose more control to mobile. (Of course, it's already too late; nearly half of smartphones in use in business today are employee-owned.)
Vendors, analysts, and consultants are happy to play to the Neanderthal IT crowd. After all, securing information is a lucrative business, and the control-freak IT department is the perfect bottomless purse. The latest example is Boxtone, which recently released a study with these findings:
According to the survey of more than 400 IT managers, there are still concerns with connecting the iPhone to the IT infrastructure. According to the report, more than 80 percent of respondents cited security (such as encryption, antivirus, and loss); 50 percent cited IT policy and compliance; and 30 percent listed limited carrier choice as concerns.
Boxtone, of course, sells tools to help IT manage mobile devices -- yet it has no offering to manage mobile security, oddly enough. Its competitors -- Good Technology, MobileIron, Sybase, Trust Digital, and Zenprise, among others -- have released or promoted similar self-interested "studies" over the last few months to promote IT spending on their mobile management tools.
There are of course some businesses and corporate roles that require military- or financial-services-grade security. Right now, only the BlackBerry and in some circumstances the Good server/Windows Mobile combination offer that level of protection. (The forthcoming iPhone OS 4.0 should offer most, if not all, of these capabilities when paired with a management server such as Good's.)
For the vast majority of businesses, there are plenty of mobile devices whose security capabilities are good enough: iPhone OS-based devices, Windows Mobile-based devices, Palm OS-based devices, Symbian OS-based devices, and in some cases even WebOS-based devices. (Google's Android is the only major mobile operating system not to have any built-in business-level security capabilities.) As that Computerworld article mentioned, many IT managers who criticized the poor security of the iPad and iPhone weren't aware of their Cisco VPN support, remote kill, and AES encryption capabilities -- their knee-jerk nos were based on ignorance, which is scary, given their key role in security management.
I find it quite ironic that with all the hyperventilation around mobile security, which is disproportionately focused on the iPhone (no doubt there's some proxy Apple-bashing going on there), you don't hear criticism of IBM for not embedding mobile-oriented security into its Lotus Domino and Lotus Notes server platform, nor of Novell for not embedding mobile-oriented security into its GroupWise email platform. After all, they're the access points for the data that allegedly needs protecting. Yet both of these enterprise platforms rely solely on outside vendors -- mainly RIM's BlackBerry Enterprise Server and Good Technology's Good server -- to do the mobile security work.
If security were the real issue, you'd think IT would insist that security be guaranteed at the server level, not leave it to the mobile devices. Instead, most IT organizations are content to bolt on third-party server and mobile-client software that typically handles a subset of their security needs and a subset of the devices out there. If the security considerations were that core, they'd be in the core.
More ironically, only Microsoft has built-in basic mobile security for its server (Exchange). The iPhone OS devices use that, as do the Nokia Symbian and, of course, Windows Mobile devices. Heck, even IBM is now licensing the Microsoft security management technology (Exchange ActiveSync) for use in Notes. My point: If the demand for such strong security were as significant as the analysts and Neanderthal IT folks claim, it wouldn't be a mid-market-oriented vendor like Microsoft leading the way.
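For readers who want to see what "security guaranteed at the server level" looks like in Exchange's case, here is an added example that is not from the column or from any vendor's documentation: an Exchange ActiveSync mailbox policy created in the Exchange Management Shell (Exchange 2007/2010 cmdlets), assigned to a mailbox, and followed by the server-side remote wipe that the column calls "remote kill." The policy name, the mailbox alias and the device ID are hypothetical. The policy carries the same controls the column attributes to contractor laptops (mandatory password, wipe after too many failed attempts, storage encryption), but they are defined once on the server and pushed to every device that syncs the mailbox.

```powershell
# Added example (not the column's or Microsoft's own code): server-side mobile
# policy via Exchange ActiveSync. Policy name, mailbox alias and device ID are
# hypothetical placeholders.

# 1. Define the policy once, on the Exchange server. Splatting keeps each
#    setting on its own commented line (a comment after a backtick would
#    otherwise break line continuation).
$policy = @{
    Name                            = 'Corp-Mobile-Baseline'   # hypothetical name
    DevicePasswordEnabled           = $true        # device must have a PIN/password
    AllowSimpleDevicePassword       = $false       # reject 1234, 1111 and the like
    MinDevicePasswordLength         = 6
    MaxDevicePasswordFailedAttempts = 10           # device wipes itself after 10 failures
    MaxInactivityTimeDeviceLock     = '00:15:00'   # auto-lock after 15 minutes idle
    RequireDeviceEncryption         = $true        # require on-device storage encryption
    AllowNonProvisionableDevices    = $false       # refuse clients that cannot enforce policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to a mailbox. Every EAS client that syncs this mailbox
#    receives the policy on its next sync and must acknowledge it before mail flows.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy 'Corp-Mobile-Baseline'

# 3. Check which devices sync the mailbox and whether the policy actually applied.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Select-Object DeviceType, DeviceModel, DeviceID, DevicePolicyApplied, LastSuccessSync

# 4. Remote wipe ("remote kill") of a lost or stolen device, issued from the server.
#    'Appl12345ABC' is a hypothetical device ID; Apple devices report IDs of that form.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Where-Object { $_.DeviceID -eq 'Appl12345ABC' }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
}
```

Two practitioner caveats. A device honors only the policy elements its ActiveSync client implements, so a policy that looks strict on the server may be partially enforced on an older client; `AllowNonProvisionableDevices = $false` is the server-side check that turns away clients unable to acknowledge the policy at all, which is the closest thing EAS has to a guarantee. And the wipe is delivered on the device's next sync, so a device that has been taken offline before the command is issued will not receive it until it reconnects; the on-device failed-attempt limit is what covers that window.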
So the next time you're tempted to raise the security shibboleth when someone wants to bring in an iPhone or Droid, ask yourself if you're not holding those devices to a different standard than you do your laptops and PCs -- and why that's the case. You may find your knee-jerk response is the wrong one, so you might consider a way to safely say yes instead. That's the first step to moving off a dead branch of the evolutionary tree.
This article, "iPad security: IT's foolish double standard," was originally published at InfoWorld.com. Read more of Gruman et al.'s Mobile Edge blog and follow the latest developments in mobile computing and security at InfoWorld.com.