Fearmongers miss the point on mobile security

Mobile security is too focused on securing the barn doors after the horses have gone, not about protecting the horses

Everyone is talking about security these days, especially in the mobile world. It's become one of the many buzzwords that smartphone makers are throwing out there to make it kosher for you to bring your device to work. It's no longer OK to just sell you a smartphone or tablet; vendors want to promote use in a BYOD program. They throw around terms like "secure containers," "containerization," "encryption," "VPN," "secure communication," "EMM" (enterprise mobility management), and a host of other terms whose use, of course, means it's OK to bring your device into work.

They hit the IT and business groups in enterprises as well. They send them whole white papers about why their technology or the next is the best thing since sliced bread. The problem is that's a just another whiff of the unicorn farts we've dealt with in the past.

[ Read InfoWorld's comparison of mobile security capabilities in iOS, Android, BlackBerry, and Windows Phone. | Subscribe to InfoWorld's Consumerization of IT newsletter today. ]

You see, everyone likes to trumpet the claim that mobile is insecure. Now that people are using their smartphones for work, enterprises are in trouble. The apps that people are using are going to let out all of the confidential data that everyone has been storing for decades. It won't be long until we all have the secret formula for Coke, the recipe for Kentucky Fried Chicken, or -- even worse -- how that McDonald's special sauce is made. These manufacturers and vendors need to throw this FUD (fear, uncertainty, and doubt -- a technique so common it has its own acronym!) out there so that they can then sell you their wares.

The dirty secret that nobody wants you to find out is that mobile has nothing to do with it.

Mobile is just an amplification of all the insecure practices you and your company have been using for decades. Long before we even had computers, people used carbon paper to make copies of files as they were typed and take the home to edit. Along came copy machines, and data became even easier to take home. People didn't buy briefcases just to carry their lunch to work. They used them to make their work easier and carry it around so they could work on it when they needed to. Before briefcases became passé, people lost them all the time.

We went from briefcases to desktop computers and floppy disks. If you had a computer at home, you would just carry the floppy disks back and forth each night so you could work on it. Those gave way to Zip disks (remember those?).

Then, of course, laptops became popular. You could take your work with you anywhere you went. Funny thing, laptops became popular long before whole-disk encryption was even possible. What happened when you lost one of those? It all became moot a few years ago when anyone and everyone had a flash drive. Today, you can get a flash drive that has a terabyte of storage on it.

All these ways of moving data around have existed forever, yet we still focus on the endpoint. We care about that app or that device that the app runs on. "Mobile devices are insecure!" every vendor screams from the rooftops. App vendors start talking about encryption at rest; they of course encrypt the data while it's on your device. If you are really lucky, some talk about encryption while in motion (let's not get started on SSL, please -- that's not data encryption). These vendors all miss the point.

We have loads of technical debt built up in our legacy apps that drive our organizations and enterprises. We spend so much time focusing on the endpoint that we never take the time to look at the data as it resides at the start point. We should be taking care of our data through its whole lifecycle because you never really know where it's going to end up or how it's going to get there.

Let's start with the basics like encrypting our data while it sits in the data center. Let's build identification and authentication frameworks on which we can then base access to that data. Let's develop a system of encryption keys that are based upon identity and can be handed off to apps and devices as needed.

I know -- it sounds really difficult. It sounds expensive, too. There wasn't enough bandwidth, or people couldn't afford the CPUs needed to do things like encryption. But in this day and age, where everyone is using virtualization and can spin up a new instance in seconds, can we really say we can't do what's necessary?

The truth is it's much easier to worry about that endpoint. It's also easier to sell endpoint solutions. That works really well only until that endpoint is a Dropbox folder that someone placed a critical document in or a USB flash drive they copied it to.

There's no doubt I'm oversimplifying things, but if you aren't willing to look at the basics, how can you really sit here and worry about whether the device you are using is FIPS-certified or whether it uses 128-bit or 256-bit AES encryption when you just emailed that data to your Gmail account?

You know, once the horses are already out, it seems awfully silly to close the barn doors.

This article, "Fearmongers miss the point on mobile security," originally appeared at A Screw's Loose and is republished at InfoWorld.com with permission (© Brian Katz). Read more of Brian Katz's The Squeaky Wheel blog at InfoWorld.com or at A Screw's Loose. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform