PC sales continue to decline, mobile sales continue to climb, people work at home, and the notion of strict work/life separation for equipment is on its way out for many information workers. Yet most IT organizations and security vendors insist on applying legacy thinking to information security that simply cannot work in the modern world of heterogeneous, anywhere, and mixed personal/business computing. They keep trying to build mobile prisons, extending perimeter defenses across the digital world or creating satellite fortresses on every device. No one willingly enters a prison, and the gulag and straitjacket approaches favored by IT and security vendors will simply be bypassed by business users, who've been doing so for years on the desktop.
It's time to stop the madness and protect what really matters: the information that moves among all the devices. To do so, the industry needs to stop trying to turn smartphones into fortresses that people can't use and to stop forcing the use of proprietary app containers that can't scale across a heterogeneous, interconnected digital environment or that provide only read-only access (what's the point, then, of having the file?). Instead, it's time we focus on protection at the information level, essentially the notion of digital rights management (DRM): encryption and usage policy that travel with the data itself rather than with the device or the app. The only way to make that work is through an industry standard.
There are two great models for how this can work. One is Microsoft's Exchange ActiveSync (EAS) protocol, which provides a de facto standard for basic device security that ensures good hygiene such as mandatory device encryption and passcode enforcement. This single protocol, if broadly adopted and combined with its remote-wipe capability, gets rid of most of IT's often-stated "what if the user loses the device?" fear. The caveat practitioners should keep in mind is that EAS policy is enforced by the mail client on the device, which reports its own compliance; the server has no independent way to verify that the device actually encrypted its storage.
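To make the EAS policy concrete, here is an added example (not code from the column or from Microsoft) that parses the XML rendering of an EAS Provision response and checks it against a minimum hygiene baseline. The element names (DevicePasswordEnabled, RequireDeviceEncryption, and so on) are the real ones from the MS-ASPROV provisioning document; the sample policy values and the baseline thresholds are constructed for this example and are assumptions, not EAS defaults.

```python
"""Audit an Exchange ActiveSync (EAS) provisioning policy for basic device hygiene.

Added example, not code from the column. SAMPLE_POLICY is a constructed sample
in the XML form of an EAS Provision response (MS-ASPROV); on the wire the
server sends it as WBXML. The element names are the spec's, the values are
made up. BASELINE is this example's assumed minimum, not an EAS default.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a Provision response body (XML rendering of the WBXML).
SAMPLE_POLICY = """<Provision xmlns="Provision">
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>1307199584</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>1</DevicePasswordEnabled>
          <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
          <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>10</MaxDevicePasswordFailedAttempts>
          <RequireDeviceEncryption>1</RequireDeviceEncryption>
          <RequireStorageCardEncryption>0</RequireStorageCardEncryption>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
</Provision>
"""

# Assumed minimum baseline (this example's choice, not an EAS default).
# Each entry is (comparison, required value); inactivity lock is in seconds.
BASELINE = {
    "DevicePasswordEnabled": ("==", 1),
    "MinDevicePasswordLength": (">=", 6),
    "MaxInactivityTimeDeviceLock": ("<=", 600),
    "MaxDevicePasswordFailedAttempts": ("<=", 8),
    "RequireDeviceEncryption": ("==", 1),
    "RequireStorageCardEncryption": ("==", 1),
}

_OPS = {
    "==": lambda actual, want: actual == want,
    ">=": lambda actual, want: actual >= want,
    "<=": lambda actual, want: actual <= want,
}


def _local(tag):
    """Strip the XML namespace from a tag so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_policy(xml_text):
    """Return {element_name: int_value} for the numeric settings in EASProvisionDoc."""
    root = ET.fromstring(xml_text)
    doc = next((el for el in root.iter() if _local(el.tag) == "EASProvisionDoc"), None)
    if doc is None:
        raise ValueError("no EASProvisionDoc in policy")
    settings = {}
    for child in doc:
        text = (child.text or "").strip()
        if text.lstrip("-").isdigit():
            settings[_local(child.tag)] = int(text)
    return settings


def audit(settings, baseline=BASELINE):
    """Return a list of (setting, actual, requirement) for every baseline miss.

    A setting the policy does not mention at all is a gap too: the device will
    fall back to its own default, which the server cannot see. It is reported
    with actual=None.
    """
    gaps = []
    for name, (op, want) in baseline.items():
        actual = settings.get(name)
        if actual is None or not _OPS[op](actual, want):
            gaps.append((name, actual, f"{op} {want}"))
    return gaps


if __name__ == "__main__":
    for gap in audit(parse_policy(SAMPLE_POLICY)):
        print("gap:", gap)
```

On the sample above, the passcode and encryption requirements the column mentions are present, but the audit still flags the short minimum length, the long inactivity timeout, the generous failed-attempt count, and the unencrypted storage card. The point for a practitioner is that "EAS is on" says nothing about which policy the server pushed; the policy document is what you audit.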
The other is the Wi-Fi Alliance, the group that ensures interoperability among 802.11 devices, which early on could not talk to each other even though they all implemented the same IEEE standard. The alliance is now trying to create the same assurance of interoperability for video streaming via its Miracast standard. With an interoperable information-level security standard, IT would be assured that critical information remains protected no matter what apps are accessing it and no matter on what devices.
Today, we have a muddle of competing proprietary standards from more than a dozen companies. Their containers typically work only with IT-developed apps that use their specific API and management tool, and sometimes with commercial apps that adopt that proprietary technology. That proprietary nature puts everyone at risk: IT and developers are wed to a single company in a frothy market where vendors come and go. Users are severely limited in the apps and devices they can use -- most of these systems, for example, don't work on Windows or OS X, even though PCs remain the biggest source by far of data loss, whereas mobile is a minor factor.
Some in the security industry understand that today's mobile device management (MDM) and mobile application management (MAM) tools can't both protect information and support realistic work scenarios. MobileIron, for example, has floated the idea of an industry standards group to define an information-level security standard. It's a good suggestion, but it should not be limited to mobile -- and it needs to work like the Wi-Fi Alliance in that it doesn't become a lip-service standards group vendors use to delay interoperability in hopes their proprietary platform might "win" in the meantime.
Any such standard also needs to avoid scope creep. There's a place for MDM (the equivalent of having locks on your doors and an alarm system, a first level of defense), but it should not get commingled with an information-level security standard. There's also a place for MAM, for organizations that need to essentially convert commercially available computing platforms into appliances, such as retailers or public safety organizations. But it too should not get commingled with an information-level security standard. We don't need a theory of everything; in fact, it would ensure that nothing ever happens.