I've been talking to many IT executives in recent weeks at various conferences, and I'm finding a curious bifurcation among them when it comes to how they handle newfangled mobile devices such a iPhones, iPads, and Android smartphones and tablets. Some have the attitude "people can bring whatever they want, so long as the devices support our security policies," while others take the "I'm very leery of how these will compromise my organization's security if I let them in" position.
Yes, people in IT -- many of them, in fact -- still register the fear reaction to the new smartphone and tablets whose usage has exploded in recent years. I'm shocked at one level, but not at another.
[ Follow Galen on Twitter. | InfoWorld's Bob Lewis argues that IT needs to stop being control freaks and instead become stewards. | Updated for Android 3.0: Learn how to manage iPhones, Androids, BlackBerrys, and other smartphones in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. ]
I'm shocked because any organization that truly has its security threatened because there are iPhones in the building have much bigger problems than any single device: They have fundamentally insecure IT operations that haven't acknowledged the idea of a physical perimeter is long gone in this era of wireless communications and high usage of outsourced services and contract employees. No device should have unchallenged access to sensitive information just because it's in the building, and the notion that security measures would let newfangled devices right in is an absurd one.
I don't believe most of these companies have any basis for their fears. After all, they use virtual LANs, VPNs, permissions-based access, and the like already, and iOS and Android devices have no secret ways to blast through those. If a file server or database requires a password or other credential to gain access, that applies to mobile devices just as it does to PCs and remote computers.
The outdated basis for IT's fear of mobile devices
The fear is typically based on another belief: People will be able to put information on their mobile devices and spirit it out of their organizations. Well, duh -- employees have always been able to do that, using handwritten notes on paper, photocopiers, recordable CDs, email forwarding, USB thumb drives, remote access, FTP sites, laptops, and the like. The fact that an iPhone too can act as a storage device is just more of the same.
The fear centers on endpoints, and it misses the purpose of security. IT should be securing systems and data, not trying to control endpoints. There are simply too many endpoints, and trying to confine this expanding universe will only lead to hugely wasteful and ultimately ineffective efforts. Think of the hullabaloo five years ago over the need to secure laptops; now ask yourself if you actually spent all the time and money required to do so as recommended by security vendors or if you quietly stopped.