
the iPhone and IT policies

June 22, 2008

The announcement of the 3G iPhone has re-surfaced the tension between users and IT organizations, because the iPhone is a cool phone that can connect to Exchange email. For IT, cool does not have a lot of value. Yes, it works with Exchange, but it also has a number of drawbacks: an unproven security model, almost no business applications, a limited implementation of ActiveSync mobile applications, and a lock-in to one carrier and two-year contracts. All this with no upside for IT or from a business perspective: there is nothing you can do on an iPhone that you cannot do with a Windows Mobile device. But this is getting into my next post, where I will compare the iPhone and Windows Mobile for enterprise mobility.

In many organizations there will be a very vocal group of users that want iPhones (sometimes executives) and an IT organization that does not trust the iPhone as an enterprise device and does not (for the most part) trust Apple as a credible provider of enterprise technology.

The success rate will depend on two main factors: how badly top executives want to use iPhones and, most importantly, how strict or controlling your IT department is.

In my experience, there are a few IT departments that have very loose policies, a practice of trusting users, and reactive incident control. On the other side of the spectrum there are organizations that will only allow employees to use company-issued laptops, will not allow any non-approved third-party applications to run on them, will probably require two-factor authentication (SecurID or smart card, usually) when accessing any resources remotely, and will require encryption of all confidential information at rest. I used to work at Motorola, which was like this (for example, all files on the intranet had to be categorized based on their level of confidentiality). Microsoft, on the other hand, was leaning towards the trusting/freedom end of the spectrum.

IT organizations will lean towards being protective/controlling either because of paranoia or because of one of many good reasons: the need to handle highly sensitive confidential information (e.g. military, law firms, or banks), the need to comply with government regulations (like HIPAA or SOX), or because they have had bad incidents in the past.

What is important is that IT organizations:

  1. Define what the security and information protection policies are,
  2. Explain the business reasons behind them,
  3. Get executive-level buy-in for the policies and the authority to enforce them,
  4. Communicate the policies to all employees and enforce them regardless of the type of device being used.

The last point is really important. Not too long ago I was sitting with a group of people from the IT department of a Fortune 500 company who were asking if a mobile platform provided for encryption of data at rest. Before answering the question directly, I asked what was the company policy for enforcing encryption on laptops and other devices. The answer: there was none.

I continued to explain that it made no sense to have a different policy based on the type of device. First, the line between mobile devices and laptops is blurring: compare the MacBook Air and other mini PCs with an HTC Advantage, or a Windows Mobile device with a Celio Redfly.

Second, at any given point in time there are probably dozens if not hundreds of company laptops in rental cars, hotels and other public places where they could be stolen. Most people with medium-level technical skills know how to take a hard drive out of a laptop and connect it to a desktop computer, where they would get access to gigabytes of information. My phone is protected with a PIN password, which combined with the wipe policies (local, self or remote) makes it very hard for a would-be information thief: they would have to immediately turn the unit off to avoid a wipe, disassemble the phone, separate the memory from the surface-mount board (which is almost impossible), download the content to a PC using an EPROM reader or an electronic oscillator, figure out the file system and access the information. MacGyver maybe could have done it in his good days.
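The PIN, local wipe and encryption-at-rest controls described above are exactly what an Exchange ActiveSync mailbox policy pushes to every syncing device, whatever the make, which is the "one policy regardless of device" point. The following is an added example, not the author's configuration or Microsoft's documentation: it uses the cmdlet and parameter names as I know them from the Exchange 2007 SP1 Management Shell (verify them against your own Exchange version), and the policy name, mailbox address and device ID are hypothetical placeholders.

```powershell
# Added example: one device-agnostic ActiveSync policy enforcing the controls
# the post lists (PIN, idle lock, local wipe, encryption at rest), then
# assignment, verification and remote wipe. Cmdlets assumed to match
# Exchange 2007 SP1; names in quotes are placeholders.

# 1. Define the policy. AllowNonProvisionableDevices $false is the important
#    caveat: devices that cannot enforce the policy are refused instead of
#    silently exempted, which is what keeps the rule device-independent.
New-ActiveSyncMailboxPolicy -Name "CorpMobile-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign it to a mailbox (in practice, loop over Get-Mailbox or make it the
#    default policy so new users do not start out unprotected).
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy "CorpMobile-Baseline"

# 3. Verify on each partnership that the policy was actually applied by the
#    device, not merely assigned server-side. A device showing the policy as
#    assigned but not applied is the gap an attacker with a stolen handset gets.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceID, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastPolicyUpdateTime

# 4. Remote wipe of a lost or stolen device, picked by the DeviceID seen in
#    step 3 (placeholder value). The wipe executes on the device's next sync,
#    which is why the local-wipe-after-failed-PINs rule above matters as well.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Where-Object { $_.DeviceID -eq "DEVICE-ID-FROM-STEP-3" }
foreach ($dev in $lost) {
    Clear-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false
}
```

The design choice worth noting is step 3: the post's argument is that the policy must be enforced, not just written down, and `DevicePolicyApplied` versus `DevicePolicyApplicationStatus` is the per-device evidence that enforcement happened.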

For most spies or information thieves, it would be so much easier to go to the garbage dump in the back of the building to get access to the information they want. Which brings me to my last point: Users are the weakest link. Two stories to illustrate:

A government official in Europe was sitting next to a colleague. He was reading a lot of emails – in hard copy, on paper. The government person explained that his organization had very strict IT rules which prevented them from using any mobile device, so he printed his emails to read them on planes. Imagine if he lost a page or two, or if any of these government employees were to forget his emails on a plane (people forget books, glasses, laptops and many items that could be considered more important). There is no security to protect paper. At least not yet. Well, at Microsoft they use so many acronyms that people would have a hard time understanding any MS-speak.

The second story I read in eWeek, I believe. A security consulting firm was challenged by an IT director who believed his systems were absolutely secure. Using social engineering, the very next day they appeared at the front desk claiming to be on a very important project and requesting temporary badges. They were supposed to work for someone the agency had learned was on vacation, so the front desk could not confirm their claims. After a few minutes, they proceeded to provide them a badge. During the process, the security officer asked casually if they would be needing access to the company data center. Once they were in the server room, they had full access to all the information in the company. A visit to the CEO’s administrative office during the weekend provided the CEO’s password – on a post-it note under the keyboard – and the key to the CEO’s office in the main drawer. Unfortunately, this scenario could happen in most companies today.

The bottom line: if there is a good reason to enforce security policies in the company and the organization values the confidentiality of their information as well as customer data, a cool gadget is not a good reason to bend or ignore those rules. In fact, it may be against the law.