
Disclaimer: I do not want to diss Security as a service here, but I want them to provide me with a solution instead of telling me what I can’t do! So I’ll give my own, humorous view on the issue, hoping that they (all the security guys in the world) may understand our needs.


One of the main blocking issues with mobility is security. Take any large corporation and it will have a dedicated security team. Everyone will be using RSA tokens and VPN tunnels. The entire intranet is locked down from the outside world and nothing gets past. It all makes sense, until you want to use your mobile device for enterprise purposes.

[Actually, I’m willing to debate whether all this security really makes sense. I can understand you don’t want any outsider to get write access, but everyday documents leaking out is hardly a threat. A lot of these companies don’t really have confidential documents. Apart from privacy regulations, most of the corporate restricted info is just a summary of common sense. It seems to be hip to have “Top Secret” information.

“Our mails mustn’t leak out!!”

-“What? You’ve been sending your illegal price arrangements via email to competitors again? C’mon…” *shrug*

Seriously, let’s stay realistic. But I’m not going to discuss that, I accept security regulation and just want to find an acceptable arrangement for mobile security.]


Why, oh why, do we try to be holier than the Pope?

When you enter your house, you disable the alarm by typing in the code. The code doesn’t change every minute, nor do you have to repeat the process for every room. If you sit quietly on your sofa for 5 minutes, it doesn’t reactivate automatically. No! You enter it once when you come in and you no longer worry about it until you leave the house (or go to bed).

On your bank card, you have a 4-digit PIN code. The code doesn’t change every minute, yet no one really worries about the security there. If your bank card is lost or stolen, you call Card Stop and have your card blocked.

You even walk around with a Visa card that has an X-thousand euro/dollar limit, with no PIN code whatsoever. Only a quick signature is needed, and no one actually verifies that signature. Yet we don’t particularly worry about it.

Your laptop contains a lot of documents stored locally, and plenty of “confidential” information among them. Yet the only protection against local access to your laptop is your user name and a password. Often the laptop is in standby or hibernate, so the user name is remembered and only the password is needed. Given enough time, a thief will figure out your password and have access to all your confidential documents on the hard drive, even if the entire drive is encrypted: disk encryption protects a drive pulled out of a powered-off machine, but once the laptop is unlocked (or the key has been loaded back into memory on resume) it protects nothing. Can you remotely wipe your laptop? You can with a mobile device… There are actually options to remotely wipe a laptop, but I have yet to encounter the first corporate laptop that actually has such functionality.

Someone printed a report to read it in the taxi on the way to the airport, but lost it along the way. Oh no! Data leakage and no way to wipe it remotely.

You should be blessedly happy with a mobile device that you can actually control!

Apply this to mobility.

From Security, the message you’ll get is: you need strong authentication!

So really, we’re all going to carry our token next to our mobile phone, everywhere we go. When we quickly want to check something on our device, we’ll wait 10 seconds for a new code to refresh and then type in the code for our access. And we’ll do this every frigging time our device comes out of standby, because it needs to reconnect. Oh, and PS: if you carry your token and your phone and they both get stolen, you’re still in for it.

Some go even further and only want to make Citrix and virtual desktops available to any device. Seriously? We want to use mobility for user friendliness, for quick access, and your recommendation is Citrix? I’ll have you eat my mobile phone, see how that tastes.

Why is a single PIN code on your mobile device not enough? You enter a 4-digit PIN whenever it comes out of standby and then you can access the corporate information, via specific apps with specific rights and specific content. A 4-digit PIN is only weak against someone who can keep guessing; with the device encrypted and set to wipe itself after a handful of wrong attempts, a thief gets a few guesses, not ten thousand. You do not need access to everything when you’re on the road. No! You only need the data that makes sense, and mobile apps will serve you exactly the data you need.

Use client certificates for the login procedure. It’s pretty secure, very user friendly and can be managed centrally: the company issues the certificate to the device, the user types nothing beyond the PIN, and a lost device is dealt with by revoking its certificate. What more can you ask for?

Your mobile device is the employee’s responsibility. When you lose it, alert Security by any means possible, just like you would immediately call Card Stop after losing your bank card.
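As an added illustration (example code written for this edit, not anything from the original post or the author’s company), here is the whole arrangement in one Go program: a made-up “Corp Mobile CA” enrols a device by issuing it a client certificate, the mobile gateway is a TLS endpoint that refuses the handshake unless the client presents a certificate chaining to that CA, and the “I lost my phone” call becomes one entry in a revocation list. The names (Corp Mobile CA, alice-iphone, mallory-phone), the /mail path and the in-memory revocation map are assumptions for the demo; a real gateway would publish a CRL or answer OCSP, and the device key would live in the phone’s hardware key store.

```go
package main

// Added example, not code from the original post. A made-up corporate CA enrols
// each device with its own client certificate; the mobile gateway refuses any
// TLS handshake without one, and "I lost my phone" is one revocation entry.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// issue makes a P-256 key and certificate for cn, self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, cannot fail
	return cert, key
}

// revoked maps serial number -> true once a device is reported lost (assumed
// in-memory list for the demo; a real gateway publishes a CRL or answers OCSP).
var revoked sync.Map

// newGateway starts the mobile endpoint: only certificates chaining to corpCA pass.
func newGateway(corpCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(corpCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// TLS already verified the chain; the CN is the authenticated device.
		fmt.Fprintf(w, "mail for %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // no certificate, no handshake
		ClientCAs:  pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			// Runs after chain validation succeeded: apply the central "lost device" list.
			if _, lost := revoked.Load(chains[0][0].SerialNumber.String()); lost {
				return errors.New("device certificate revoked")
			}
			return nil
		},
	}
	srv.StartTLS()
	return srv
}

// fetch connects as a device (cert == nil: never enrolled); status 0 means the handshake was refused.
func fetch(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) (int, string) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer c.CloseIdleConnections()
	resp, err := c.Get(srv.URL + "/mail")
	if err != nil {
		return 0, err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body)
}

// Scenario: no certificate, a foreign CA's certificate, an enrolled device, then that device after loss.
func Scenario() ([4]int, string) {
	corpCA, corpKey := issue("Corp Mobile CA", true, nil, nil)
	alice, aliceKey := issue("alice-iphone", false, corpCA, corpKey)
	rogueCA, rogueKey := issue("Rogue CA", true, nil, nil)
	mallory, malloryKey := issue("mallory-phone", false, rogueCA, rogueKey)
	srv := newGateway(corpCA)
	defer srv.Close()
	st0, _ := fetch(srv, nil, nil)
	st1, _ := fetch(srv, mallory, malloryKey)
	st2, body := fetch(srv, alice, aliceKey)
	revoked.Store(alice.SerialNumber.String(), true) // "I lost my phone": one central action
	st3, _ := fetch(srv, alice, aliceKey)
	return [4]int{st0, st1, st2, st3}, body
}

func main() {
	fmt.Println(Scenario()) // [0 0 200 0] mail for alice-iphone
}
```

Running it prints `[0 0 200 0] mail for alice-iphone`: the phone that was never enrolled and the phone carrying a certificate from some other CA never get past the handshake, the enrolled device is served and identified by the CN in its certificate, and once its serial is revoked the same device is refused again, without the user ever typing a token code.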

Stop being holier than a laptop when talking about mobile devices. You’ve got data leaking out of every gap, and you’ll only make the problem bigger if you do not supply a reasonable solution to your users. The more you lock users down, the more they’ll find alternative ways to get data out (Google Docs, home servers with VPN, a web server exposing web services, …). I know, I’m one of those creative users. We’re going to find loopholes anyway. Better supply us with one big gate, to which you hold the key and control.

Security leaks might actually go down.

But then again, isn’t Security supposed to be paranoid? After all, it’s their job, so you can’t blame them for it…


5 Comments


  1. Stephen Johannes
    For publicly traded companies the only true super-sensitive information is “product formulations”, “cost of goods sold”, “pricing”.

    Remember it is legal to provide discounts to customers in certain ways, and not provide those to everyone.  The product formulations are crucial for companies that don’t patent key products or have the recipe under lock and key.

    It would be nice if remote wipe was a reliable means to protect mobile devices, but even that can be defeated without much effort.  I guess the key is what type of sensitive information really should be made mobile and then whether always keeping an offline copy is a wise choice.

    On the other hand we probably don’t need to go overboard in trying to secure information such as it’s taco salad day in the cafeteria, but I still think there are some legitimate gaps that do exist.

    Take care,

    Stephen

  2. Harmeet Sandhu
    This is hilarious but true 🙂 It is easy to go overboard and most of your observations are correct, not only to mobility world but also other areas of enterprise support.

    Thnx

  3. Tom Van Doorslaer Post author
    Thanks all for the replies.

    The way I see it, your average security department has not evolved. Back in the day, you had bulky desktops you could bolt down to the desk. The only way to get data out of the company was by copying it onto paper, or by putting it on a disk. So they removed the disk drives, leaving only the paper transcripts.

    As technology evolved, more means to copy data became available:
    -printing
    -email
    -flash drives
    -cloud storage

    Can security control your email and stop you from sending sensitive data to another mail address? Privacy may be an issue here. Of course, they could block all mails to other domains.

    Can Security prevent you from using flash drives? Unless they physically remove the USB ports, or disable their drivers, those will remain an issue.

    Security can of course prevent access to any cloud storage. But there’s a lot of those. Maybe they should just block internet access?

    Printing, still remains an issue. You can’t stop anyone from printing a document and walking right out. Unless of course you remove all printing possibilities at all.

    The point is, that Security still thinks in terms of “Blocking”. That’s not even me saying this. I’ve talked to quite a few people working in IT security and they all still have the “Blocking” mentality.

    I believe that you simply can’t block all threats. And if somehow you do manage to do so, nobody will still want to work for you. The magical word is no longer “Block”; it’s evolved into “Control”.

    You as security should provide means to share data where necessary and control the way in which it’s done. Control what data can be shared. Control to whom it can be shared. Control how it can be shared.

    Because if you don’t provide a controlled way to share data, you will end up with data leaking out of every crack in the wall without knowing about it.

    You can’t lock a city down without having disgruntled citizens and riots. And they’ll still be sending out pigeons.

    You can however protect your city with a wall and provide a big gate, with gatekeepers.

    To my feeling, that’s where IT security still has the wrong mentality in a lot of companies. I’ve seen only a handful of examples where they used the “Control” mentality, and those were mostly small firms.

    On a side note, I’m still very much convinced of the value of IT security. I’m no security expert either, just giving my POV as a user. But I just can’t get my head around some of the ideas which “Security guys” still have concerning mobility…

