Disclaimer: I do not want to diss Security as a service here, but I want them to provide me with a solution instead of telling me what I can’t do! So I’ll give my own, humorous view on the issue, hoping that they (all security guys in the world) may understand our needs.
One of the main blocking issues with mobility is security. Take any large corporation and they’ll have a dedicated security team. Everyone will be using RSA tokens and VPN tunnels. The entire intranet is locked down from the outside world and nothing gets past. It all makes sense, until you want to use your mobile device for enterprise purposes.
[Actually, I’m willing to debate whether all this security really does make sense. I can understand that you don’t want any outsider to get write access, but daily documents leaking out is hardly a threat. A lot of these companies don’t really have confidential documents. Apart from privacy regulations, most of the corporate restricted info is just a summary of common sense. It seems to be hip to have “Top Secret” information.
“Our mails mustn’t leak out!!”
-“What? You’ve been sending your illegal price arrangements via email to competitors again? C’mon…” *shrug*
Seriously, let’s stay realistic. But I’m not going to discuss that; I accept the security regulations and just want to find an acceptable arrangement for mobile security.]
Why, oh why, do we try to be holier than the Pope?
When you enter your house, you disable the alarm by typing the code. The code doesn’t change every minute, nor do you have to repeat the process for every room. If you sit quietly on your sofa for 5 minutes, it doesn’t reactivate automatically. No! You enter it once when you come home and you don’t worry about it anymore until you leave the house (or go to bed).
Your bank card has a 4-digit PIN code. The code doesn’t change every minute, yet nobody really worries about the security there. If your bank card is lost or stolen, you call Card Stop and have your card blocked.
You even walk around with a Visa card with a limit of several thousand euros or dollars and no PIN code whatsoever. Only a quick signature is needed, and no one actually verifies that signature. Yet we don’t particularly worry about it.
Your laptop contains a lot of documents stored locally, with a lot of “confidential” information in them. Yet the only protection against local access to your laptop is your user name and a password. Oftentimes the laptop is in standby or hibernate, so the user name is remembered and only the password is needed. Given enough time, they’ll figure out your password and have access to all the confidential documents on the hard drive, even if the entire drive is encrypted: once the machine is past the pre-boot stage the encrypted disk is already unlocked, and that password is all that stands between them and the data. Can you remotely wipe your laptop? You can with a mobile device…. There are actually options to remotely wipe a laptop, but I have yet to encounter the first corporate laptop that actually has that functionality.
Someone printed a report to read in the taxi on the way to the airport, but lost it along the way. Oh no! Data leakage, and no way to wipe it remotely.
You should be thanking God for a mobile device that you can actually control!
Apply this to mobility.
From Security, the message you’ll get is: you need strong authentication!
So really, we’re all going to carry our token next to our mobile phone, wherever we go. When we quickly want to check something on our device, we’ll wait 10 seconds for a new code to refresh and then enter it to get access. And we’ll do this every frigging time our device comes out of standby, because it needs to reconnect. Oh, and PS: if you carry your token and your phone together and they both get stolen, you’re still in for it.
Some go even further and only want to make Citrix and virtual desktops available to mobile devices. Seriously? We want to use mobility for user friendliness and quick access, and your recommendation is Citrix? I’ll have you eat my mobile phone; see how that tastes.
Why is a single PIN code on your mobile device not enough? You enter a 4-digit PIN whenever it comes out of standby and then you can access corporate information via specific apps with specific rights and specific content. You do not need access to everything when you’re on the road. No! You only need the data that makes sense there, and mobile apps will serve you exactly that data.
Use client certificates for the login procedure. They’re reasonably secure, very user friendly and can be managed centrally. What more can you ask for?
Your mobile device is the employee’s responsibility. When you lose it, alert Security by any means possible, just like you would immediately call Card Stop after losing your bank card.
Stop being holier than a laptop when talking about mobile devices. You’ve got data leaking out of every gap, and you’ll only make the problem bigger if you do not supply a reasonable solution to your users. The more you lock users down, the more they’ll find alternative ways to get data out (Google Docs, home servers with VPN, a web server for web services, …). I know, I’m one of those creative users. We’re going to find loopholes anyway. Better to supply us with one big gate, to which you hold the key and control.
Security leaks might actually go down.
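To make the last three paragraphs concrete, here is an added example (my own code, not anything from the original post or from a particular product) of the “big gate” they describe: a gateway that admits a mobile app only when it presents a client certificate issued by the corporate CA, and that bars a device the moment its owner reports it lost, the “call Card Stop” step above. It is Go against the standard library and runs offline: the CA, the gateway certificate and the device certificates are minted in memory, and the names corp-mobile-ca, gateway.corp.example and phone-1, the serial-number blocklist and the greeting text are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"sync"
	"time"
)

// issue stands in for PKI/MDM enrolment: a fresh key pair plus a certificate signed by parent (self-signed root CA when parent is nil).
func issue(cn string, serial int64, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	if parent == nil { // root CA: self-signed and allowed to sign gateway and device certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{PrivateKey: key, Leaf: tmpl}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey.(*ecdsa.PrivateKey))
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func trust(ca tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }

// StartGateway is the post's "big gate": it admits only devices whose certificate chains to the corporate CA and is not on
// the lost-device list. It returns the listen address and the "call Card Stop" function that bars a device by certificate serial.
func StartGateway(ca, gwCert tls.Certificate) (addr string, revoke func(serial *big.Int)) {
	var lost sync.Map // certificate serial (as string) -> true
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gwCert}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust(ca),
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error { // runs only after the chain to ClientCAs succeeded
			if _, gone := lost.Load(chains[0][0].SerialNumber.String()); gone {
				return fmt.Errorf("device %s reported lost: access refused", chains[0][0].Subject.CommonName)
			}
			return nil
		},
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() == nil { // an unknown CA or a barred serial fails here; the alert is already sent
					cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
					fmt.Fprintf(tc, "hello %s, here is the data your app is scoped to", cn)
				}
			}(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func(serial *big.Int) { lost.Store(serial.String(), true) }
}

// Connect is the mobile-app side: present the device certificate, verify the gateway against the corporate CA, return its reply.
func Connect(addr string, ca, device tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: trust(ca), ServerName: "gateway.corp.example",
		Certificates: []tls.Certificate{device}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	reply, err := io.ReadAll(conn) // under TLS 1.3 a rejected device certificate surfaces here, not in Dial
	return string(reply), err
}

// Demo enrols a phone and lets it in, reports it lost, then retries with the lost phone and with a self-signed impostor of the same name.
func Demo() (greeting string, enrolledErr, afterLoss, impostor error) {
	ca := issue("corp-mobile-ca", 1, x509.ExtKeyUsageAny, nil)
	addr, revoke := StartGateway(ca, issue("gateway.corp.example", 2, x509.ExtKeyUsageServerAuth, &ca))
	phone := issue("phone-1", 3, x509.ExtKeyUsageClientAuth, &ca)
	greeting, enrolledErr = Connect(addr, ca, phone)
	revoke(phone.Leaf.SerialNumber) // the user rang Security: phone lost
	_, afterLoss = Connect(addr, ca, phone)
	_, impostor = Connect(addr, ca, issue("phone-1", 4, x509.ExtKeyUsageClientAuth, nil))
	return
}
func main() {
	greeting, enrolledErr, afterLoss, impostor := Demo()
	fmt.Printf("enrolled: %q (%v)\nafter loss: %v\nimpostor: %v\n", greeting, enrolledErr, afterLoss, impostor)
}
```

Run it with go run and you get the greeting for the enrolled phone, then an error for the same phone after it has been reported lost, and another for a self-signed impostor that merely copied the name: the first happens because the serial is on the blocklist, the second because the certificate does not chain to the corporate CA at all. Two things a real deployment adds that this example leaves out: the blocklist lives in a CRL or OCSP responder (or is replaced by short-lived certificates that the MDM simply stops renewing), and the device’s private key is generated inside the phone’s hardware keystore so the certificate cannot be copied off a stolen device; the PIN from the previous paragraph is then what unlocks that key for the app.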
But then again, isn’t Security supposed to be Paranoid? After all, it is their job, so you can’t blame them for it…