Of iPhones, Google Phones, Androids, and Other Sneaky Security Threats…
Posted by Bob Warfield on November 14, 2007
I’ve been sitting on a couple of articles by Ben Worthen of the WSJ for a little while now trying to decide what to do about them. In essence, Worthen is warning that ubiquitous wireless Internet access in the form of iPhones and such brought inside your corporate walls makes for an immediate security threat. It gets much worse, so the story goes, with things like Google’s Android phone operating system because its open source and who knows what crazy modifications hackers might make.
According to Worthen, 70% of iPhone purchasers intend to use them for business. No surprise given what they cost: too much for a teenager outside Beverly Hills but a bargain compared to a Rolex President in terms of being a business status symbol. The concern is that the iPhone has no built in IT shock collar facilities for these business users. If IT wants to jerk your chain, they need tools such as a remote kill switch that lets IT remotely wipe the data if the employee loses the phone (yeah sure, they push that button if you leave the company too, regardless of how much of the data is personal).
Worthen turned loose two hand wringers on the Google phone. First up was “A Business-Tech Nightmare Waiting to Happen”. You can tell from the title that would be upbeat. It contains a prediction that IT will ban connecting these phones to your computer or the corporate network. Hello? Has anyone seen what happens to laptops that are on the road with salespeople? Good luck with these bans. This was followed closely by the slightly less dire, but still pretty snarky “Will IT Resist the Google Phone At First?”
Here’s my take on all this: why are these phones any different than laptops? They go home at night or on the road and nobody knows what gets installed. They come back, get connected to the corporate network, and they do what mischief they will do. Yes, you’re running antivirus programs and all of that good Safe Computing stuff, but the risks are still there.
How about this for an angle? Move all your data into the cloud and things suddenly get a lot less risky. Yes, that’s right, go SaaS for everything, or at least provide the semblance. If every app is a thin client that is treated as though it’s being run outside the firewall, IT can put into place one set of policies that work for all these gizmos. Why give anyone much access inside the firewall? If all you’ve got is a browser, it’s well understood how to go about buttoning things up so they’re secure.
The obstacle is all the legacy software that won’t run according to this model, but you have to wonder how many people in the company actually need to access that stuff. Start with the laptops and smart phones. Clean up all the apps there and boot them off the corporate network. Move all the data into the cloud. It’ll be backed up, and access will be secure if everyone is using the VPN all the time. Life is simpler.
IT Hates Laptops: Another Worthen gem from WSJ. Predictable, I suppose. IT had better figure out how to quit hating providing value lest they quit providing any value. In the context of my post, this is just more evidence that IT needs to view all access to its systems as coming from outside the firewall. Then they can relax and quite worrying: they’ll be the only ones inside.