Most of the items that I’ve written here have dealt with the consumer space – online banking and the like – as has the one piece written by my colleague Mike (yup, that was a little dig at my good friend Mike). But many of the same threats that target online consumers, retail banking customers etc. . . are being used against companies. The popular belief now is that the RSA breach was started with a successful spear phishing attack – the same sort of attack that has been used many times in the past to steal passwords and gain access to consumer or corporate banking accounts. So today I’m going to diverge a bit and turn my attention to enterprise security. But don’t fret – I’m not going to give up on mobility just yet.
I’m going to start this off by saying that I’m not an apologist for RIM - or their recently released Playbook. But I am going to throw a bone to their marketing people for recognizing a great message to latch themselves to in the face of an onslaught of marginal reviews and a somewhat dubious product decision (Ok, I’m being somewhat kind here). And that bone is Security!
While many observers are criticizing the need for Playbook users to tether their shiny new notebook to a Blackberry device if they want to access corporate applications (ie: Calendar, email etc. . . ), RIM is claiming that enterprises are looking for exactly that type of security from mobile devices:
“A lot of the people that want this, want a secure and free extension of their BlackBerry”, was CEO Jim Balsillie’s defence.
At the risk of sounding like an unimaginative new grad or marketing wannabe tasked with creating some positioning about a competitor who beat them to the market – this play to security at least validates a need!
I have a colleague who was down at the Infosec World show in Orlando this week and gave a presention on mobile security in the enterprise. The other day I was shoulder surfing while he went through his presentation and frankly I was amazed at the complex issues he was planning to address. We’ve all read the numbers: a recent survey by Morgan Stanley projected that 50% of large enterprises expect to purchase tablets for employees over the next year, and a study from Forrester last year reported that 48% of enterprises were about to invest in mobile applications for their employees.
Yet mobile devices represent an inherent security risk for organizations. My colleague grouped these issues into 3 buckets:
- Risks – which includes things like sensitive information on unprotected devices, shared passwords, sources of viruses, etc. . . ;
- Complexity and Cost – including challenges with device identities, application roll-out, platform selection etc; and,
- Lack of Controls – such as the inability to enforce policies, content monitoring etc . . .
These are all issues that companies are going to have to address if they really want to capitalize on the value of mobile devices. The security issues alone are probably keeping CIO’s and their teams up at night – compounded by the pressure of all those whiney employees who want to VPN into the corporate network from their brand new iPhone/iPad/Blackberry/Android thingy.
But it’s not tethering a new notepad to an acceptable enterprise device (ie: a Blackberry) that is going to be the great security breakthrough that corporate IT/Security teams are looking for – nor segregating data on the device (another suggested approach). If not properly secured, the extension of the corporate network to these devices creates a new hotspot to which other devices, potentially rogue devices, can populate malware and access on to the network. And that is no different whether there is a tethering method or not.
What will help is ensuring that devices that access corporate networks are strongly authenticated. Just like users are when they’re required to access a network. And the easiest way to accomplish this is to put a digital certificate on a devices that enables device authentication. This isn’t going to solve the myriad of other complex issues around the adoption and secure use of mobile devices in the enterprise, but it will solve one critical hole.
But back to RIM – by design or good chance they hooked their wagon to enterprise security. And maybe their defence could bring focus to some of the basic needs when adopting mobile devices for the enterprise. And for that marketing wannabe who’s furiously arguing that it validates the market? It probably didn’t need much validation, but for once they got it right.