Is your company ready for 4G mobile connectivity?

Gordon Merrill, MSIA, continues his series on security aspects of operating systems, mobility and the cloud. Everything that follows is Mr. Merrill's own work with minor edits.

* * *

Here are a couple of anecdotes to get us thinking about the shift from company-issued computers to personally-owned mobile computing:

• I had a class of students one day time their smartphones to determine the time from when they pressed the icon for Facebook until login occurred. They averaged less than two seconds, and not all of them have 4G service yet. When, not if, your company moves to the mobile device over the traditional client-server model, you will have to compete with the less-than-two-second connectivity the mobile generation has become accustomed to.

• At a coffee shop, I had to smile as I looked at a customer who was working on his company-issued laptop with a boldly displayed label on the lid warning that no other applications were allowed on the device but those installed by the company. What I chuckled about was that

1. Companies are already losing control over which devices are connecting to their business to do business; and

2. Companies will not be able to control what is on these personally owned devices.

So how do you move away from the old corporate lock-down security approach, which connects only devices owned and issued by the company and running only software and applications installed by the company?

The model we have grown accustomed to has three levels. The network

• verifies the user,

• verifies the device, and

• verifies that the device is free of known malware and vulnerabilities.

The new model now has to perform these steps at the speed of 4G, and at the swipe of a finger. Since all phones are now app-friendly, what app will your company require to be installed on any mobile device to check and verify all three levels of verification before connection? Will the app need to connect regularly behind the scenes to remain current? Will the app need to update pre-screening algorithms so it can scan the device for any new malware prior to the swipe of a finger and the expected two-second connection? Will this need to be pre-authenticated every time the user picks up the phone or turns it on? Does this system require the user to log in every time they open the phone?

Everybody wants the latest new device and technological toy. Everyone wants to be able to use their toy to connect for work and fun and personal reasons either now, or soon. But can they connect securely with our current business and security models? And are we educating our users to understand the importance of extending security to their personal mobile devices?

I know of a regional hospital where the medical director of a certain department has a new iPhone and wanted his hospital e-mail and medical charts to be available on his phone. The hospital allowed him to do so, but on every connection it scanned his device for malware. On his phone was a video of a grandchild sent to him by his son. However, his son had picked up some malware on one of his systems and the video the doctor received contained a virus. Understandably, the hospital security software removed his grandchild’s video. To the amazement of the IT staff, the doctor was irate: he said that IT had ruined his phone and lost his video!

This situation is not isolated. We will increasingly see users challenging (in every sense) our ability to protect data – and comply with laws such as the Health Insurance Portability and Accountability Act (HIPAA) – as the move to mobile computing continues.

In the next part of this series, Gordon Merrill will discuss changing security policies to handle mobility and cloud-computing changes.

* * *

Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon's information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.

Copyright © 2011 IDG Communications, Inc.
