We are in the midst of a perfect storm of technologyconvergence. Mobile devices are proliferating like rabbits inAustralia. Internet connectivity is available almost anywhere inthe western world. Service-oriented architecture allows platform-and device-agnostic interoperability.

Social networking and Web 2.0 applications keep us on the gridand plugged in 24/7. An inevitable result of this trend is that wehave removed the demarcation between work and play. The vastmajority of the duties that an information worker is required toperform can be accomplished on the same device that they use forpersonal recreation.

I looked around the conference table earlier this week and tooknote of the devices in use. I saw iPads (both versions); an Androidtablet; a variety of smart phones; BlackBerries; net books (mostbut not all using an Apple operating system); laptops runningWindows XP, Vista or Windows 7; and one individual with a notebook(paper) and pen. I'm not sure how that Luddite managed to sneakinto an IT meeting.

With the exception of the spiral notebook, all of these deviceswere connected to a network—some using a public Wi-Fi access point,some using secure Wi-Fi, some using RJ-45 connectors, and someusing a connection to a cellular data network. These devices wereaccessing corporate email in the cloud, on-premise Javaapplications, on-premise portal, online meeting software, acollaboration platform in the cloud, another one on premise, Gmail,Office Web Applications, federated instant messaging, and so on.They were consuming and writing to Microsoft Office documents usinga variety of applications that were not all licensed by the folksfrom Redmond. The guy with the paper notebook was the only onestaring at the slide deck projected on the screen.

If your profession involves hands-on work for things likeengines or mechanical devices or building material objects, you mayhave the ability to leave your tools at work and do nothing butrecreate in your off hours. For those of us that deal in businessprocess or information management, we don't have that luxury. Amanager who proudly announces that he leaves his BlackBerry in thecar when he goes home has simply demonstrated that the PeterPrinciple is alive and well in his organization.

I imagine that Karl Marx would have observed the constantly“on-the-grid” life of an information worker and lumped him into themass of slave-like proletarians who “like a horse, must receiveenough to enable him to work but does not consider him, during thetime when he is not working, as a human being.” [Wages of Labour –1844]. 

The fact is we choose our professions, our lifestyles, and ourwork ethic. No one is required to be “on the grid” all the time,but a lot of us willingly decide to do so. I tried to be a ski bumearlier in my life. That didn't work out so well. I enjoy my workand would not choose work I didn't enjoy.

The issue here isn't lifestyle, though, it is reality. Thereality that “bring your own device” has become part of the ITlandscape. We routinely deal with decision makers who need toaccess and use sensitive information outside of the physicalworkplace and outside of the firewall. When I say sensitive data Iam referring to data that would either provide our marketplacecompetitors a competitive advantage or that we simply don't wantanyone who isn't an employee or the signer of an NDA to have accessto.

I am specifically not referring to PCI(Payment Card Industry) data, confidential customer information, ordata that could be used to perpetrate financial fraud. I will callthis restricted data and it clearly must be handled using industrystandards and should never be stored on or be accessible usingnon-secure or semi-secure personal devices. The data we arediscussing is simply information that we use every day in ourbusiness, but that we really don't want the Wall Street Journal orthe New York Times to analyze (or publish). Our concern isprotecting data that falls under the data-loss prevention (DLP)umbrella. There are three legs to the DLP stool—protection of datain use, data in transit, and data at rest.

Electronic data protection is a strange bird. We find itnecessary to create powerful information-security departmentswithin our IT departments to protect our digital assets andintellectual property. Yet we all know there is a much greater riskof someone leaving the latest quarterly sales information in theseat-back pocket on an airplane than there is of someone performinga true electronic attack on our mail system.

Corporate espionage is accomplished by social engineering and“easy” undetectable forms of electronic snooping like monitoringcellphone traffic. It is far too easy to obtain a credit-cardnumber by phishing to make sniffing and decrypting SSL packets aworthwhile exercise. Email systems are notorious weak links,usually accessible using only a username and password. The usernameis ridiculously easy to obtain. That leaves the password, which Ican grab by any number of methods while hanging at the local coffeeshop sucking on my triple venti cappuccino.

So what are the new security weaknesses that we are presentedwith when our users bring their own devices? Ignoring basic deviceand operating weaknesses—things like no secure VPN or the inabilityto use a smart card or biometric readers—the single biggest concernis the device itself. A recent article published by a Germanorganization—the Fraunhofer Institute for Secure InformationTechnology (SIT)—revealed the ability to take a password-protectediPhone, jailbreak it, hack it, and reveal passwords and other dataon the device. Included were email passwords for AOL, Gmail, YahooMail, Exchange, WiFi WPA, VPN passwords, etc.

That is pretty scary stuff. Obtaining the device is obviouslynot a problem. I suspect that could probably be easily accomplishedby hanging out at the right taverns on Friday evenings.Jailbreaking is the term used for code that allows users rootaccess to the operating system on devices running Apple's iOS. Asimilar exploit on Android devices is called rooting. Thisscenario—the stolen and jailbroken iPhone—opens a whole world ofpossibilities and questions.

A Couple of Things…

First, why is it so easy to jailbreak devices? Do the creatorsof the mobile operating system have the ability to preventmalicious code that can bypass standard operating-system protocols?Of course they do. It would be relatively easy to build inprotection that would automatically and immediately scramble enoughbits in the flash memory device to render it unusable as soon asroot access is attempted. For that matter it could simply be set towipe all user data or reset it to factory settings.

The real device owner could rebuild the device easily enough byusing the synching application. So why don't the manufacturers makeit more difficult to thwart jailbreaking? Because they have avested interest in allowing a larger community to developapplications for their platform. Why not let the best and thebrightest use a jailbroken version of your operating system tobuild best-in-class applications? Not only does it validate theplatform as being extensible, it just may open the doorway to aworld-class application that the manufacturer may eventually selland license.

Second, it was recently revealed that your iPhone tracks andlogs the physical location of your device. Now that's probably nota real security concern although it raises a heck of a privacyissue. So now we potentially have the ability to track the rascalthat just stole and jailbroke your phone and who now has all yourpasswords. Conversely he has the ability to determine that youleave your house every night at about 10 p.m. and travel to across-town motel where you remain for about two hours. You may feelthe need to tweet your every move, but that would probably be aconcern for me—assuming I did such things. Which I don't.Anymore.

The Bottom Line

What is important here is that losing physical possession of thedevice is the real problem. I would say that could probably bechiseled in stone as the first commandment of information security.Thou shall not lose thine device. A few years ago an administrativeassistant stole a “secret” Coca-Cola formula from her boss andtried to sell it to Pepsi for something like $1.5M. Pepsi quicklyalerted their rival and the formula was recovered. Physicalpossession of that formula was definitely the issue here—and itdidn't matter if it was a piece of paper or a tablet device. Whatprevented the data loss was the ethical behavior of PepsiCo.

If I leave my corporate laptop at McDonald's I am probably goingto be in big trouble, but chances are the data on my harddrive issafe. The data is encrypted with a strong private-key system, whichmeans it probably isn't going to be accessed by anyone short of theNSA. If a dumb thief attempts to guess my username and password oruse the biometric scan, they are going to get locked out prettyquickly. The machine itself is worth something and can probably beoutfitted with a new hard drive and used. So we are out a thousanddollars or so, but I probably haven't compromised any corporateinformation (unless I left the third-quarter earnings report in theDVD drive).

If I leave my iPad at Panera I may be in a bitmore trouble, and not because Panera patrons are more sophisticatedthan those at MickeyD's. In order to access my iPad I need to typein a six-digit code, so there are a million combinations and youget something like nine tries. The chances are pretty slim that anunskilled hacker will gain access, although I would try theobvious—111111, 123456, 987654, 666666. Nevertheless, the data onthe device is not encrypted and it can probably be hacked for rootaccess. Any data stored on the machine must be consideredcompromised.

We desperately need a security standard for all these newdevices. I can't even say corporate-issued devices because iPadsare now regularly issued to corporate users. You can force users toapply basic password locking of the device by pushing down a policywhen they access corporate email, but they can get around thatpolicy by removing the corporate email account from the device. Ifwe are going to permit the latest generation of mobile Web-enableddevices into the corporate environment we must be able to insistupon certain requirements.

1. All user data must be encrypted using secureindustry-standard methodology.

2. All devices must have the ability to be wiped remotely ondemand.

3. All devices must have configurable, built-in data“self-destruct” capabilities that are triggered by certainconditions.

These are not unreasonable expectations. At the present time weare caught in this perfect storm that is forcing IT departments toaccept what are essentially consumer-entertainment products for usein the corporate environment. I also don't think it unreasonablefor the manufacturers to create corporate variations or plug-insfor their product. Ease of use and extreme portability onlightweight OS's running on ergonomically pleasing devices is agood thing. I love my portable devices. Please don't take away myiPad. I would just like a modicum of additional security. TD

Please address comments, complaints, and suggestions to theauthor at [email protected].