There they go again, those Neanderthal IT folks who use security as a reason to resist change. A recent Computerworld story cites unnamed analysts as giving Apple’s iPad an “F” for its security features, then quotes Gartner analyst Ken Dulaney on why iPhones shouldn’t be used in the enterprise:
Despite Apple’s updates and the inclusion of the Cisco VPN, Dulaney said Gartner concludes that the iPad is “not enterprise ready … and Apple would have no problem with Gartner saying this was not enterprise ready. … We don’t endorse use of netbooks, and the iPad is in the same category. … We don’t think it has the security and manageability capabilities for offline applications and, more importantly, the support of Apple for the enterprise.”
Dulaney is a smart guy, and Gartner tends to be conservative in its recommendations; it was one of the first analyst firms to backtrack on promoting Windows Vista, for example, and it traditionally tells IT to avoid major operating system updates until 18 months or so after the initial version ships. Thus, I know he’s being honest in his cautious approach. It’s clear his standard applies to a broad range of devices, not just iPads.
The flawed premise behind the knee-jerk no
But there’s a flawed premise that Gartner shares with many IT managers: that mobile devices must meet military-grade security needs or, at least, financial-services-grade security needs. Why? After all, most laptops deployed don’t come with the hard-to-break (if, indeed, any) encryption, remote kill capabilities, and application management that analysts and vendors say mobile devices should have.
The fact is most companies are not defense contractors, financial service providers, or similarly highly regulated entities. So why should smartphones meet those industries’ special requirements?
One reason is Neanderthal IT thinking: that IT’s job is to control information and process by preventing users from doing much of anything. That ship sailed years ago, and IT leaders who stake themselves to that approach are doomed. IT’s job is to enable the business and minimize risk where reasonable.
If information is so critical that it needs to be tightly controlled on an iPad or other mobile device, you have to ask why that information is so accessible in the first place. The best way to control highly sensitive information is to not make it available, or at least keep it on the server and never let it be stored on an external device. That’s what many hospitals do with their wireless tablets and laptops, so patient information doesn’t leave the grounds even if the hardware does.
The hypocrisy of Neanderthal IT’s mobile expectations
If the IT department that insists on military-grade security for mobile isn’t doing the same for its laptops and other computers, you know the issue is not security but resistance to change — a reluctance to accept new technologies that are user-oriented.
I’ve seen firsthand what real military contractors have to deal with to protect their secrets: They get to tote an extra laptop for their security work, one that is encrypted at several levels, with automatic drive-wiping if the multiple passwords are incorrectly entered, often requiring a security token device in addition to the passwords. Also, the USB and other ports on those laptops are glued over or otherwise incapacitated. Email is restricted to approved recipients, and users are completely locked out from installing or modifying apps. (Financial-services-grade security isn’t quite as strict and doesn’t usually require a separate laptop, a hardware security token, or an email whitelist.)
Yet I don’t hear analysts and IT managers criticize Hewlett-Packard, Dell, or Lenovo for shipping standard PCs that aren’t so equipped and configured. Why is there no analyst or IT demand for USB-less PCs? After all, USB thumb drives are an incredible security threat. Also, I don’t see most businesses implementing the severe measures that military contractors do. So why are they expected to do so for mobile?
Of course, the big reason is that PCs evolved when IT was focused on mainframes, and its initial resistance to PCs was too little, too late. IT leaders who still think that way see mobile as the new line in the sand: They lost control to the PC, and they’ll be damned if they lose more control to mobile. (Of course, it’s already too late; nearly half of smartphones in use in business today are employee-owned.)
Vendors, analysts, and consultants are happy to play to the Neanderthal IT crowd. After all, securing information is a lucrative business, and the control-freak IT department is the perfect bottomless purse. The latest example is Boxtone, which recently released a study with these findings:
According to the survey of more than 400 IT managers, there are still concerns with connecting the iPhone to the IT infrastructure. According to the report, more than 80 percent of respondents cited security (such as encryption, antivirus, and loss); 50 percent cited IT policy and compliance; and 30 percent listed limited carrier choice as concerns.
Boxtone, of course, sells tools to help IT manage mobile devices — yet it has no offering to manage mobile security, oddly enough. Its competitors — Good Technology, MobileIron, Sybase, Trust Digital, and Zenprise, among others — have released or promoted similar self-interested “studies” over the last few months to promote IT spending on their mobile management tools.
There are of course some businesses and corporate roles that require military- or financial-services-grade security. Right now, only the BlackBerry and in some circumstances the Good server/Windows Mobile combination offer that level of protection. (The forthcoming iPhone OS 4.0 should offer most, if not all, of these capabilities when paired with a management server such as Good’s.)
For the vast majority of businesses, there are plenty of mobile devices whose security capabilities are good enough: iPhone OS-based devices, Windows Mobile-based devices, Palm OS-based devices, Symbian OS-based devices, and in some cases even WebOS-based devices. (Google’s Android is the only major mobile operating system not to have any built-in business-level security capabilities.) As that Computerworld article mentioned, many IT managers who criticized the poor security of the iPad and iPhone weren’t aware of their Cisco VPN support, remote kill, and AES encryption capabilities — their knee-jerk nos were based on ignorance, which is scary, given their key role in security management.
I find it quite ironic that with all the hyperventilation around mobile security, which is disproportionately focused on the iPhone (no doubt there’s some proxy Apple-bashing going on there), you don’t hear criticism of IBM for not embedding mobile-oriented security into its Lotus Domino and Lotus Notes server platform, nor of Novell for not embedding mobile-oriented security into its GroupWise email platform. After all, they’re the access points for the data that allegedly needs protecting. Yet both of these enterprise platforms rely solely on outside vendors — mainly RIM’s BlackBerry Enterprise Server and Good Technology’s Good server — to do the mobile security work.
If security were the real issue, you’d think IT would insist that security be guaranteed at the server level, not leave it to the mobile devices. Instead, most IT organizations are content to bolt on third-party server and mobile-client software that typically handles a subset of their security needs and a subset of the devices out there. If the security considerations were that core, they’d be in the core.
More ironically, only Microsoft has built-in basic mobile security for its server (Exchange). The iPhone OS devices use that, as do the Nokia Symbian and, of course, Windows Mobile devices. Heck, even IBM is now licensing the Microsoft security management technology (Exchange ActiveSync) for use in Notes. My point: If the demand was significant for such strong security as the analysts and Neanderthal IT folks claim, it wouldn’t be a mid-market-oriented vendor like Microsoft leading the way.
So the next time you’re tempted to raise the security shibboleth when someone wants to bring in an iPhone or Droid, ask yourself if you’re not holding those devices to a different standard than you do your laptops and PCs — and why that’s the case. You may find your knee-jerk response is the wrong one, so you might consider a way to safely say yes instead. That’s the first step to moving off a dead branch of the evolutionary tree.