Most people may not immediately recognize the name Reinhold Niebuhr, but they are probably familiar with some version of his best known prayer:
"God grant me the serenity to accept the things I cannot change, courage to change the things I can change, and the wisdom to know the difference."
If ever there was a prayer for dealing with the security impact of consumerization, it's that one.
I was recently asked to provide commentary and advice for IT and security folks trying to manage the impact of smartphones on their corporate security. I offered what I hope were some good suggestions on how to help educate users, how to think about security policy, and so on. However, there was one thing I didn't say; a nasty, distasteful aspect of this problem that we may not want to vocalize, but will have to face sooner or later...
What if you can't make them secure? What if, in fact, smartphones can never be secure enough to house sensitive information?
And in case you think I'm being somehow coy here, let me be 100% clear – what I'm saying is, there is a chance that we should not allow anything sensitive to reside on a smartphone. Ever.
What's that? Heresy!
Further clarification – I'm not saying we shouldn't try to make smartphones secure. Far from it. I'm pleased to see how far we have come and how much improvement has been made – and is still being made. Including encryption in the OS is, frankly, table stakes these days, but hey, at least it's there (or will be in some cases). The problem isn't that manufacturers aren't trying; it's that the entire philosophy, the very nature of smartphones, makes them inimical to good security practices.
Now, talking about the "security" of anything introduces some immediate semantic traps, because things aren't either "secure" or "insecure". There's a continuum, and everything sits at some point along that continuum (and where it sits on that graduated scale often depends on the threats you are discussing). It's clear that things that are very simple, inflexible, and with few connections to the outside world tend to live at the relatively secure end of the scale, and things that are complex, highly flexible, and highly connected tend to sit at the other end. So, where would you put your average smartphone? Yep, me too.
Smartphones are brought into the corporate world, in most cases, by the user who wants to keep his/her own device and use it to access corporate resources. Classic consumerization. These users want, in fact, all the things about smartphones that make them (a) cool and (b) a security nightmare. On the corporate side, having mobile, powerful, promiscuously connecting devices running applications with little or no screening is absolutely no way to keep information secure.
The security of user owned Smartphones is always going to take second place to other concerns. If you doubt me, take a look at how people pick their passwords:. By far the most common password people pick for their iPhone is, you guessed it, "1234."
So is the answer to abandon all hope? I think at the very least some cold hard realism is in order here.
First: Businesses are going to have to do their best to keep smartphones secure. That means defining good policies, enforcing some kind of centralized controls, keeping encryption turned on, setting password strength requirements, etc. In other words, business as usual (or at least it should be).
Second: These same organizations are going to have to accept that smartphones are a bad place to keep sensitive information. That doesn't mean that sometimes there won't be sensitive information on them – but on the whole, it's something to avoid as much as possible.
You could argue that at some future date it may be technically possible to lock these systems down to such an extent that they really are more secure. But my point is this: the way people expect to use smartphones means you will be constantly swimming upstream, fighting both the design philosophy of the devices and the way the owner wants to use them. That almost certainly means you'll be fighting unwinnable, expensive battles that make your security policy even less popular than it already is. I doubt that's something most security organizations will want to sign up for.
Debora Plunkett, director of the NSA's information assurance directorate, was recently quoted in an InfoWorld article saying that she really looks to the cloud for data storage and sees smartphones as essentially disposable devices. I think this approach really gets to the core of how businesses will need to think about smartphones and sensitive data. While they may be a poor place to keep health records, they make a great place to quickly call them up and check on a patient's treatment history.
So, in the end, the solution might be to focus our efforts on making cloud storage secure enough, and use smartphones as temporary viewing devices. While organizations may be suffering heartburn over the risk of moving data into the cloud, it’s still going to be less painful than battling every new device release, every new app, and every user from the CEO on down.
Some fights you can win and some you can’t. The trick, of course, is being able to tell the difference.