We are in the midst of a perfect storm of technology convergence. Mobile devices are proliferating like rabbits in Australia. Internet connectivity is available almost anywhere in the western world. Service-oriented architecture allows platform- and device-agnostic interoperability.
Social networking and Web 2.0 applications keep us on the grid and plugged in 24/7. An inevitable result of this trend is that we have removed the demarcation between work and play. The vast majority of the duties that an information worker is required to perform can be accomplished on the same device that they use for personal recreation.
I looked around the conference table earlier this week and took note of the devices in use. I saw iPads (both versions); an Android tablet; a variety of smart phones; BlackBerries; netbooks (most but not all using an Apple operating system); laptops running Windows XP, Vista or Windows 7; and one individual with a notebook (paper) and pen. I'm not sure how that Luddite managed to sneak into an IT meeting.
With the exception of the spiral notebook, all of these devices were connected to a network—some using a public Wi-Fi access point, some using secure Wi-Fi, some using RJ-45 connectors, and some using a connection to a cellular data network. These devices were accessing corporate email in the cloud, on-premise Java applications, on-premise portal, online meeting software, a collaboration platform in the cloud, another one on premise, Gmail, Office Web Applications, federated instant messaging, and so on. They were consuming and writing to Microsoft Office documents using a variety of applications that were not all licensed by the folks from Redmond. The guy with the paper notebook was the only one staring at the slide deck projected on the screen.
If your profession involves hands-on work for things like engines or mechanical devices or building material objects, you may have the ability to leave your tools at work and do nothing but recreate in your off hours. Those of us who deal in business process or information management don't have that luxury. A manager who proudly announces that he leaves his BlackBerry in the car when he goes home has simply demonstrated that the Peter Principle is alive and well in his organization.
I imagine that Karl Marx would have observed the constantly “on-the-grid” life of an information worker and lumped him into the mass of slave-like proletarians who “like a horse, must receive enough to enable him to work but does not consider him, during the time when he is not working, as a human being.” [Wages of Labour – 1844].
The fact is we choose our professions, our lifestyles, and our work ethic. No one is required to be “on the grid” all the time, but a lot of us willingly decide to do so. I tried to be a ski bum earlier in my life. That didn't work out so well. I enjoy my work and would not choose work I didn't enjoy.
The issue here isn't lifestyle, though; it is reality: “bring your own device” has become part of the IT landscape. We routinely deal with decision makers who need to access and use sensitive information outside of the physical workplace and outside of the firewall. When I say sensitive data I am referring to data that either would provide our marketplace competitors a competitive advantage or that we simply don't want anyone who isn't an employee or the signer of an NDA to have access to.
I am specifically not referring to PCI (Payment Card Industry) data, confidential customer information, or data that could be used to perpetrate financial fraud. I will call this restricted data and it clearly must be handled using industry standards and should never be stored on or be accessible using non-secure or semi-secure personal devices. The data we are discussing is simply information that we use every day in our business, but that we really don't want the Wall Street Journal or the New York Times to analyze (or publish). Our concern is protecting data that falls under the data-loss prevention (DLP) umbrella. There are three legs to the DLP stool—protection of data in use, data in transit, and data at rest.
Electronic data protection is a strange bird. We find it necessary to create powerful information-security departments within our IT departments to protect our digital assets and intellectual property. Yet we all know there is a much greater risk of someone leaving the latest quarterly sales information in the seat-back pocket on an airplane than there is of someone performing a true electronic attack on our mail system.
Corporate espionage is accomplished by social engineering and “easy” undetectable forms of electronic snooping like monitoring cellphone traffic. It is far too easy to obtain a credit-card number by phishing to make sniffing and decrypting SSL packets a worthwhile exercise. Email systems are notorious weak links, usually accessible using only a username and password. The username is ridiculously easy to obtain. That leaves the password, which I can grab by any number of methods while hanging at the local coffee shop sucking on my triple venti cappuccino.
So what are the new security weaknesses that we are presented with when our users bring their own devices? Ignoring basic device and operating-system weaknesses—things like no secure VPN or the inability to use a smart card or biometric readers—the single biggest concern is the device itself. A recent article published by a German organization—the Fraunhofer Institute for Secure Information Technology (SIT)—revealed the ability to take a password-protected iPhone, jailbreak it, hack it, and reveal passwords and other data on the device. Included were email passwords for AOL, Gmail, Yahoo Mail, Exchange, WiFi WPA, VPN passwords, etc.
That is pretty scary stuff. Obtaining the device is obviously not a problem. I suspect that could probably be easily accomplished by hanging out at the right taverns on Friday evenings. Jailbreaking is the term used for code that allows users root access to the operating system on devices running Apple's iOS. A similar exploit on Android devices is called rooting. This scenario—the stolen and jailbroken iPhone—opens a whole world of possibilities and questions.
A Couple of Things…
First, why is it so easy to jailbreak devices? Do the creators of the mobile operating system have the ability to prevent malicious code that can bypass standard operating-system protocols? Of course they do. It would be relatively easy to build in protection that would automatically and immediately scramble enough bits in the flash memory device to render it unusable as soon as root access is attempted. For that matter it could simply be set to wipe all user data or reset it to factory settings.
The real device owner could rebuild the device easily enough by using the syncing application. So why don't the manufacturers do more to thwart jailbreaking? Because they have a vested interest in allowing a larger community to develop applications for their platform. Why not let the best and the brightest use a jailbroken version of your operating system to build best-in-class applications? Not only does it validate the platform as being extensible, it just may open the doorway to a world-class application that the manufacturer may eventually sell and license.
Second, it was recently revealed that your iPhone tracks and logs the physical location of your device. Now that's probably not a real security concern although it raises a heck of a privacy issue. So now we potentially have the ability to track the rascal that just stole and jailbroke your phone and who now has all your passwords. Conversely he has the ability to determine that you leave your house every night at about 10 p.m. and travel to a cross-town motel where you remain for about two hours. You may feel the need to tweet your every move, but that would probably be a concern for me—assuming I did such things. Which I don't. Anymore.
The Bottom Line
What is important here is that losing physical possession of the device is the real problem. I would say that could probably be chiseled in stone as the first commandment of information security. Thou shall not lose thine device. A few years ago an administrative assistant stole a “secret” Coca-Cola formula from her boss and tried to sell it to Pepsi for something like $1.5M. Pepsi quickly alerted their rival and the formula was recovered. Physical possession of that formula was definitely the issue here—and it didn't matter if it was a piece of paper or a tablet device. What prevented the data loss was the ethical behavior of PepsiCo.
If I leave my corporate laptop at McDonald's I am probably going to be in big trouble, but chances are the data on my hard drive is safe. The data is encrypted with a strong private-key system, which means it probably isn't going to be accessed by anyone short of the NSA. If a dumb thief attempts to guess my username and password or use the biometric scan, they are going to get locked out pretty quickly. The machine itself is worth something and can probably be outfitted with a new hard drive and used. So we are out a thousand dollars or so, but I probably haven't compromised any corporate information (unless I left the third-quarter earnings report in the DVD drive).
If I leave my iPad at Panera I may be in a bit more trouble, and not because Panera patrons are more sophisticated than those at MickeyD's. In order to access my iPad I need to type in a six-digit code, so there are a million combinations and you get something like nine tries. The chances are pretty slim that an unskilled hacker will gain access, although I would try the obvious—111111, 123456, 987654, 666666. Nevertheless, the data on the device is not encrypted and it can probably be hacked for root access. Any data stored on the machine must be considered compromised.
We desperately need a security standard for all these new devices. I can't even say corporate-issued devices because iPads are now regularly issued to corporate users. You can force users to apply basic password locking of the device by pushing down a policy when they access corporate email, but they can get around that policy by removing the corporate email account from the device. If we are going to permit the latest generation of mobile Web-enabled devices into the corporate environment we must be able to insist upon certain requirements.
1. All user data must be encrypted using secure industry-standard methodology.
2. All devices must have the ability to be wiped remotely on demand.
3. All devices must have configurable, built-in data “self-destruct” capabilities that are triggered by certain conditions.
These are not unreasonable expectations. At the present time we are caught in this perfect storm that is forcing IT departments to accept what are essentially consumer-entertainment products for use in the corporate environment. I also don't think it unreasonable for the manufacturers to create corporate variations or plug-ins for their product. Ease of use and extreme portability on lightweight OSes running on ergonomically pleasing devices is a good thing. I love my portable devices. Please don't take away my iPad. I would just like a modicum of additional security. TD
Please address comments, complaints, and suggestions to the author at [email protected].