The next frontier in fearing the iPad

Some in IT keep looking for another reason to say no to the world of consumerized IT; mobile DLP is their latest attempt to regain control

In 2010, scaredy-cat IT and security folks wrung their hands over users bringing in their own smartphones and tablets. In early 2011, they wrung their hands over how to control the applications on those devices. Now they're wringing their hands over data leakage from those devices, prompting security vendors to offer mobile DLP (data loss prevention) tools. Zenprise is the first, but you can bet more will follow. (Have you heard of any iPad- or iPhone-related data breaches? I didn't think so.)

I have to give these folks credit: They're persistent in finding ways to say no to modern technology and the realities of today's "consumerized IT," or at least to look for new ways to bind it up in hopes maybe it'll strangle to death. (Good luck with that.) Of course, it's the iPad that seems to stoke these folks' fears the most -- ironically, because it can connect to business systems and actually work with much business data, so people want and use it.

[ Apple has much to learn about securing Mac OS X -- and Microsoft could teach it how. Luckily, iOS security is much, much better. | Compare the security and management capabilities of iOS, Android, WebOS, Windows Phone 7, and more in InfoWorld's Mobile Management Deep Dive PDF report. ]

Let's be clear: There is data to protect, and I don't believe "anything goes" is the the right policy. And there is some technology worth considering to do so, as I describe later. But I see another agenda behind much of these claims over security concerns. I notice, for example, that companies citing fears over sensitive data emailed to an iPad or of users having unapproved apps on an Android tablet don't have the same concern over data emailed to computers or over the fact that they happily let employees work after hours from home computers full of personal apps. There's a double standard that reeks of a hidden agenda to block the shift to employee-driven technology or to assert new levels of self-justified control in a perverse land grab for relevance or job security.

A good test of whether a security policy is legitimate is if it is applied equally to all endpoints. These days, many endpoints are in use, and we will not go back to the day of employees all working at a corporate office on corporate PCs unconnected to the Internet and locked out from the rest of the world. It's 2011, not 1981. A second good test is whether its cost (in money, lost flexibility, lost opportunity, and time) is worth whatever is being secured.

The fact is, the iPad and all the other mobile devices that have enjoyed so much uptake by individuals and enlightened businesses bring tremendous benefit. More work can be done in more places, improving customer satisfaction and the company's bottom line. Employees can use the tools and devices that fit their personal style, reflecting and honoring what they bring to the table -- they are not robots, after all. And they can use a mix of personal and business tools, which helps the business because now they work more and across additional hours of the day. Additionally, this compensates the employee by letting them reclaim some of that time for their personal lives.


Proposing one problem, but addressing another

Back to this third wave of fear over data on iPads: This week, Zenprise announced an iPad app and related server software that lets iPad users access SharePoint files on their tablets, with the permissions and restrictions honored on the iPad. That's great -- Microsoft's approach to SharePoint has been to restrict it to Windows PCs and Windows Phone 7 smartphones, which only encourages employees to copy the files to cloud storage, email them, and otherwise work outside of SharePoint when they're using an iPad, Android tablet, Mac, or a home PC. This tool addresses some of the security risk created by Microsoft's lock-in strategy for SharePoint. (Zenprise plans a version for Android next year. It started with iPads because they are so widely used in business.)

But Zenprise's pitch didn't start so constructively. It first took the fearmongering route, using an example of the increasingly common practice of boards of directors using iPads to work with the sensitive documents in board meetings rather than going with paper copies. In this regard, corporate boards aren't alone: I learned during a work trip earlier this year that several counties in Florida now give their boards of supervisors iPads to review legislative and regulatory proposals, as they are easier to set up and use than computers.

The Zenprise pitch was that a DLP tool would keep such sensitive documents secure -- except it wouldn't. If the data were emailed, as I was informed, once the data left the organization to its legitimate, DLP-approved recipients, those files could be abused as desired on an iPad, a computer, or any other device with email access. Plus, in Zenprise's case, its DLP is limited to files accessed directly from SharePoint, so it wouldn't address an emailed document. For any documents accessed directly from SharePoint that the user had permission to edit locally, that local copy is not managed by SharePoint or the Zenprise app (it's now in another app, for editing), so it's now free for abuse. The tool does not address the example problem.

The other scary scenario in the pitch was the notion that IT set the data security policies. That's a mistake. Document access policies are a legal and business decision, not one that IT should make. IT should provide the tools to implement the policies and to monitor their compliance, but if IT has to decide what to protect -- or even if someone has to go to IT to protect a document, rather than do it directly -- something is seriously wrong with your technology management.

I don't mean to pick on Zenprise. The folks there try to balance the demands of their customers (for a security vendor, that means the most paranoid ones) with the realities of the users who ultimately deploy their customers' tools. But when a nuanced vendor like Zenprise goes down the fearmongering path, you can only imagine what the more old-school firms will say when they decide to join in.

A better approach to securing corporate data on the iPad

What's changed in business in the last decade (it started with working at home, not with iPads) is that information has to flow to be useful, because different people who may not even be in your organization need to create, refine, and act on it. That means it goes through multiple endpoints and a variety of tools. The old-fashioned approach was to standardize everything on a common platform and toolset, with the common security layer across it all -- the classic model for IT control. But that doesn't work when the world is heterogeneous and by definition not standardized. That's what it is today in most places, and traditional IT control doesn't fit that new world.

Within a SharePoint context, letting iPad users participate within the same rules as Windows users is a good thing. But at the end of the day, it's a partial solution attacking the wrong problem. And let's be honest, Zenprise is not offering a DLP tool but a mobile SharePoint client. That's a good thing for many companies in the here and now that use SharePoint, but it only works in the SharePoint context. If anything, the "consumerization of IT" phenomenon should teach IT that point solutions are insufficient in a heterogeneous context.

So, if you were to use the Zenprise SharePoint client, you couldn't stop there. You might also want to deploy a remote access tool that has the iPad user work with the data virtually so that sensitive information never leaves the managed server -- not just SharePoint servers -- in the first place. That approach of course requires expensive, management-heavy, and bandwidth-intensive desktop virtualization.

Of course, there's a simpler twist on that approach: Using services like Accellion and Box.net that let you set up access-managed shared folders, where documents are restricted to a managed workspace on the mobile device. The problem with these services is that they restrict the users to basic reading and commenting; an employee who wants to work on a proposal or presentation is either prevented from doing so or moves the files to another app, breaking the management control over that file. But that could change: both companies, as well as GoodReader and six others are looking to implement MobileIron's content management API in their apps; not yet in beta, this technology would let IT set policies for content via an MDM tool that the apps would enforce.

A better approach for many companies than all of these would be to extend traditional DLP to mobile devices. DLP works by funneling data traffic to a server that analyzes the content and applies its rules to it (usually just flagging suspect transmissions, but sometimes acting on them, such as to block the transmission).

That way, you're handling all apps and communications, regardless of the
endpoint device, through a universal filter at the data center, where this effort should happen anyhow. In fact, the endpoint device isn't involved, so you don't need to worry about if an app or OS gives you the visibility you need; all you need to do at the endpoint is ensure that its communication is routed through the DLP server. I suspect we'll see DLP tools get extended just that way to handle the new generation of mobile devices -- I sure hope so.

But over the longer term, DLP itself suffers from being an island. It can handle data sent over communications channels, but there are other means to get data from devices, such as local file copying. Ultimately, what we need is digital rights management that works across apps and platforms -- a universal standard that carries the DLP rules with the data itself. Until it exists (if it ever does, considering how proprietary the tech industry has become again, though MobileIron's effort could be a jumpstart), IT is stuck with old approaches that don't fit the new world in which IT still has to provide security.

No easy answers for legitimate IT security needs

Even IT and security leaders who aren't looking to enrich security vendors by asking for more tools that won't really work have a problem: How to secure all the data (and just the data) that needs to be protected while supporting the shift to employee-provided technology and its accompanying flexibility. However, there's no good answer -- yet.

Flexibility and control are a hard combination to get. But users will accept that goal and work with you on it. Remember, not all problems are solved with technology; people are good tools, too. You can start by not trying to recapture mainframe-era IT control, but instead figuring out what data really needs to be protected. From there, you can manage, monitor, and log access to the data so that it's available to those you trust. If it leaks, you might also know who's broken that trust.

If you try to use security to block the flexibility that consumerized IT is really all about, you'll drive your users underground (which increases your security risk), waste lots of money on tools that don't work as you want, and get in the way of your business's ability to work well, setting a path to failure and, ultimately, oblivion.