Social Business, Mobility, and Security

Lock by xserve (Lok Leung) from Flickrhttp://www.flickr.com/photos/xserve/368758286/

Time for some viewer participation.  Raise your hand. If any of the following statements is not true, you can lower your hand.

• You work for an organization that strictly enforces security?  
• You work for an organization that is strictly regulated and require lots of compliance?  
• You work for an organization that does Social Business?  
• You work for an organization that allows you to mix mobility and social business and compliance together while doing it securely?

If you are still raising your hand, look around and count the number of people with their hands still raised. I would guess that you could count the number of people with their hands still raised on one hand.

The solution of building a secure social business solution with compliance buy-in is tough enough as it is, but once you decide to put it on a mobile device, all bets are off.  Why?  Instead of answering the question directly, let me ask you more questions ...  Is your organization willing to lose that valuable information that occurred when two or more employees collaborated on a solution?  How about if that collaboration occurred between an employee and a customer? Partner?  What happens if that collaboration between employees and customers included privacy data or confidential data?  So think of this scenario if you are not worried.

Joe, your star salesman is out and about, meeting with one of his best clients, Jill.  Jill asks a question about how the next version of software will work.  The information she is asking about is confidential at this time, as the company does not want its competitors to know about the new features in the next version of software. 

Unfortunately, Joe doesn't know the answer to the question and would like to get the answer quickly. He would rather not have to get back to Jill and prefers to provide a thorough but quick answer.  He knows the development team can answer the question and uses his mobile social business application to ask the question.   

Jan, one of the developers sees the question from Joe and quickly responds back to Joe, but warns him that if this information gets out, they could have some serious issues.  Joe trusts Jill to not spill the beans and since Jan responded quickly, Joe is able to respond to Jill with the latest information (since he was gabbing it up with Jill).

After Joe meets with Jill, he heads to the airport and while there, leaves his phone in the bathroom.    

What do you do?

The organization has the ability to remotely wipe the device. The organization manages the device and enforces the use of PIN/password on the device and the organization enforces the use of encryption on the device.  

But are those security mechanisms enough?  Managing the device is difficult.  If the device is taken off line, remote wiping the device is not possible.  While a pin/password is good, hacking a PIN (typically 4 digits) is not difficult (9999 combinations).   Passwords are harder but not that much harder.  The device can have a policy set to wipe the device if too many attempts to type in the PIN or password occur.  But in all honesty, who cares about the PIN when you are most interested in the data on the device. Cracking/rooting the device without the use of the password/pin is easier and safer to ensure the data on the device is not wiped.  And once you do that, the device's flash memory(think disk drive) is available to be read.  

So how secure is that confidential data on the device?

You can decide to wait until the device manufacturers and O/S developers play catch-up to make this type of  "security" more "secure".  That could take years.   What do you do?

There is another solution, build an application that is secure.  Have you ever heard of the term, managed application (as compared to managed device).   Managed devices dictate what the owner of the device can and can't do on their device.  It enforces the encryption of the device, forces passwords and other security mechanisms.  In contrast, a managed application allows the developer to dictate what is available for the application and enforces its own security, without relying on the device manufacturer.

How?  A managed application ensures that all of the application data is encrypted, separate and potentially in addition to the device encryption.  A managed application enforces a password for the application.  In the above example, the social business application and the messages sent are secured in transit and if they are stored locally to the device, they are encrypted by the social business application (managed application). If compliance is needed, build it into the system, either capture it at the server side, or provide some means to capture it from the device.