Smartphones and the Road to Compliance Hell

Wayne Rash

If you've been reading this blog regularly, you're no doubt aware by now that I've been spending the last couple of weeks playing with a rather large collection of smartphones. The makers of these devices would like nothing better than having a place at your enterprise computing table. Some of them -- the BlackBerry and the iPhone and to a lesser extent the Palm and Windows Mobile devices -- already do. But there are more devices on the horizon, and you will be inundated with requests to include these in your enterprise as well. You may already have such requests.

With most such devices, the requests are reasonable as long as your e-mail system supports them and any applications will still work. One of the things that I've found out during this smartphone focus is that a move of mobile applications to the cloud is almost inevitable. This is partly because smartphones are pretty limited in what they can do, and partly because they now have decent browsers and are getting high-speed access to the Web, which makes offloading mobile applications to the cloud feasible. As a bonus, nearly any smartphone with a good browser can run a Web-based mobile app that lives in the cloud.

The scary thing is that you may not want nearly any smartphone with a browser having access to your data, your e-mail, or anything else in your enterprise. Part of the equation that goes with adding a smartphone to your enterprise is that the smartphone has to be secure. Some devices have good security and adequate encryption, and some don't. Android-based devices, for example, don't currently have enterprise-class security or encryption available.

There are others. Organizations have found to their peril that the Paris Hilton-endorsed Sidekick isn't at all secure. It's been cracked any number of times, once notably while being used by members of the U.S. Secret Service. Now the issue has grown. Not only do your wireless devices have to be secure, you have to be able to prove it.

And here lies the quandary. On one hand, IT managers are under pressure to allow users to bring their own smartphones to the enterprise. Doing so helps cut costs and raise morale, since everyone gets to use their favorite phone and carrier. On the other hand, not every phone is secure enough for sensitive data or protected information. Worse, in some cases, it's nearly impossible to prove compliance with regulatory and industry requirements.

This means that just because someone has a mobile device that can access your Exchange server, that doesn't mean they should be allowed to. Android devices, for example, now come with the ability to have access to Exchange. But they don't meet the security requirements of regulators. So what do you do? For now, at least, you limit their use to only those employees who don't use any important information.

In the long run, it may mean that you will have to find a means of securing the devices that aren't currently secure. In the case of Android devices, it's a pretty safe bet that the necessary security capability will arrive at the hands of the open source community in short order. But what do you do about the next device, or the one after that?

The short answer is, you have to have a strategy for allowing devices into your enterprise. The day is probably past when you can decree only a single acceptable device, but you can still create a short list of approved devices for employees who handle protected information. Beyond that, once you create your strategy, you need to publish it along with acceptability guidelines so your employees will know up front which devices they can buy and use on your network. To do otherwise is to open yourself up to Compliance Hell, and you probably don't want that.

Dec 22, 2009 5:12 PM Adam Bullock says:
Really great commentary here, Wayne. Have to echo one of the last statements: "have to have a strategy for allowing devices into your enterprise." This is incredibly true, whether for smart phones, policies for social media, etc. Thanks for sharing!
