Eric Ogren

Security Impact

Getting enterprises ready for smartphone security

The Android phone from Google is now available in stores near you. Actually, calling Android or even Apple's iPhone a mobile phone is a misnomer - these are full-fledged mobile computing platforms. Ask any user for a demo of their iPhone and I bet 99% of them will show you a cool app, a fun game and playful display features. Maybe 1% will show off the telephone features. These devices have gigabytes of persistent data storage, can easily download applications, and have browser-based user interfaces to corporate applications; the phone just seems to be a special application. The device is much closer to a personal handheld computer that will be within 10 feet of you 24/7.

The technology behind Google's Android and Apple's iPhone is spectacular (and Windows Mobile is none too shabby). The vendors will tout security features, but the reality is that these will need to be added in as the phones become commonplace within the enterprise. Mocana is one start-up with a security toolkit for developers of Android software. Their product set contains the crypto foundation - key management, VPNs, etc. They stress small footprint and tight code, but really I believe there is an opportunity to do so much more. The real security issues are protecting the data that sits on the device for those inevitable occasions when it is left in the backseat of a taxi, protecting business applications and interfaces from malicious activity, and reducing the cost of extending the infrastructure to include these phones.

There are a couple of opportunities to fundamentally change the way IT secures and supports application access via these devices. If we try to do everything the same old way (e.g., load up on antivirus, personal firewall, data leakage prevention, encryption, patch distribution, configuration fingerprinting, etc.), IT will collapse.

  • A smart phone such as Android can always be reachable - IT does not have to wait for a network connection. This changes the rules, as now IT can access the phone (or the phone can initiate action) during off-hours to back up and remove confidential data, copy audit logs, and upgrade corporate-sourced software.
  • Look at delivering applications as a service. Use the connectivity of the phone to connect to host-based applications with a browser or a custom interface app. I know a gazillion people who use their phones to check customer account data on salesforce.com before a meeting, and everybody checks email. Those are applications where the data and application software reside in the data center, where IT can provide services and the data won't be lost. It's simple - keep data and sensitive software off the phone.
  • A smart phone is the ultimate device for shared personal and corporate use. Virtualization technology can reduce the exposure of using smart phones for business, even when the phone is littered with games picked up on the Internet. All business will be virtualized, with verification of the integrity of the virtual interface, and frequent refresh of sensitive code. It is not perfect, but at least the data and the corporate apps will remain protected.

What People Are Saying

Security news

Saw this regarding Verisign and Dexterra a few weeks back...
http://www.dexterra.com/docs/pr/080812-DxPr-SecurityVeriSign.pdf