Wednesday, October 10, 2007

It's not about the iPhone - it's about the data

No really, it's not. Just bear with me for a couple of paragraphs (unless you fall asleep before you get past the iPhone bits).

I was walking along Regent Street in London over the weekend with a friend and dropped by the Apple Store. He wanted to buy a case for his laptop...not a Mac incidentally. That's becoming common though. Traditionally non-Apple users wanting to buy Apple branded (or inspired) accessories because they just look better than everything else out there. Some like me even decide they want an actual Mac, which is why I have a MacBook Pro. I'd never previously been a Mac user...such is the power of the Mac brand. The products have become fashion accessories, not pieces of technology.

This trip to the Apple Store over the weekend convinced me that never will this be more true than when the iPhone is released here in the UK on November the 9th (actually this will likely be true regardless of where the iPhone is released - except maybe in China where they'll have fake ones out before the release date). The release in the US has already seen unparalleled enthusiasm with the thing being sold out all over the place. The Blogosphere was noisy to the point of being tedious (including A-list blogger Robert Scoble who was first in line at the store to buy the thing and won't stop talking about it - just go to his blog and search for iPhone and you'll see what I mean). I actually ignored my Google Reader items that had the word "iPhone" in it for about 2 weeks.

The thing that actually prompted me to start thinking about this was the queue at the Apple Store. It was unusually long. I'd been there before and there are ALWAYS queues, but this one went out the door and round the corner! There was also a huddled mass around one particular section of the store. I was curious so I went to take a look. A couple of polite nudges, pushes an "excuse me please" grunts later, I emerged only to find they were huddled around the display/demo showcase for the new iPod touch. I don't know why Apple released this thing, but once again they proved they know their market. The iPod touch is pretty much an iPhone but without the phone. It even looks exactly like an iPhone. I then walked along the long queue to see what everyone was buying. You guessed it. They were buying the iPod touch. I guess they don't want the iPhone. Or maybe they want both...which is entirely possible with Apple fanatics. But if the demand for something like the iPod touch is so huge, you can bet the queues for the iPhone will be even longer. Most people will wait for the iPhone rather than buying the iPhone with no phone (aka iPod touch). So this suggests that the demand for the iPhone will far outweigh the huge queue I saw. I could of course have guessed from the reaction in the US, but this is the UK and things don't always work the same way here :)

Even being tied into the O2 network will not be enough to deter people, as observed in the US with AT&T being the exclusive network provider. So why is this the case? Because it is the best looking thing out there and can potentially replace all the devices you have. Your phone, your iPod (itself already achieving cult status and has a huge market share over its competitors), your PDA and your computer. In fact, as it evolves, it WILL replace your computer. As web-based technologies and applications become the norm (and believe me, Generation Y prefer using a web application to a fat Windows client, unless it's a computer game) there will be little need for laptops, except for poor sods like me who have to because I need to give solution demos to customers - I wish I could demo stuff on the iPhone. And that's exactly my point. Unless you need the processing power or a laptop (or desktop) or a decent sized screen, there is no real need for one. And as the iPhone evolves, it'll get to the point where it can power most applications (AJAX-intensive web ones or clients built for the iPhone) and there'll just be docking stations with keyboards and monitors to plug into your iPhone (or whatever mobile device you have). That's a little way off though.

I should also note that the iPod touch, being an iPhone without the phone, also exhibits these characteristics (it even has Wi-Fi capabilities). Whereas the iPod (and its variants) are just glorified USB disks that play music and video.

Don't get me wrong. We'll never do away with the desktop, servers or laptops. We just won't need to use them nearly as often. I get by most days without using my laptop. I just type away on my BlackBerry (and all the rest of you I see in airports, trains...and meetings do exactly the same thing). I could do so much more on a device like an iPhone though. It's an always-connected computer with the capability to interact with web applications much more seamlessly than the phones, BlackBerry and PDA devices of today. The crucial thing about a device like the iPhone is that I can actually use it for things other than email. My Blackberry is pretty useless for anything other than phone calls, SMS messages and emails. I can't view or edit any documents on it because it's just impractical. There are also a limited number of applications I can install on it...and most web-sites don't work properly.

Which means what exactly? It means you can view and manipulate information on an iPhone! This includes critical corporate data that really should be controlled. I know companies are only just starting to figure out how to control data access, movement and usage within their corporate environments and mitigate the risks of data loss and leakage (I see enough organisations about this to be able to make this statement with some level of authority), but the days of putting blinkers on and ignoring non-desktop environments as "just another fad" are going to kick you in the butt if CIOs, CISOs and Security Managers do nothing about it. Not just organisations, but all of us. Guess where all our personal, private information is held...YES, in the uncontrolled hands of the institutions out there that we deal with. Your bank. Your insurance company. Your local council. Your utility providers. Any retailer you've ever bought anything from. The car rental company. The airlines. The hotels. The list is endless, but I think you get the picture.

Why is this actually a problem? Peripheral devices used to simply be able to store data and allow you to cart it off somewhere else. There are levels of control you can place around these USB storage devices, ranging from draconian (e.g. you CANNOT use USB devices) to more elegant solutions that can determine what approved USB devices are and control data movements to and from these USB devices based on the information being moved (e.g. if the information contains personal information, encrypt the data before writing it onto the USB). Once information is on there however, nothing can be done to it until the USB is plugged back into something that can read it. If it's encrypted, it's safe because only an authorised device or machine can read it. If not, it's all garbage. Like I said, hordes of people have iPods and MP3 players but these are just USB devices. Again with the right tools, you can ensure people only load music and video files onto these devices. Or if not, the policies that govern USB usage will at least also apply to iPods and MP3 players.

Of course, I'm assuming that your organisation actually has a USB policy and enforces it. Having one and not enforcing it is pretty stupid. Being draconian about it is also not the smartest thing to do because you're disabling employees from doing legitimate work, but at least it closes off that risk for data to leave the organisation. The key is to practice a level of fine grained control over USB usage and to enable your employees to work more efficiently but within auditable, controllable security guidelines and policies. USB device control is actually very easy, if you have the right controls in place. What's not so easy is the issue around peripheral devices that are smarter than a USB drive.

Until now, the security guys have practiced the "hear no evil, see no evil, speak no evil" policy when it comes to PDAs, mobile phones, BlackBerry devices and the like. We haven't had as many issues here because as I said earlier, very few of us actually use these things to do useful work (except email - although it's debatable whether that's useful most of the time), let alone try to view and edit documents and work with data because it's impractical. There are of course people that do use these devices exactly for this purpose. Organisations just don't know about it...or pretend to not know about it because it's too difficult to figure out and the benefits gained compared to the perceived risks it presents don't keep the executives up at night. The exposure to data leakage and security this presents however, is relative minuscule compared to the iPhone age that is upon us. Or as some have been known to say, a fly on an elephant's bottom (the iPhone is the elephant).

  • Problem number 1: The iPhone (and devices like it - every competitor is going to want a piece of this market) puts a pocket sized, functionally useful computer in the user's pocket.
  • Problem number 2: Every executive is going to want one - and we know how difficult it is to enforce security policies on executives - imagine the risk it's going to pose when they insist on using their iPhone for work and connect it to the corporate environment. And I dare you to try telling them they are NOT allowed to use it for work.
  • Problem number 3: Apple's products are much more prevalent in the demographic that is going to make up the bulk of the workforce in the not too distant future - Generation Y. And they will all want an iPhone or at the very least, an iPod touch.

What this suggests is a dramatic increase in the usage of pocket sized, mobile, always connected to the Internet devices within the enterprise. What was once devices made up of functionally crippled PDAs, phones and BlackBerry devices is going to become a network full of mobile-mini computers that fit in your pocket.

If you think the network perimeter is non-existent in enterprises today, it's going to be even more non-existent when iPhones start popping up all over the place in you enterprise. And when they do (and going based on the launch in the US, it's going to be a huge spike rather than a gradual curve), don't get caught with your pants down.

Think trying to control data leakage and information access within a corporate environment is tough? Try taking down your firewalls and Intrusion Detection Systems. Because this is what the iPhone is going to do to your corporate network if you're not careful. Let's not forget that someone could also walk away with the equivalent of a laptop or desktop and not be noticed because the thing is in their pocket!

Ignore the iPhone and devices like it at your peril. For organisations, it presents a huge headache. For software vendors and system integrators, it's a business opportunity. Of course, it would help if Apple opened up the iPhone's APIs instead of forcing people to hack at it to write applications for it. Until then, I suggest you take a look at your data control and access policies. If an iPhone is plugged in, it may not be such a good idea to let sensitive information get to it...at least not until someone out there gives you a valid solution.

Data security and leakage prevention is a much bigger issue than just USB device control and locking down iPhone access to the corporate environment. But when given a large problem, what does one do? Tackle the biggest one first. I'm not saying the iPhone problem is going to be everyone's largest issue or exposure, but it's not going to go away either.

Did someone say iPhone security agent? No I'm not selling one. I'm pointing out that I have yet to see one. Who is going to step up to the plate?

No comments: