We often talk about consumerization of IT. The advantages are huge – and so are the risks.
The key challenge is, that we increasingly started to rely on devices built for consumers to safeguard our company’s – or even worse our country’s – secrets. Consumerization is huge and makes a lot of sense from a productivity angle. However, I have not seen too many companies really doing a risk assessment and proper mitigations. It is often a yes or no and where it is a no, the senior leaders of the companies turn it into a yes.
There was quite some debate in this context about Windows Phone 7 and the security features. I am convinced that this is the most secure platform out there currently but we are missing some features like device encryption. On the other hand, I rather have good and strong encryption than one which can be broken in minutes (Phone Security:Lose your Passwords on iPhone in a few minutes).
Looking at these articles, it will be interesting to see, where these trends lead us:
- Federal government loosens its grip on the BlackBerry
- ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps
- Extracting the File System from iPhone/iPad/iPod Touch Devices
Should you ban such devices? Not at all as you will lose this fight but doing a proper risk assessment and mitigation would make sense. What kind of sensitive information do you allow on these devices (do you even have an implemented data classification scheme?) How do you protect your network (what about IPSec?) etc.
We might be missing features and we will deliver them but we all know that the basic security cannot be built into software afterwards and at least we did our homework with Windows Phone 7 there.