There are millions of IT security people out there who have made a pretty good living keeping their stakeholders' systems, networks and data secure. They have honed their skills in their current environments and, depending on how much regulatory pressure they are subjected to, many have incredibly restrictive policies. These policies are designed to ensure the greatest level of security and compliance, and very often they don't balance the burden placed on the 'users' against the security concerns of the organization.
Security policies that are onerous for users within a company’s facility can become impossible to implement for a mobile solution. These same policies may also be unnecessary or redundant for mobile applications built, deployed and managed using a Mobile Enterprise Application Platform (MEAP). These platforms have layers of security capabilities targeted specifically to address the mobile world. More importantly, some of these seemingly unnecessary internal policies may make the mobile application so unusable that there is very little point in deploying it.
How do you balance your IT security requirements with the ability to address your mobile application requirements? What are the reasons for specific policies, and do they apply to the mobile application or user community? How will 'standard' security policies look, act and feel on a mobile device, and when the user is operating off-line or disconnected from the network? I'm willing to bet that your security policies haven't been designed with any of these considerations in mind, and that's a bet I haven't had to pay off on yet.
There has always been a balance between secure and usable. If most security people had their way, users would need to give a DNA sample and submit a copy of their tax returns before logging into the company's network or applications. On the other hand, most users would like IT to install the 'clairvoyance module' on the system so the computer, network or application already knows who they are and what they want to do before powering it up. Reality sits somewhere in between. The challenge is getting to tolerable solutions that, at a minimum, make neither group perturbed (and forget trying to make both groups happy).
One additional consideration in a mobile world is that your IT security folks have to deal with a syndrome I affectionately call the ‘wild, wild west.’ In the office they can always walk over and unplug your computer. If your worker is mobile, IT’s arms aren’t long enough to reach out and pull the plug on the mobile device and this scares many traditional IT security people. The business users who want a mobile solution on their handheld devices feel that IT security is overreacting. This is not IT’s fault. They have been given a nearly impossible task: keep our stuff secure at all costs. Much like most legal departments (who are tasked with: keep us from getting sued) they rapidly become the ‘business prevention department.’ What I’d suggest is have as many mobility conversations with your IT security team as early and as often as you can. Including them in your requirements gathering and design sessions will help them understand what you are trying to do and what the impact of any security decisions will be on end users.
But beware... You may get the IT executive responses that are sure application killers: 'Frankly, I couldn't care less if this inconveniences the users... I don't care if nobody will use it, that's the way it has to be... This is our policy, take it or leave it...' There are lots more, but you get the point. These responses are a typical sign that you have involved IT security too late in the process. They see you as 'dumping this on them' and when pushed they will retrench and fall back on tried and true policies.
Security is a Balancing Act
When I worked for the phone company I had a field staff. I wanted to provide them with laptops so they could log in from the field (remember, this was years ago). I submitted the request and got a violent reaction from a guy in IT security. The answer was no! Not being smart enough to let it alone I set up a meeting and asked John (the IT dude) to attend. I explained what we were trying to do. He listened and then said, politely, no. I asked why and the response I got was that it would be too easy for somebody to ‘monitor and intercept’ our transmissions and this introduced a security hole.
Since my team often tracked criminals, I explained, in gory detail, what it took to ‘find’ a specific mobile user, camp onto their call, extract the actual data from the call and use that data (complete with graphics, previous case examples, the cost of the equipment required and quotes from Federal, State and Local law enforcement agencies we worked with). He replied, ‘Why are we having this conversation… If our cellular network is that secure it is more secure than walking into one of our retail stores or offices. Go for it.’
John was doing his job. He was tasked with protecting our network, and absent facts he had to fall back on the safest process. Once we gave him the data he could make an informed decision. Being a true IT security dude to the core, he audited our process once we were ready to get going and even spent some time in the field with us to make sure he fully understood how we would be using the system. John was satisfied with the results. By the way, John has turned out to be a very close friend over the years after starting off a bit tense.
The point is that if John hadn’t been doing his job nobody would have reviewed what we were proposing. My mistake was assuming that John knew what I knew about what I was trying to do and the mobile world. That was a huge mistake on my part and caused delays to my project. My bad!
Security is always going to be a balancing act, but without including it in your requirements and design process it has the potential to derail your project entirely, and at the most inopportune time. Start talking now and keep talking until you're all on the same page, and be ready to compromise, because this is a two-way street.
Tags: Brian Philbin, Business Mobility, Business Process, Enterprise Mobility, Mobile Futures Today, Mobile Security, Mobility - General