With the near insane level of interest in the iPhone now at a dull roar, it's time to figure out how to get the company to buy you one. And it's way past time we really started nailing down what level of security is adequate for a phone -- and to require it. (See i Caramba! iPhone Hacked Already.)
First, if you want the company to buy you an iPhone, there are at least two guys who figured out how, and you can likely justify a couple of the devices as easily as they did. Gartner is clearly helping to keep these phones out of our shops, but when was the last time a non-IT executive listened to Gartner? IT often doesn't get a vote.
What we need is a set of rules that every approved mobile phone must follow, allowing us to more effectively block unapproved phones. This will help us keep out phones that aren't secure, like the first generation iPhone (although Microsoft is evidently working with Apple to make a future generation of the phone better), and cover our backsides when execs need to have the coolest new toy.
With every device, there is likely a list of applications, such as virus checkers, that should be running on it to ensure it isn't broadcasting out things it shouldn't be. The idea that phones can be hijacked and used as spy devices is incredibly scary and likely to become a reality as smartphones from all vendors become more commonplace. Users love to take stuff off of their PCs that they think they don't need, and the result is often a breach that could have been avoided had they left the damned anti-malware tools alone. The mobile phone needs to be able to report what it's running so we can lock it out of the enterprise network if it isn't adequately protected.
Users have a nasty habit of installing things that look fun but are actually malware in disguise. A phone, like a PC, is increasingly a target for all kinds of hostile software. And if the user can install anything, you know some things will bypass the security settings and anti-malware software on the phone, thus enabling them to install something that they shouldn't. You can lock down an iPhone if you detect a threat that could lead to disaster.
Phones are increasingly becoming portals to the outside world, with their own networks that can bridge WiFi security and provide an unauthorized laptop access. Their built-in cameras can capture confidential information, too, but telling users their cameras are off limits isn't as effective as actually being able to simply turn the camera feature off altogether.
In addition, we need to be able to encrypt and protect the data on the phone because these things grow legs: A loss could require public disclosure if the mobile phone contained customer, patent, unreported financial, or employee information.
If the data is stolen or lost from the phone, we need to be able to lock out and possibly destroy that data.
These devices will become portals through corporate security, so we need to find a way to shut that down before the wrong folks get access to things they shouldn't be able to touch.
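As an added illustration (not part of the original column), here is a minimal network-admission check over a phone's self-reported posture, covering the requirements above: required software running, no unapproved installs, encryption, camera lockout and remote lock/wipe. The field names, policy values and sample reports are assumptions constructed for the example; anything the phone does not report is treated as a failure.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy; the column names no specific products or limits.
POLICY = {
    "required_running": {"anti-malware", "mdm-agent"},
    "approved_apps": {"anti-malware", "mdm-agent", "mail", "browser"},
    "max_report_age": timedelta(hours=24),
}

def evaluate(report, now, policy=POLICY):
    """Return (decision, reasons); anything unreported counts as a failure."""
    reasons = []
    ts = report.get("reported_at")
    if ts is None or now - ts > policy["max_report_age"]:
        reasons.append("posture report missing or stale")
    missing = policy["required_running"] - set(report.get("running", []))
    if missing:
        reasons.append("required software not running: " + ", ".join(sorted(missing)))
    installed = report.get("installed")
    if installed is None:
        reasons.append("installed-app inventory missing")
    elif set(installed) - policy["approved_apps"]:
        extra = sorted(set(installed) - policy["approved_apps"])
        reasons.append("unapproved apps installed: " + ", ".join(extra))
    for field, label in (("storage_encrypted", "storage encryption"),
                         ("camera_disabled", "camera lockout"),
                         ("remote_wipe_enrolled", "remote lock/wipe")):
        if report.get(field) is not True:
            reasons.append(label + " not confirmed")
    return ("admit" if not reasons else "block", reasons)

# Constructed sample reports (not real device data).
NOW = datetime(2007, 7, 16, 12, 0, tzinfo=timezone.utc)
COMPLIANT = {
    "reported_at": NOW - timedelta(hours=1),
    "running": ["anti-malware", "mdm-agent", "mail"],
    "installed": ["anti-malware", "mdm-agent", "mail", "browser"],
    "storage_encrypted": True, "camera_disabled": True,
    "remote_wipe_enrolled": True,
}
# User removed the anti-malware tool and installed an unapproved app.
TAMPERED = dict(COMPLIANT, running=["mdm-agent", "mail"],
                installed=["mdm-agent", "mail", "browser", "free-game"])

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("tampered", TAMPERED), ("silent", {})):
        print(name, evaluate(rep, NOW))
```

A self-report is only as trustworthy as the agent producing it, so a phone that can be hijacked can also misreport; the check is a floor for admission, not proof of a clean device.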
User Authentication Management
Until phones come with consistent biometrics (and likely even after), we need management control over phone passwords. Password-protected notebooks and phones are becoming similar repositories for your data, and there's a good chance that policies initially written for PCs apply to smartphones. We need to enforce these policies on iPhones and other mobile phones.
Passwords (which should have been made obsolete years ago) get lost, forgotten, and need to be reset. Mobile phones should not require a password, but instead should have the ability to lock up their data. The danger of password-protected phones would be an emergency situation where, say, a woman was being raped and couldn't call for help because she didn't remember her iPhone password.
If you're sending out an emergency message about anything from a natural disaster to a terrorist attack, you need to be able to alert the employee that this is no spam message. The ability to tie notifications to specific alerts would be a massive help in preventing the kinds of communications problems seen over the last few months in natural and man-made disasters.
We need to be able to set alert sounds so employees know that means immediately drop everything and move -- to save their own lives and the lives of their co-workers.
Who Can Do This Now?
I only know of two companies that offer most of these security features now -- HP, with its new enterprise cellphone offering, and Good Technology.
In the meantime, you can probably scare potential iPhone buyers half to death by showing them what the total cost of this phone is likely to be. You can also check out the HTC Touch, which is the only iPhone-like product that can be set up to meet most of these requirements. You can only buy it currently at Dynamism.
And, you can share with your family the high-quality customer the iPhone is attracting and use him as an example of what you don't want your kids to grow up to be.
Seriously, though, it's well past time we secured these things.
Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading.