iPhone Smackdown: Security vs. Consumerization

It's time to accept the fact that our consumer and business technology worlds are converging

Prepare yourselves for July 11, the day on which a quake will reverberate throughout the IT world, as the all-powerful iPhone descends upon us. Sure, we've had that pesky little device floating around for a year now, but on that day, the price crashes down in a maelstrom of affordability.

What – you don't support the iPhone? Not even with Exchange? Have fun explaining that to your CEO after he realizes that nifty new Major League Baseball application keeps him completely updated on the latest game stats while he sits on his executive toilet.

OK, so I can sling the hyperbole as well as any PR agent, but the truth is the iPhone is representative of one of the most disruptive trends hitting security today – the consumerization of IT. It's not the sexiest term out there, but the consumerization of IT just happens to be one of those pesky disruptive innovations that blows holes through existing security models. I won't use silly terms like "paradigm shift," but clearly how we use and manage IT assets will change, and with that change comes security challenges.

Until relatively recently we drew fairly strict lines between work and personal technology. Work provided, and completely managed, any and all IT assets we needed to get the job done. Our PC (or, occasionally, Mac) was provided by our employer, managed by our employer, and we used said assets (supposedly) while complying with corporate policies. And it isn't just our computers: Many companies still provide and manage cellphones, PDAs, and any other technology we need. While at work, we're restricted from large swaths of the Internet, including personal email, instant messaging, or pesky distractions like news sites, MySpace, or videos of singing cats (the hamster dance of the new millennium). To this day, I have friends who can't send personal emails from work, and have to carry separate work and personal cellphones. All of these assets are strictly locked down in the name of security. Don't even think of installing a new application on your desktop without running it through IT.

Now, not all workplaces are so extreme, and there are still plenty of environments where a high degree of control and management really is the best approach. Why? Because people are idiots (present company included), and we download malware, accidentally email customer lists to our uncle in some former Soviet Republic, delete *.*, and would blow the entire work day browsing porn or playing World of Warcraft if given the opportunity.

We're starting to see those lines between work and home technology degrade at a rapid pace. A generation is entering the workforce that sees cellphones as a hybrid fashion accessory and essential communications device. Cutting them off from SMS is like removing an eye. Right behind them is a generation that feels the same way about IM, social networking sites, and blogging. Want someone with a college education? You're pretty much guaranteed they'll walk in the door not only with a Mac, but with loads of software they've come to rely upon to be productive. Think it's limited to the kids? Last week I was at a conference and a group of us whipped out our cellphones to check schedules – four out of five were iPhones. The odds are very high some senior executives will be asking you to support their new toy before the summer is out.

That's the essence of the consumerization of IT. Be it laptops, cellphones, or Web services, we're watching the walls crumble between business and consumer technology. IT expands from the workplace and permeates our entire lives, from home broadband and remote access to cellphones, connected cars, TiVos, and game consoles with Web browsers. Employees are starting to adapt technology to their own individual work styles to increase personal productivity. The more valued the knowledge worker, the more likely they are to personalize their technology, whether work-provided or not. Some companies are already reporting difficulties in getting highly qualified knowledge workers and locking them into strict IT environments. No, it's not like the call center will be running off their own laptops, but they'll probably be browsing the Web, sending IMs, and updating their blogs off their phones as they sit in front of their terminals.

This is far from the end of the world. While we need to change some of our approaches, we're gaining the technology tools and experience to run looser environments without increasing our risk. There are strategies we can adopt to do just that: