End User Computing: Protecting Data From the Device

Some of us have multiple cloud endpoints in the form of mobile end user computing devices all trying to access our personal and corporate data to do our daily jobs. These incredibly useful enduser computing devices (smartphones, tablets, etc.) are now a part of our organizations life. So how do we protect our data from them. IBM recently took a draconian measure of banning Siri from their employees iPhones. Yet, how can they enforce such a measure?

All Security revolves around the data, so let us look at how Siri handles this data:

  • Voice Recognition is not performed locally but within the Apple Cloud somewhere
  • All Contacts are uploaded to the Apple Cloud for comparison
  • All Calendars are uploaded to the Apple Cloud for comparison
  • All Location data is uploaded to the Apple Cloud to enable better answers

Not only does Siri know alot about your life, it has access to possibly critical data about your individual life and possibly the organization in which you work. That information includes phone numbers that are generally not public knowledge, names of team members, as well as meeting names which usually include unpublished project names and concepts.

Given all this, I can understand IBMs pronouncement. However, is there a way to determine if Siri is enabled on an iPhone? I do not see how they could do this without owning the phone itself and enabling all the security controls within the phone. Granted Siri is easy to disable, but what about all the other Apps that use this data? I would not just target Siri, but look over all Apps used by iPhone users. For example, why would Angry Birds require location services?

There are a few solutions, and one I recently discovered is the Symantec Mobile Management product. If the organization owns the phone or all employees agree to be part of the service, the SMM provides a single location to control device security (if Mobile Device Management is enabled) for all iOS and Android devices. This would include disabling Location Services for most Apps as well as disabling Siri, and controlling which Apps can be downloaded, etc. But this requires the phone be part of SMM. If it is not, there is no way to control the phone directly.

Perhaps this is where a Mobile Virtualization Platform such as Horizon Mobile from VMware could come into the play, but currently there is not one for iOS devices only Andriod devices. But this would require the user to be involved in deciding into which address book or calendar a name could be placed on entry. How would the phone know if the calendar entry is for business or even a contact represent an internal or private number? That takes human intervention to decide unless these revised Apps put such entries into a pending but hidden location until it be compared against a corporate database to determine if there is any data loss and if there is place it automatically into the proper database (corporate vs personal), but there is some overlap here when co-workers are also friends so triggers could not be on employee names but perhaps on telephone number prefix which could lead to multiple entries for one person.

Mayhap, the best method to protect data is to modify the Calendar and Contacts Apps to directly access corporate entities when the user is on call (by schedule) or within a certain distance from the office (by using location services). Disney does this with their applications to display park information only when you are within the park you want to see. Which forces you to visit their parks to determine ride availability and line length.

Then again how would you get those modified Apps on the phone? The user once more.

So in essence the only way to protect contact, calendar, and other information (such as notes on an iPad) is to inspect each device to determine if device encryption is enabled, strong (non-4 number) passwords are in use, Siri and other such Apps are disabled and permanently removed, and that other security measures are in place.  Does this mean that at IBM sites, there is a technical person at each doorway asking you to surrender your phone unlocked so they can determine if the corporate guidelines are upheld? Would this not also be an invasion of privacy given that the technical person could then look at private and personal information on your personal phone?  Would IBM not also have to inspect the employee’s home computer to which they synced all data from the smart phone? Would this not cause legal issues?

I understand the need to disable Siri, personally I have never enabled it, but how could it be enforced if the organization does not own the phone? Users being users, they want stuff to just work with minimal decisions on how to enter data. Even so, this discussion is not about things like email, SMS, or other messaging capabilities which could make this even more interesting an issue.