September 14, 2014

Mobile Device Security—A Ground Game

The recent hacking scandal involving iCloud and the release of private celebrity photos was most likely aided by a common mistake: weak personal passwords. All of the firewalls on the face of the planet won’t solve a problem like this. There’s no way we can electronically control every possible vulnerability, every looming threat surface. Ultimately, with the rapid spread of cloud computing and mobile devices, we have to depend on people doing the right thing. And that introduces a number of conflicting tensions.

Clash of Password Priorities

The recent hacks bring the simmering anxieties surrounding passwords to the surface. Organizations promote strict password policies because they create a formidable first line of defense. Password policies with x number of letters, numbers, and special characters that must be changed every three to six months are great for security.

But users hate them. They’re a bad user experience. People get frustrated with complexity. They want to keep things simple. Effective security in the age of mobile and as-a-service computing hinges on a single question: How do you create a positive user experience while actually improving password security? It requires a change in mind-set.

The security environment is far worse than the public actually knows. There are millions of vulnerabilities. Attempts to compromise systems are detected on a daily basis. The spread of mobile and as-a-service computing is expanding this risk.

People are using cloud file storage services that may or may not be authorized by IT departments or risk management. In restaurants, you see parents handing their smartphones and tablets to their kids for entertainment. How implausible is it for little fingers to expose confidential information purely by accident?

Think of the information resting on bring-your-own-device tools backed up in iTunes, or on services provided by cellphone carriers. In essence, your enterprise information is only as secure as the user passwords for those applications and services.

The solution? Organizations are rapidly installing layers of security around applications. They’re securing data with encryption. Use of enterprise applications and data on personal devices requires re-authentication—beyond what the user has installed on the device.

People Power

But that gets back to the most crucial element: People. Users, employees, customers—people—frequently think more about themselves and getting their jobs done than they do about the impact of accidental exposure. Most security professionals would advocate this: educate, educate, educate. Users have a critical role in protecting information and a stake in security.

Because when all is said and done, users and employees are on the front line. They need to realize that failure to protect critical information could directly impact their livelihood. Because the loss of a trade secret or confidential enterprise information can very easily result in the loss of jobs. Indeed, the loss of the enterprise itself.

About the author: James “Coop” Cooper is a Distinguished Technologist in the Hewlett Packard Enterprise Chief Technology Office. Prior to his current role as Chief Technologist, Mobility & Workplace Global Practice, Cooper focused on emerging services, including research with HPE Labs on consumerization of the workplace—how it will impact users’ interaction with business applications and corporations’ compliance with security policies.