Thursday, July 14, 2011

Wagging the dog

by Andreas Siegert

Currently it seems everyone is scrambling to implement usage guides and install security tools on smartphones. It feels like a mad kerfuffle in the chicken pen, with users chasing the latest buzzwords. But when asking those who insist on the security measures about their reasoning, you only get answers pointing to the current threat of the day. Rarely does anyone point to a policy based on the actual use cases for the devices. Not every threat is applicable to every type of smartphone usage. And as these devices get used for business purposes as well as personal ones, the boundary is blurred and the issues become even more complicated.

For example, a private user might want to track and share his location in Google Latitude, whereas a business user might endanger his customer relationships when doing so. But it might also be the case that the business requires tracking, whereas the individual would prefer his or her privacy. Before running after measures, the allowed usage needs to be clear. Is it a private phone that can be used for business purposes, or is it a company phone that can be used for private purposes? Both cases look similar but have different implications for their usage and the underlying legal framework. Even for a smartphone that is supposed to be used only for business, the different ways of using it (which impact productivity), as well as the wide range of potentially sensitive data on the device, need to be analyzed first. Only then can a policy be designed that provides a good match between functionality and security requirements. And only once this policy is agreed upon can measures be implemented to enforce it, matching the needs of users and their organizations. Organizations that just implement measures according to the latest buzzwords risk missing threats, or limiting the devices so much that their usefulness is no longer a given.

Although the above examples only deal with smartphones, making sure there is a sound policy before jumping to measures is prudent everywhere. Of course this takes a bit more effort, as it requires thinking things through, but in the end it provides better security and measures that are more attuned to your needs. For example, instead of saying, “Viruses are a threat, so we need a virus scanner,” a more sensible approach is to define a malware policy that governs protection against malware in general, instead of just looking at viruses. It might turn out that a virus scanner is not needed, as other measures are more effective in a given environment (not every system is a Windows-based PC, after all).

Another example would be imposing the requirement for visitors to wear badges in small organizations where everyone knows each other. This may sound sensible, but a better approach would be to have a policy which states that visitors must be identifiable by the personnel. This can then be implemented according to the actual situation in an organization, which might require badges or might not. Not only are sound policies a much firmer foundation for any measures than jumping at measures directly, they also ensure the bigger picture is kept in view.
