Some IT execs say smartphones and tablets are a welcome fact of life, while others remain fearful about their entrée into the enterprise

I’ve been talking to many IT executives in recent weeks at various conferences, and I’m finding a curious bifurcation among them when it comes to how they handle newfangled mobile devices such as iPhones, iPads, and Android smartphones and tablets. Some have the attitude “people can bring whatever they want, so long as the devices support our security policies,” while others take the “I’m very leery of how these will compromise my organization’s security if I let them in” position.

Yes, people in IT — many of them, in fact — still register the fear reaction to the new smartphones and tablets whose usage has exploded in recent years. I’m shocked at one level, but not at another.

I’m shocked because any organization whose security is truly threatened by the presence of iPhones in the building has much bigger problems than any single device: It has fundamentally insecure IT operations that haven’t acknowledged that the idea of a physical perimeter is long gone in this era of wireless communications and heavy use of outsourced services and contract employees. No device should have unchallenged access to sensitive information just because it’s in the building, and the notion that security measures would let newfangled devices right in is an absurd one. I don’t believe most of these companies have any basis for their fears. After all, they already use virtual LANs, VPNs, permissions-based access, and the like, and iOS and Android devices have no secret ways to blast through those. If a file server or database requires a password or other credential to gain access, that applies to mobile devices just as it does to PCs and remote computers.

The outdated basis for IT’s fear of mobile devices

The fear is typically based on another belief: People will be able to put information on their mobile devices and spirit it out of their organizations.
Well, duh — employees have always been able to do that, using handwritten notes on paper, photocopiers, recordable CDs, email forwarding, USB thumb drives, remote access, FTP sites, laptops, and the like. The fact that an iPhone too can act as a storage device is just more of the same.

The fear centers on endpoints, and it misses the purpose of security. IT should be securing systems and data, not trying to control endpoints. There are simply too many endpoints, and trying to confine this expanding universe will only lead to hugely wasteful and ultimately ineffective efforts. Think of the hullabaloo five years ago over the need to secure laptops; now ask yourself whether you actually spent all the time and money required to do so as recommended by security vendors or whether you quietly stopped. If people shouldn’t have access to data or shouldn’t be able to store it locally, that control should reside at the data level. If IT has to essentially control the data retroactively once it gets to an endpoint (a PC, a smartphone, an email message, a piece of paper), it’s already too late.

But IT grew up with an endpoint mentality, starting with its roots in mainframes more than 50 years ago. Those computers were hugely expensive and fragile, so only a few beknighted people had any access to them. Their data was also confined to a handful of people, and the number of endpoints was very limited and thus controllable. That ingrained mentality is why I’m not shocked that the endpoint control impulse persists.

That number, though, began to expand in the 1980s when the first PCs were placed in businesses. Suddenly, there were computers that IT (then called MIS or data processing) didn’t control. I remember the fears of IT back in those days, but also the liberation that businesspeople experienced when they no longer had to beg at the altar of IT to get the information needed to do their jobs. Guess who won? The endpoint control mentality should have died then, but it didn’t.
IT glommed on to the client/server notion as a way to convert PCs back into dumb terminals. It sort of worked, at least enough for the endpoint control mentality to stick around. In the early days, PCs were very expensive, so they could be justified only for a limited number of staff, and the notion of email outside of universities and defense agencies didn’t begin to take hold until the very late 1980s.

By the mid-1990s, pretty much all white-collar workers had PCs and email, but the notion of endpoint control remained because these computers were in offices with limited connectivity beyond their business. In the late 1990s, however, laptops had become common and the Internet was nearly universally available. That’s when IT’s notion of endpoint control should have died. Instead, it remained, despite the obvious disconnect and all the stories of laptops and CDs containing sensitive information being lost or stolen from someone’s car — showing the futility of IT’s approach.

Then the iPhone debuted in 2007, doing to cell phones and BlackBerrys what PCs did to mainframes: making them obsolete. In terms of control, the cat was already out of the bag on the desktop, and now it was freed up in mobile.

Changing the control mind-set to be data-based

It’s only been in the last year or two that this endpoint control mentality has begun to change. I know CIOs at several large, conservative, security-minded organizations that have stopped trying to fight the unwinnable war at the endpoints and have moved back to controlling data at the source, using well-established technology such as certificates, encryption, permissions policies, and in some cases thin clients to manage the access. They’ve stopped worrying about this device or that device. If a device meets the policy requirements, and the user has the right permissions, the appropriate data access and usage are allowed; if it doesn’t, the access isn’t permitted. That device could be a home PC, a terminal at an Internet café, an iPhone, a Xoom, or whatever.

This necessary change in security thinking doesn’t mean allowing a free-for-all. What it does mean is focusing on what you are really trying to protect — the data — instead of the endpoint. The security policies relate to the data, which largely takes the endpoint out of the control equation, at least as far as IT is concerned.

I say “largely” because there are some features on mobile devices that can’t be controlled via policies, or at least can’t be guaranteed to be controlled. For example, most mobile devices come with cameras, which means they could photograph sensitive information and never be detected doing so. (Ironically, although IT can shut off cameras in iPhones and BlackBerrys, that applies only to the devices that have registered with IT on the network; IT could conceivably turn off employees’ cameras but not visitors’.) In a case like that, telling people to leave their devices at the door while in sensitive areas remains a legitimate “endpoint control” strategy, though it is also a data control strategy. Part of the permissions to access that physical location includes not having devices with you, just as it usually requires being accompanied by a chaperone or having the appropriate keycard to enter.

For those who have trouble with this concept, let me ask: In the four years since the iPhone debuted and in the decade since the original iPod premiered and digital cameras became commonplace, how many security breaches have been attributed to their use? I can’t think of any. Can you?
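To make the data-level gate in this section concrete, here is an added illustration (not code from the column or from any of the organizations it describes) of a policy that is attached to a class of data rather than to a device type. It checks the kinds of requirements the column names, on-device encryption, certificate-based authentication, and a passcode that expires, together with the user’s permissions, and ignores what the device calls itself; a compliant iPhone and a compliant corporate PC get the same answer, and a café terminal with no encryption and no certificate is denied with the reasons listed. The attribute names, policy fields, and sample users and devices are all constructed for this example.

```python
from dataclasses import dataclass, replace

# Constructed data model for this illustration; the field names are assumptions,
# not drawn from any product the column mentions.


@dataclass(frozen=True)
class DevicePosture:
    """What the endpoint can attest about itself when it connects."""
    kind: str                  # informational label only; never consulted by evaluate()
    storage_encrypted: bool    # on-device encryption is enabled
    cert_valid: bool           # presented a client certificate chaining to the company CA
    passcode_age_days: int     # days since the unlock passcode was last changed


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class DataPolicy:
    """Requirements attached to a class of data, not to a device type."""
    classification: str
    allowed_roles: frozenset
    require_encryption: bool = True
    require_cert: bool = True
    max_passcode_age_days: int = 90


def evaluate(user, device, policy):
    """Return (allowed, reasons). Every failed requirement is reported so the
    denial can be logged and explained to the user; device.kind plays no part."""
    reasons = []
    if not (user.roles & policy.allowed_roles):
        reasons.append(f"{user.name} holds no role permitted for {policy.classification} data")
    if policy.require_encryption and not device.storage_encrypted:
        reasons.append("on-device storage is not encrypted")
    if policy.require_cert and not device.cert_valid:
        reasons.append("no valid client certificate presented")
    if device.passcode_age_days > policy.max_passcode_age_days:
        reasons.append(f"passcode is {device.passcode_age_days} days old, "
                       f"limit is {policy.max_passcode_age_days}")
    return (not reasons, reasons)


# Constructed sample policy and access requests.
CUSTOMER_RECORDS = DataPolicy("customer-records", frozenset({"sales", "support"}))

SALES_USER = User("ana", frozenset({"sales"}))
ENGINEER = User("bo", frozenset({"engineering"}))

SAMPLE_REQUESTS = {
    "corporate-pc":    (SALES_USER, DevicePosture("Windows PC", True, True, 30)),
    "personal-iphone": (SALES_USER, DevicePosture("iPhone", True, True, 10)),
    "cafe-terminal":   (SALES_USER, DevicePosture("Internet cafe PC", False, False, 400)),
    "home-pc-stale":   (SALES_USER, DevicePosture("home Mac", True, True, 120)),
    "wrong-role-ipad": (ENGINEER,   DevicePosture("iPad", True, True, 5)),
}


def decide_all(requests=SAMPLE_REQUESTS, policy=CUSTOMER_RECORDS):
    """Evaluate every sample request; returns {name: (allowed, reasons)}."""
    return {name: evaluate(user, device, policy) for name, (user, device) in requests.items()}


def label_is_irrelevant(user, device, policy=CUSTOMER_RECORDS):
    """Relabelling the device kind never changes the decision: the policy
    is about the data and the posture, not about which product is asking."""
    relabelled = replace(device, kind="something-else")
    return evaluate(user, device, policy) == evaluate(user, relabelled, policy)


if __name__ == "__main__":
    for name, (allowed, reasons) in decide_all().items():
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{name:16} {verdict} {'; '.join(reasons)}")
```

Running it prints one line per request; the two denied-for-posture cases show why, which is what an access log or a self-service “why can’t I open this?” page needs, and the engineer’s fully compliant iPad is still denied because the gate is on the user’s permission to the data, not on the device.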
Laptops, email, and CDs seem to be where most of the reported breaches occur, as well as through inside jobs and “advanced persistent threat” attacks — not iPhones, iPads, and the like.

When you turn the fear into love

Those organizations that have given up on the endpoint control paradigm all tell me a similar story: IT is freed from a lot of busywork, employees are happier, and costs go down. Often, people are more creative because they’re not focused on evading hurdles but on taking advantage of capabilities.

When IT allows device heterogeneity, it enters into a different compact with employees. Usually it works like this: The company issues Windows PCs as standard equipment and, for certain positions, BlackBerrys, iPads, and/or iPhones. In government, Windows Mobile devices may still be in the mix as well. Employees can bring their own PCs, including Macs, and their own smartphones and tablets. They can run their own software, as well as get reimbursement for company-preferred or standard software. But they’re responsible for their own tech support and for ensuring that whatever they bring in supports the IT security policies. As long as those policies aren’t secretly designed to force the use of certain products but instead address legitimate security requirements (such as on-device encryption, certificate-based authentication, or expiring passwords), this works. Even with thousands of users, IT finds itself doing a lot less endpoint troubleshooting and worrying about standard images and the like. It also doesn’t worry about the logistics of ordering and stocking the nondefault devices, which often end up comprising half or more of the devices in use.

Employees whose jobs don’t require specific equipment get a sense of personal empowerment and enablement, creating or augmenting a culture that says outcomes matter more than (bureaucratic) process. Naturally, some processes matter in and of themselves, but think about how few processes actually depend on specific equipment being used; often they don’t even require specific software, as long as the software supports the process requirements, such as tracked changes in a legal workflow.

Costs go down at several levels. IT has less to manage at the endpoint, where service delivery is the most expensive. How often have you seen Gartner, Forrester, and IDC issue reports saying PCs cost $5,000 per year per user to manage and smartphones cost maybe $3,000? I’ve always found those figures suspect, but even if true, that simply shows the value of getting out of the endpoint business. You can’t get rid of all management costs — after all, the network and data center and databases need to be managed so that the endpoints can appropriately access them — but you can get rid of a lot, especially related to support. Many companies have also found they get big cost reductions by not issuing smartphones or paying for data plans. Instead, they give employees a stipend based on their role (and thus need for mobile data access). Many don’t even pay for the device, figuring people would buy one for personal use anyhow, so the device is becoming like broadband access at home: a required personal investment. All of this means employees are now policing their own use, and the company is no longer in the “check on the carriers” game that costs hundreds of thousands or more to play each year.

All in all, the shift to heterogeneity is easy to embrace, once you get past the endpoint control mentality. Companies have successfully embraced diversity in people, in geography, and in work processes. Now it’s time for heterogeneity in work devices.

This article, “Forget the fear: Learning to love iPads and Androids at work,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.
Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.