Moderator: Jill Clayton, Information & Privacy Commissioner, Province of Alberta
1. Chris Conley, Technology and Civil Liberties Fellow, ACLU of Northern California
2. Alex Manea, Security Product Manager, Global Security Group, Research In Motion
3. Kofi ???, Sales Systems Engineer, McAfee, Inc.
4. Stewart Cawthray, Chief Security Architect, IBM Global Technology Services
There were opening statements from each of them.
Chris began by noting that smartphones hold a unique set of data that makes them a different paradigm from computers or cell phones. They were designed as communications devices that are constantly connected and constantly sharing information.
For example, Angry Birds (Rovio) has complete access to your iOS contact list. This was undisclosed and is an issue of transparency and control. I need to know if my information is being accessed, stored, and used. Apple has a responsibility for providing an API that allowed this, Rovio for leveraging it, and the users for unwittingly consenting. Organisations should be held responsible for clear declaration and transparency of their intentions and actions. As a developer you need user trust to be successful in the long term.
Alex thanked Chris for going after Apple. RIM experienced a paradigm shift in their security policies: they began as a corporate service provider and had to shift to be more aware of consumer risks and concerns.
Your mobile device management strategy should start with what you do for your non-mobile assets and laptops. The additional key considerations are physical security and loss, and the fact that usage of mobile devices is not often contiguous, so security credentials often get simplified for convenience of device use.
First, consider the platform itself: the basis of all security should be embedded in the platform. Second, your users want to download applications, and in some cases need to, so have a strategy for optimising the use of applications. Third, how are you going to manage the deployment of the devices? The more you mix deployment strategies, the more overhead you create and the greater the risk of something going wrong.
Kofi noted that a bridge from user experience to security policy is one of the greatest challenges in BYOD.
Stewart opened with the dichotomy between mobile devices and laptops, insomuch as BYOD didn't really kick in until smartphones and related tablet technologies became consumerised. The desktop and laptop market is primarily one OS, Windows, with some Apple and a tiny bit of Linux. The mobile platforms are far more diverse, not necessarily in the overall count of players, but in the more equal distribution of platforms and the increased likelihood that you will need to support four OSs.
You don't plan to have a security breach, but when it happens you need to have planned. The question asked is: what do we have to do to stay out of the news? The reality is that we won't stay out of the news; the question is rather how we mitigate that story so that it is less "newsworthy" and we control the story, instead of the exploiters.
Fundamentally, your policy will dictate your security. Rely less on protecting the device, and more on protecting the data.
While the EULA may technically grant access to your personal information, expectations around transparency and reasonable use make this a legal grey area in Canada and the US. The app developers and platform developers have a responsibility, but not a legal obligation, to provide that balance.
The question arose of whether there is a comprehensive online list of which apps leverage which data from your devices. The answer is not really, but the App Genome Project was a start on this that may have fizzled out by now. A different approach to this issue is to encourage the platform developers to give users the option to restrict information access by app and by information type (e.g. contacts, location, call history, etc.). This is a more likely technological scenario, and the platform vendors should be marshalled in this direction by consumer demand.
The concept of protecting the data more than the device was challenged well from the floor, on the assumption that people don't have the level of insight into what data is where and what data is at risk, so it is a much simpler approach to lock the device itself. Debate ensued around the dilemma of balancing usability of personal devices with protection of corporate and private data.
My personal opinion here is that if users secured the devices to protect their own personal data as much as we'd like our corporate data protected, then there would be much less of an issue. It needs to be a multi-pronged solution, including educating our BYOD users about the risks to their own data as well as the private data they become couriers of, and encouraging the OS vendors to enable security management functionality and control to the API level for the device owners, and lastly, leveraging presentation and virtualisation technologies to keep the actual information in the data centre.
Location: 13th Privacy & Security Conference