June 30, 2010
Had a very interesting conversation this week about the evolving trust model for mobile security in the enterprise. I was talking to Terry R, who focuses on risk management and compliance, and he was telling me how his company’s perimeter security strategy needs to fundamentally change.
As he put it: “Our challenge is that our infrastructure, applications, and databases are designed for a perimeterized world. Our systems rely on a strong perimeter. We need to tear that perimeter down.”
The catalyst for the conversation was smartphones, which operate almost constantly outside the perimeter. Since the perimeter is no longer “reliable”, security becomes a matter of trust. Which device do I trust with which data for which user under which circumstance? The same questions, certainly, as existed before smartphone adoption. But the answers are now much more difficult to pin down. The trust model for mobile is a rapidly moving target. New operating systems appear every year. New devices appear every week. New consumer apps appear every minute. And end-users constantly set and change the debate.
How does a security team keep up? The more rigid ones will likely fall behind. The nimble ones will adopt a flexible mindset that can trade effectively between security and privacy, usability and control. Protecting enterprise data without compromising end-user experience will be the goal. A dynamic but rational model of trust that can operationalize the model below will be one of the important tools.

(Thanks, Terry, for the ideas behind this post)
October 16, 2009
Network World runs the Insider Threat column bi-weekly and gave us the opportunity to contribute to today’s column. You can find the column on the Network World site at http://bit.ly/3gPlQp .
Existing models for smartphone management take a very one-way approach to security. IT ends up being the police force, and it’s a role that is not scalable, especially since users are reticent to give up control of their phone to begin with. Employee-owned phones just make the problem worse.
The central theme of the column is that responsibility needs to be shared in order for behavior and data to be secured. This model of Cooperative Security requires both a change in mindset and policy, plus access to tools that support both.
August 22, 2009
I’m sitting on a plane right now. Center seat … jam packed. Guy on my left is asleep. Guy on my right wants to talk way more than I do. I don’t so much mind Left-Guy except when his head ends up on my shoulder. But Right-Guy is getting into my personal space and it’s bugging me.
Back in corporate-land, there is no personal space. Companies are very clear that all communication on company networks / devices is company property and the employee should have no expectation of privacy. For legal reasons that needs to extend to employee-owned devices being used for corporate work as well.
But as an employee, that grates on me. It’s my phone and I really don’t want my employer to have access to my pictures, videos, ringtones, and [yahoo/g/hot/other]mail. I need a data boundary that I know will be respected in all but the most exceptional situations.
Companies are realizing this too. @hyounpark_AG at Aberdeen Group has early data that says 20% of companies allow all employees to use personal devices. That’s actually a staggering number. The implication is that the need to set enterprise data boundaries is a problem of the present, not just the future. Employers need to protect corporate data and ensure compliance while respecting employees’ personal content.
But what boundary should my company set? Is this type of flexibility a boon to employees or a bane to legal?
True, it’s a question of both policy and technology, but I think most importantly it is a question of end-user satisfaction. If you have employee-owned phones, your users need a good answer. That answer might vary company to company but, like my Left-Guy / Right-Guy problem, it can’t be ignored.