I don't know about you, but I'm doing an awfully large amount of work from my mobile device these days.
Yes, I know we call it a "phone". But I don't make many voice calls with it. Do you?
I do email. And lately, I've gotten pretty addicted to the browser.
For me -- it's my next platform -- the one I want.
But how to secure it?
The First Take
When this discussion came up a few years ago, most of the focus tended to be on securing the information that might be on a mobile device.
I don't think that's quite as relevant as it used to be, at least based on what I can see.
I'm using the phone as a portal into other systems. I'm not using it as a repository for sensitive stuff.
What I really want is to use it the same way I use my PC to access sensitive stuff.
RSA Is Moving In This Direction
You may have seen a press release that talked about putting soft-tokens on smartphones.
For me, that's a pretty big step.
Today, when I'm travelling, I have to carry two devices.
I have to use a corporate laptop and a hard token to get into the corporate network. Once there, I can browse various internal platforms and get to stuff that's behind the firewall.
And, for everything else, I can use my smartphone.
Why do I need two devices?
The answer is simple: once smartphones support a decent VPN and can support soft tokens, I can use a single device (instead of three: phone, laptop and hard token) to access all my information.
And, as a user, that's important to me. I also think it'll be important to more and more service providers that want to provide secure services (banking comes to mind) over wireless networks.
Now, if I can just get it on my Crackberry ...

You'll need your soft-token-enabled smartphone and you'll need your soft-token-enabled laptop.
Smartphones are great for reading incoming inbox junk, checking the odd fact or two, but try doing any real work on them. Can you honestly edit and send an email in a customer-presentable format with a smartphone? Try editing a blog, or inspecting an Excel spreadsheet with a smartphone.
I'm sure this is very exciting for EMC due to the potential licensing revenue for RSA for all the smartphones out there, but in terms of your blog, I would have to disagree. You'll still be carrying your notebook with you on any business trip.
The other consideration here is what is a sufficient level of security? No doubt about it that an org can build multiple levels of security around who you are, what you have, what you know, etc., but what is going to be acceptable to the mass markets?
Right now the market has spoken and, for example, internet-enabled banking is just a userid/password away. The insurance companies of the world are happy to insure against losses with this level of security and while this status quo continues, the banks will not be rushing to load up their customers with ever more burdensome processes.
Posted by: You'll still need two devices | October 22, 2007 at 02:58 PM
All fair points, so thanks.
I don't do a lot of detailed PC-oriented work when I travel, so our needs might be different. Most of what I need that's behind the firewall is web-based.
I think the more interesting debate is your comment around "acceptable risk" around current name/passwd security.
Used to be enough to get into the corporate firewall. Then it changed to a more secure two-factor approach.
Might be that when the technology is widely available, the ante goes up another notch.
We'll see, won't we?
Posted by: Chuck Hollis | October 22, 2007 at 06:20 PM