When you start talking about widely issuing tablets to your workforce, your security people are bound to get nervous. From a pure security perspective, tablets are your worst nightmare: highly mobile (literally small enough to put in a pocket), potentially well-connected to all your sensitive applications, primarily targeted towards consumers, and built on consumer-grade security. The same goes for manageability — the functionality that allows IT to control everything from the software that’s allowed on a device to all its internal settings.
The risks are so prevalent and obvious that if you listen to your security and infrastructure people, you’ll likely never allow tablets in your company. Obviously, this avoids all the security risks, but it also avoids any potential benefit.
The insurance model
To be fair, there are risks to almost everything. If we all followed the most prudent and risk-averse path, we’d likely be reading this wearing helmets and wrapped in bubble wrap. Many IT security folks make the mistake of considering a worst-case scenario and encouraging a plan based on that rather than a more pragmatic approach.
The biggest precedent for tablet and technology security is corporate insurance. Your company has probably considered all manner of doom and gloom scenarios, and then purchased insurance that covers the likely ones, while allowing some exposure — all at an appropriate price point. The ability to operate in an uncertain world with enough protection is a balancing act, but even when the unforeseen happens, companies adapt and move on.
When you’re considering security and manageability related to highly mobile devices like tablets, use the same logic. You’re obviously going to expose yourself to some risk, so determine how you’ll combat the most likely scenarios of lost and stolen devices, and work from there. What kind of information will be resident on the tablet? What are the risks if it falls into someone else’s hands?
Take a rational approach here. The average employee’s e-mail is probably not going to bring down the company should it fall into “enemy” hands, nor will national security be compromised if a nefarious character gets into your ERP system. In all likelihood, someone stealing your tablet wants to make a quick buck more than they want to engage in corporate espionage.
The same goes for manageability. At this point, there really are no good solutions to “lock down” and control tablets. Frankly, if there were, you’d be wasting time that could be better spent elsewhere. Nearly all tablets have some type of remote wipe functionality, and this is probably going to be the extent of management solutions for several generations.
The human factor
Nearly every security expert attests to the fact that the best security tool is the fleshy lump affixed to our shoulders. For tablets, I wholeheartedly agree. Emphasize that there may be sensitive information on these devices, and set up a “hotline” for stolen units, so you can immediately initiate remote wipe procedures.
Will you have people abusing these devices and spending more time on Angry Birds than your mobile sales solution? Of course, but spending time and treasure to mitigate this risk turns into a self-destructive cycle, exponentially multiplying the hours spent on a frustrating and fruitless activity.
The tools available today
While a pragmatic approach to security and an emphasis on the human factor may be all you need for your early tablet deployments, there are some emerging tools that offer an additional layer of protection. I’ve mentioned remote wipe, and this should be your go-to action when a tablet is reported lost or stolen.
Secondly, one of the best ways to ensure sensitive data are not lost with a device is to not store any sensitive data on it. To the extent possible, connect to your existing web, cloud, and client-server applications that use the tablet as a display device, storing only limited data on the actual device itself. This relies on a constant connection, but you can balance this requirement based on the type of worker or sensitivity of the data.
New tools are also emerging that allow you to create a “tablet within the tablet,” segregating corporate e-mail and applications from the rest of the device. This has an obvious benefit of allowing users to bring their own device, and it allows you to set access requirements and more granular security around corporate-specific tools versus the rest of the tablet.
Virtualization tools are promising a similar capability, essentially allowing you to “wall off” the corporate environment from whatever else is on the device. However, these tools come with a financial and complexity cost, and many of them are fairly new and will likely have their share of growing pains.
If there are compelling reasons to deploy tablets, carefully and pragmatically consider the security implications. Go into the deployment with your eyes wide open, just as you would when insuring the company against potential disasters.
Today, reliance on human factors, remote wipe, and minimizing the amount of truly sensitive data resident on the device are the best approaches. With tablets gaining so much attention, more advanced tools are likely to follow.