Thursday, June 30, 2011
What has this got to do with smart cards, identity and security, I expect you're wondering? Well, it's because things like smart phones and tablet computers have become a part of our life. A few weeks ago we were doing the tourist bit in Paris. At the Moulin Rouge the doorman was busy searching for cameras. Why waste your time? Just about everybody there had a smart phone, and have you ever seen a smart phone without a camera?
The thing is that these smart phones and tablets have confused the boundary between business and domestic life. Everybody wants to use their phone (or tablet) as a tool to do both. Please can I have my corporate email on my iPad so that I can check my email while playing Tap Zoo? You haven't got it yet? Oh boy it's addictive, the email that is!
Now to the more serious side. Here we have it: industry leaders combining business and pleasure on their mobile phones and tablets. Should they (we) be worried? You bet they should, because malware can exist just as well in this portable world as on the old-fashioned PC, or even the desktop if you still have one. I keep on asking the question: if these mobile devices are so insecure, why don't we hear a lot more about malware?
The truth is that it is just starting to happen. Over the last few months Google has had to withdraw about 50 infected Android applications, but not before they had been downloaded tens of thousands of times. There is a fundamental law here: if you allow an open system, it will get malware. The IT departments of course know this and they are hanging on to executive control of the phone for dear life; the user, meanwhile, wants to do his thing, whatever that might be.
So where is all this going to end up? Unless you have spent the last couple of years on some desert island, it is clear that the user is going to win this game. Do you remember that at his inauguration Barack Obama was told by the security service specialists to give up his BlackBerry? He kept his phone, so it can be done. It's all about behaviour. They all say it: don't keep sensitive data on your phone, and don't do things with it that might expose your work (or your private life, come to that). All these things are actually quite easy to achieve, and you can do wonders with a cryptographic MicroSD card: secure email, secure data storage, the list is endless. Ah yes, I was forgetting that the iPhone doesn't have a MicroSD card, but there are other ways.
The thing is that the most vulnerable part of most information systems is the users. It's no good having 12-digit passwords if people have to write them down. You have to create a security culture: people have to want to get it right and apply just the basic techniques well. If sensitive data is encrypted for storage and communications with a sensibly chosen password, then really you don't have to worry.
Then you just have to ask why it is that so many people lose their laptop or memory stick with some unbelievable database stored in plain text: medical records, HR records, prison records, you name it, because it's all happened in the last couple of years.
So part 2 of the plan has to challenge where the aggregated data is stored. Surely not on the iPad; roll on Cloud Computing. I know it's a buzzword, but you know what I mean! And then, dear readers, we get around to it: how do you adequately authenticate a user with an iPad? A MicroSD card will do nicely, thank you. Oh, but we haven't got a slot!