In my travels, and in working with many enterprises both large and small, I'm often surprised to find a lack of IT policies of any form. Policies define responsibilities, actions and procedures, and they are necessary for many corporate functions well beyond IT. Unfortunately, policies often get complex, and consequently the ethos of "it's easier to get forgiveness than permission" often prevails. Striking a balance between the fundamental complexity of a computing/networking environment and the specific requirements, both legal and otherwise, of a given company is therefore paramount.
Given that information is the lifeblood of most modern enterprises, that mobile computing allows information and IT resources to roam essentially at will, and that both security and -- equally important -- the very integrity of enterprise IT are at stake, policies for mobile computing are essential, again no matter what the size or mission of the organization.
As I noted in my last column on this subject (Secure your corporate data with acceptable use policies), there are two cornerstones of an effective mobile computing policy. The first is an Acceptable Use Policy, which defines ownership of the computer and any data stored on it; what personal customization is allowed; what networks can be connected to; and how training, support, repairs and help desk are implemented. The second is a Security Policy, which, of course, extends far beyond mobile computing security alone. The key here is to understand what data is sensitive -- all enterprise data should be, by default -- and how it is to be protected. My general strategy is the encryption of data wherever it is stored, be that on a server or on a mobile device of any form, and the use of virtual private networks (VPNs) to secure the link between endpoints. I also think that two-factor authentication, also known as "something you have plus something you know," should be a core requirement in any enterprise setting.
But perhaps we should back up just a little bit here. I think one of the big problems is that we still think of the PC as just that, a personal computer, when in fact that's really no longer the case. We need to change our thinking from PC as computer to PC as information portal, an integral component of an enterprise's overall IT infrastructure.
The problem, though, is that most users do think of their PC as their computer and see nothing wrong with configuring it to meet their needs – including the loading (often unintentionally) of all kinds of applications that might even be harmful to a corporate IT infrastructure. Short of locking down the PC (no Administrator rights for you!) -- which won't work, of course, because of the need for authorized updates to antivirus and other software -- the only way to deal with this problem is via policies. Policies, after all, define acceptable and unacceptable behaviors, and it's therefore critical that written IT policies be present in any organization. It's also critical that these policies have teeth so that everyone gets the message that failure to comply has real consequences.
Over the longer term, I think the nature of mobile computing will change to the point where we will no longer carry typical computers. Rather, we'll have thin clients that act as interfaces to corporate IT. This will eliminate most of the concerns about compromised data, corrupted Windows configurations, viruses, and the myriad other threats that we spend so much time worrying about today. Of course, the key to this vision is essentially ubiquitous broadband wireless access – and we're well on the way to that today.
About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at firstname.lastname@example.org.