Thursday, June 17, 2010

Would you be a “Good Witch of the North” or a “Wicked Witch of the East” Security Officer?


I skim any story I see about the iPad these days. A story last month – “iPad Intro Brings a Nasty Surprise” – caught my eye. The anonymous security officer spied a problem in his office:
A couple of weeks ago, I noticed that a lot of people were using Apple iPads in our conference rooms. We haven't bought any iPads. I wanted to know whether they were being used on our internal network. Oh, yes, the users assured me; it was no problem. Well, I thought, it should be a problem; it should be impossible, in fact.
To remedy this situation, I needed to find out why it was so easy for users to attach personal devices to our network and how that came to pass. I started digging.

I can't vouch for the integrity of any device that a user brings in. In many cases, these are machines that an employee's kids have used to play games, chat on Facebook and download who knows what. Since they aren't corporate resources, we have no control over what software, antivirus protection or security patches are installed. And then there are legal issues to consider, since we can't control a personal asset.
To me this is totally a story like the Little Dutch Boy who saved Holland by sticking his finger in the leaking dike. This security officer has stuck his finger in the leaking dike. The problem is that, rather than actually stopping the leak, he's enabled the water to come over the top of the dike. You cannot stop the iPad wave, sir. Sure, you can play Wicked Witch of the East and fly around on a broomstick with your monkeys in tow trying to banish every iPad you see. I would have much preferred, as a reader of the article, to read how the security officer solved the problem in a positive way. What guidelines would have been appropriate to allow iPads on his network? That would have been much more informative to me.


1 comment:

ralban said...

The iPad does pose an end-point security challenge: http://mobile.venturebeat.com/2010/06/14/hacker-group-reveals-major-exploit-for-all-ipads-in-response-to-att/

I think a Guest WiFi network is the right answer here. You need network access control on your private corporate network to keep these devices away from corporate data. But you also need to provide an outlet for personal devices. There will only be more personal devices in the months ahead.