Employees tend to have multiple cloud endpoints in the form of mobile and tablet devices that are used to access both personal and corporate data from inside and outside the work environment. However, by giving our employers access to our devices via the cloud, is there a way to protect our devices and the personal data they contain from said employers? This question has become important due to a recent incident involving IBM implementing a draconian policy that banned Siri from its employees’ iPhones. How did they accomplish this and how do they intend to enforce it?
First, you need to take a closer look at how Siri handles data:
- Siri’s voice recognition is not performed on the device, but in Apple’s cloud
- All of the user’s contacts and calendars are saved to the Apple Cloud and used for comparison
- All location data is also saved to the Apple Cloud instead of the device
The above means that the Apple Cloud and Siri can be a potential security threat, since they have access to critical data about the device’s user. If the individual uses the device for work, then the organization he or she works for could also be exposed to any security risk that Siri poses. Because of this, IBM’s actions certainly have justification. However, this may be a case of exchanging one security risk for another: there is no way to determine whether Siri is enabled on an iPhone unless the organization has access to the phone itself and has enabled all security controls within the phone. It’s true that Siri is easy to disable, but one should also look at all the other apps used by iPhone users, as a number of them also use personal and location data.
There are a few possible solutions to this problem, and one that has recently surfaced is Symantec’s Mobile Management product. If a company has access to all the phones, or all the users have agreed to be part of the service, the Mobile Management software will provide a single access point for controlling device security for all iOS and Android based devices. With SMM, the company can disable location services for apps, as well as disable Siri. It also gives them the ability to control the downloading of apps. The only problem with SMM is that it requires the phone to be part of SMM, so if a user doesn’t want to participate (which would happen if said person is hiding something), then it would not work.
Another solution is VMware’s Horizon Mobile, which is basically a mobile virtualization platform. The only problem is that it will only work for Android devices right now, as there’s no iOS version.
One other problem that comes out of the whole debacle is that the blocking is currently automatic, and may not differentiate between personal contacts and work contacts during the blocking stage. There’s also the problem of work contacts who are also personal friends. Sorting these out requires human intervention, which is not available right now, as it would be a logistical nightmare if there were too many employees.
One possible solution to all the problems outlined above lies in the system Disney parks use. Basically, Disney parks only display information when you are within a specified range from their park, which means you need to actually stay close to the parks in order to determine the line length and ride availability. In the context of organizations, they can put contact details, work-related data, and apps on their own cloud and have it available only within a certain distance from the office, via location services. This is an ideal solution, with the only stumbling block being that it requires the individual’s consent, as there’s no way to install the app and modify security settings without the user’s permission.
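A sketch of the distance gate described above, as an added example that is not code from Disney, IBM, or any product named in this article. The office coordinates, radius, and thresholds are constructed values, and the check assumes the server receives a device-reported location fix, which it treats as untrusted input by denying access when the fix is missing, stale, or too imprecise.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class Fix:
    lat: float         # degrees, as reported by the device
    lon: float
    accuracy_m: float  # horizontal accuracy radius of the fix
    age_s: float       # seconds since the fix was taken

@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float
    max_accuracy_m: float = 100.0  # constructed threshold
    max_age_s: float = 120.0       # constructed threshold

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def decide(fix: Optional[Fix], fence: Geofence) -> Tuple[bool, str]:
    """Return (allowed, reason). Every uncertain case denies access."""
    if fix is None:
        return False, "no_fix"
    # Chained comparisons are False for NaN, so malformed values fail closed.
    if not (-90 <= fix.lat <= 90 and -180 <= fix.lon <= 180):
        return False, "invalid_coordinates"
    if not (0 <= fix.age_s <= fence.max_age_s):
        return False, "stale_fix"
    if not (0 <= fix.accuracy_m <= fence.max_accuracy_m):
        return False, "imprecise_fix"
    # Worst case: the device sits at the far edge of its accuracy circle.
    worst = haversine_m(fix.lat, fix.lon, fence.lat, fence.lon) + fix.accuracy_m
    if worst > fence.radius_m:
        return False, "outside_fence"
    return True, "inside_fence"

OFFICE = Geofence(lat=40.0, lon=-75.0, radius_m=300.0)  # constructed location
```

Returning a reason string alongside the decision lets each denial be logged, so repeated stale or imprecise fixes from one device stand out in review.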
At the end of the day, one can’t completely blame IBM, as it has a valid reason for wanting to protect corporate data and safeguard against intrusions into the organization’s systems. However, we can’t blame users either for feeling that their security has been compromised by the organization they work for. It seems like the solution is either to find a good compromise between the two sides, or to prevent employees from using their own devices for work, in which case the organization must provide its employees with devices meant for work.