25 years of mobile security

This year marks the 25th anniversary of my first foray into mobile security. True story.

Back in the day, the early halcyon days of mobile computing, any device weighing in at less than 20 pounds was called portable – an archaic term replaced by today’s immensely culturally immersed word of choice, “mobile’. My former company built security systems for desktops as well as a plethora of long forgotten “mobile’ computers. Access control, read/write/execution permissions, boot control, full hardware encryption, object reuse and event logging made up the suite of what we then called “C2′ level security.

U.S. government civilian agencies, notably the IRS, bought en masse the Zenith Z-170 “Lunch Box’, an 11-pound contraption with dual high-density floppies. Even in pre- regulatory and compliance days, the need for security in such sensitive arenas was obvious. It was a technical kluge, but it worked.

Bygone military laptop supplier Grid needed equivalent C2 security for their customers. We added another 2 pounds of an extruded metal security module to the already backbreaking 16-pound mobile device.

But nothing had prepared me for the call I received one pre-dawn California morning. The voice was not American; that was clear. I was pretty sure it was British, and the name used was Ian Smythe (with the long, arrogant “i’ sound). He asked if we could customize our products to add new features. “Of course we can,” was my autonomic response.

Even though he had initiated the call, Ian haltingly stuttered his needs, and I recall it was like pulling teeth to get a specific set of requirements.

“Well, let’s say one of our people is in a phone box.” OK, I thought. A phone booth. “And he’s dialed into our offices.” OK, an RS-232 connected acoustic modem transmitting data at like, what was it, 300 or 1200 baud?

“And let’s say he fell over.” Fell over? In a phone box?

“Who fell over? Why would he fall over? What offices?” Questions spewed from my mouth, all answered with abject silence.

“Can you do it?”

“Do what?” Trying to be nice to the squirrely Brit, but my frustration must have been evident.

“If he falls over-¦ you know-¦” No, I didn’t know. “Can you disconnect him from the office?” Not exactly geek-speak in the least. I had to seriously read between the lines. So I made an educated guess.

“Let me see if I got this right. You guys have spies running around using laptops. You want them to be able to dial into HQ. But, if they get shot in the phone booth and keel over dead, you want the modem to automatically disconnect.” (Remember the Cold War mindset?)

In a blustery acknowledgement I suspect had to do with the fact we were talking on an “open line’, Ian responded, “Hrmmph-¦ grggh-¦ ah-¦ well, yes, something like that.”

“Can do.” So we went to work.

Now this was cool. Spies, laptops and bullets flying everywhere along the Thames. In the long-before accelerometer era, we used mercury-wetted switches, set to toggle if they sensed a deviation of more than a few degrees from either axis. Tilting the mobile device meant that remote communications with MI-5, MI-6, GCHQ (et al) were immediately severed, thereby saving the Empire. It worked.

Fast forward to today.

Too many organizations treat mobile devices as a fixed extension of their enterprise, locked to a universally enforced static policy. Mobile devices, should however, be treated as if they are really mobile.

My experiences from a quarter century ago are echoed by the demands of today’s mobile enterprises, especially those concerned with protecting sensitive information and needing to comply with stringent security and compliance regulations.

We learned back then that “All places are not created equal’, such as the sanctity of a phone box. As I travel, am always learning from experts and practitioners.

• We don’t want our employees to be able to access corporate resources while they are traveling to (country, state, city of choice).
• We cannot have our foreign staffs accessing porn on their iPhones while they are in culturally sensitive regions (or on customer sites).
• Our accounting department wants to make sure our international travelers do not run up huge data transfer bills on their iPads.
• We want to allow our senior officers to access certain information while in certain defined locations, but not in others. (Vague in detail, but clear in policy.)
• Our doctors need to have one set of rules while physically at specific medical locations, and another set when they are off-campus.

25 years ago I was introduced to the concept of location-specific mobile security enforcement by Spooks, Spies and Goblins, LTD. While the technology back then was certainly primitive, the mobile security needs of government and sprawling global enterprises are not. In fact, they are more explicitly stringent than ever.

To have any real meaning and effectiveness, mobile security, compliance, management and remediation must be policy enforced based upon the mobile device’s physical location. Policy enforcement rules must dynamically and automatically change as the device (and presumably its owner) moves by car, train or plane.

Perhaps most importantly the mobile device user must not notice any change in his experience or be expected to tell manually configure the device for localized security need. Such is an antique approach, doomed to failure as the migratory paths of global workers integrate hundreds of millions of mobile devices into the enterprise.

The dynamic approach to mobile security is now twenty-five years old and it should be a non-negotiable component of any modern mobile enterprise security endeavor.