Wednesday, May 25, 2011

A new metaphor for securing corporate data on consumer devices

The growing trend of personal devices being used for company business needs a new metaphor: digital rights management (DRM) for corporate data. Given the history of DRM in the music industry, does this mean we're doomed?

I work for a large company in Jacksonville, FL. A company that has to be very careful with data about our customers. If our employees make mistakes, it could result in jail time. I'm in IT, and I appreciate that we want to go to significant lengths to protect our customer data from "getting out". It's just bad for everyone if that happens. At the same time, I see the growing trend of employees wanting to be able to use their personal devices for work. A personal smartphone, or tablet can make a person much more productive when they're not at their desks. This could be in meetings, or at lunch, or anytime outside of work hours. The problem is that personal devices provide a lot of freedom to the owner. Freedom to choose just how secure the device needs to be. The default settings are often extremely lax, no security at all. No password to unlock the device, no encryption of the data on the device. This makes the device really easy to use. And a potential catastrophe if sensitive corporate data were there for the taking.

The methods currently in use for protecting corporate data fall into two main camps: lock down the device entirely, or lock down a portion of the device where the corporate data is supposed to be stored. The former usually means the company owns the device, controls the administration of the device, and severely restricts the user in terms of their freedoms to choose their level of security. Password policies are enforced to make sure strong passwords are always in place, encryption of data is the only option, installation of apps is restricted or prevented. The device really isn't a consumer device anymore at all, it's a corporate device. RIM has made a lot of money in this space and for good reason. Companies will pay for the productivity gains and for the piece of mind that comes with the control. The other option seems to be products like Good Technologies, in which a piece of software installed on the device provides the security measures, gives control to the company, and sandboxes the corporate data so the "bad guys" can't get to it. If the device is lost or stolen, the company can prevent anyone from getting to the company data. The rest of the device can be whatever the user wants it to be. This is a respectable tradeoff, but still limits what a person can use their device for with respect to work. If the "sandbox" app doesn't do a certain business function, the user can't use their device for that business function.

I thought of a new way to think about the problem, and it got me wondering if it might help solve the problem. In my mind, the problem is controlling access to the corporate data, regardless of what application wants to see it, create it, modify it, search it. In a similar way to how the music industry wants to control access to music content, companies want to control access to corporate content. What we need is digital rights management (DRM) for corporate data. How successful has DRM been for the music industry? Not so good. The movie industry? Uh, no. Should we think that DRM for corporate data is going to fare any better? Well, maybe. Because it's got to. And the solution cannot be that we sue everyone who somehow gets access to our sensitive data.

I think there are lessons to be learned by thinking about protecting corporate data like we hope to protect music, movies and books. It is too damn easy for pirates to make available copies of copyrighted material. We've tried mechanisms and failed. We've got to keep trying. We may never be done, but we must continue to raise the bar ever higher.