How New iPad Can Be Blast from the Past
Smart Device Can Act Like a Dumb Terminal in Cloud Milieu
"We're thankful that we were able to get out a little bit in front of it," Elayne Starkey, Delaware's chief security officer, says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
In allowing employees to use their own devices, Starkey's department set up seven controls so users can access state computers securely, including requirements for strong passwords, inactivity timeouts and, if necessary, remote wiping for lost and stolen devices [see 7 Steps to Secure Mobile Devices].
Starkey also has seen an upswing in the move to cloud solutions over the last 12 months. Delaware has an architecture review board that looks at every new IT initiative, and Starkey's department was able to get contractual language included in front of all cloud initiative contracts. Her office also reviews the solutions.
With this paradigm shift in technology well on its way, organizations can no longer wait. "For the folks in the security world, it's really easy to stay secure in this space by not allowing the personal devices," Starkey says. "I'm afraid that's not a real practical decision now."
As organizations set up their BYOD [bring-your-own-device] policies, they must ensure that parameters are spelled out, expectations are set and that employees and IT understand what they're getting into. "At this point, the time to sit back and see what's going to happen is over," Starkey says.
In the interview, Starkey discusses the:
- Seven controls Delaware places on employees' mobile devices so they can access state computers with their own smartphones and e-tablets;
- BYOD phenomena that's sweeping business;
- Expected increase in demand by employees to use their own devices at work because of the introduction of the iPad3 [see iPad3 4G Nudges BYOD].
- Urgency for businesses and governments to implement BYOD policies without further delay.
Starkey has been Delaware's state CSO for more than six years. She earned two computer science degrees, a master of science from Rochester Institute of Technology and a bachelor of science from James Madison University.
Delaware's Mobile Device Policy
ERIC CHABROW: I'd like to discuss the way the mobile marketplace is evolving and how that has an impact on IT and IT security. But first, let's remind our listeners about Delaware's nearly year-and-a-half old policy of placing controls on mobile devices that can access the state network. Please take a few moments to remind us of that policy.
ELAYNE STARKEY: About 18 months ago we deployed a BYOD [bring-your-own-device] policy, which allowed our employees the flexibility and convenience of using their personally owned smart phone, rather than carrying around multiple devices on their hips, with the state BlackBerry. Their personal device gave them the option to consolidate to a single device, but along that came some important security controls and their willingness to abide by a minimum of seven security controls, things like strong passwords on the device, password history and inactivity timeouts, and if necessary, remote wiping for lost and stolen devices, encryption and lockout after seven failed attempts. Those are some of the same controls we have enjoyed for years on the state-owned BlackBerries and we wanted to extend those same important security controls to the new BYOD policy. It's been very successful. We've rolled it out almost without incident. Of course, in the beginning, we had a few challenges to get through, but we have a lot of folks giving up the state-owned BlackBerry for the personally owned device option.
Tablet Use Increases
CHABROW: What I find most intriguing about the new Apple iPad isn't the latest bells and whistles, but the rapid evolution of the e-tablet as a replacement for traditional clients, such as laptops and desktops. On my iPad, I've downloaded an app that converts my tablet into a Windows desktop with a full suite of Windows productivity tools when I'm connected to the cloud. Doesn't this potentially present a fundamental change in the way that IT organizations manage and secure their information resources? And this isn't just about BYOD; it could be cheaper to provide employees with iPads than laptops.