There are security challenges throughout the whole smartphone lifecycle, from device creation and marketing, through purchase, implementation and operation, to the eventual recycling or destruction of the device.
Each part of this lifecycle has a role to play in security policy creation and application, as challenges and opportunities are faced by each player involved.
Consider the first step in the process – the design, manufacture and sale of the device. Consideration in this current time has to be on the security of the device, as well as the data on it. Which of these is more important – the asset or the data? IT’s equivalent of the chicken and egg. The answer must be clear if the phone is to be desirable to consumers and businesses.
Research in Motion (RIM) went down the path of "secure by default", and supported its BlackBerry handsets with server architecture that would allow the application of security to meet corporate standards.
Apple, on the other hand, chose to pitch the iPhone directly to users, and its widespread adoption by consumers puts it at loggerheads with typical IT management systems.
Managing and applying security to these devices comes down to the smartphone security policy.
Security Think Tank: Challenges and opportunities of smartphone security policy
This raises a question as to whether a policy is required for smartphones specifically, or could a policy for telephony or mobile devices be more appropriate? This in itself is a clear challenge facing anyone tasked with the governance or management of mobile devices.
The opportunity to address this lies in having a clear understanding of the short, medium and long-term business strategies. Being able to align current and future business plans to this policy will allow mobile devices to enable the current and future business process, rather than hinder or play catch-up with changing technology and security.
Lannon Rowan is an (ISC)2 member and security consultant at a mobile network operator.
This was first published in February 2012