
Mobile Computing 5-Day Sprint: Day 4 Recap -- Security, Privacy, and Policy

Thursday’s installment of the EDUCAUSE Mobile Computing 5-Day Sprint took up knotty questions of security, privacy, and policy for mobile computing. Most of us don’t have a deep understanding of computer security in the first place, and we’re even further out of our element trying to unravel the complexities of mobile security. Is it safe to pay your mortgage using a smartphone app? Is your phone tracking where you go? If you watch the Royal Wedding in the middle of the night on a university-owned iPad, will the network admin know about it? Will he tell anyone?

And so participants were eager to hear from security experts and share their ideas and experiences.

It’s All the Same, Except the Parts That Are Different

Underlying today’s discussions was the question of whether mobile security is any different from plain ol’ computer security. The answer that seemed to emerge was no, and yes. No, because many of the most talked-about security issues for mobile devices also affect laptops and, in some cases, desktops. A clearer understanding of those risks and better tools to mitigate them would be a rising tide that lifts all boats. And yes, because in practical terms, mobile devices both exacerbate existing concerns (phones are far easier to lose or steal) and introduce new ones (the location data a smartphone collects can reveal where its owner is and has been, which is a serious threat in its own right).

Nailing Jell-O to the Wall

Mobile computing represents an alarming diversity of users, cultures, needs, and devices. Worse, the technology landscape is constantly shifting, and people tend to use mobile devices in ways that prompt even a security neophyte to scratch his head and say, “Why on earth would you do that?” All of which underscores a message we have heard throughout the Sprint: Mobile computing represents a loss of institutional control. In some contexts this might be liberating; for security, it can be unnerving. That said, cloud computing and mobile devices are natural complements, and in some cases, a cloud provider might be able to provide greater security than an institution. Is it possible, then, to have more security but less control over it?

Questions of control led Sprint participants to wonder where an institution’s responsibility ends. Driving while talking or texting on a mobile phone is dangerous, of course, but is such behavior an institution’s concern? Certain kinds of information are protected, and colleges and universities have an obligation to safeguard that data. But is it possible to draw a line between that responsibility and, say, students’ personal data? In response, one participant suggested that “Society's problems are higher ed's problems!”

The Two T’s

Regardless of exactly how an institution defines its mobile security goals, the two prongs of an effective strategy are training and technology, which work in tandem. For example, most mobile devices don’t require a passcode by default, which poses obvious security risks. The training piece is to help users understand that requiring a passcode or PIN to unlock the phone is as commonsensical as requiring a password for a laptop; the technology piece is denying unprotected phones access to network services. Training: Teach users to store as little sensitive data on mobile devices as possible; technology: Implement remote-wipe capability so that when a mobile device is lost, the institution or the user can delete all the data stored on it. Such approaches might be difficult to deploy for user-owned devices (getting back to the question of institutional control), but the premise remains.

Presenters today mentioned training approaches that might fall outside the scope of what most institutions do. For example, some applications let an IT department send bogus phishing messages (sounds like a double-negative) to see who opens them and who falls for the scam, which, of course, is not a scam but a contrived teachable moment. Such a system immediately tells users they’ve been nailed and, presumably, teaches a valuable lesson. Other suggestions included creating games to educate users about security risks, prompting the comment that “People won't read training manuals, but they will play games.”
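To make the simulated-phishing idea concrete, here is an added example (not code from the Sprint presenters or from any product they mentioned) showing the mechanism such a tool needs: each recipient gets a link carrying a unique token bound to the campaign with an HMAC, the training landing page is served by an ordinary web server, and the server's access log is parsed afterwards to work out who opened the link (a GET) and who went on to submit the bogus form (a POST). The campaign name, landing URL, secret, user list and log lines are all constructed for the example. The HMAC matters: with random-looking per-user tokens, nobody can guess a colleague's link and make them look like a victim, and hits with tokens the campaign never issued are simply ignored.

```python
"""Phishing-simulation tracker: per-user HMAC tokens plus access-log analysis.

Added example; everything below (campaign name, URL, secret, users, log lines)
is hypothetical and constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical campaign settings. The secret would normally come from a
# secrets store, never from source code.
CAMPAIGN_SECRET = b"replace-me-with-a-real-campaign-secret"
CAMPAIGN_ID = "spring-2011-password-reset"
LANDING_URL = "https://training.example.edu/awareness"


def make_token(user_id: str) -> str:
    """Per-recipient token: HMAC-SHA256 over campaign and user, truncated to
    128 bits. Recipients cannot forge a token for another user without the
    campaign secret, so a click can only be attributed to the real recipient."""
    msg = f"{CAMPAIGN_ID}:{user_id}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def tracking_link(user_id: str) -> str:
    """The link embedded in the simulated phishing message sent to user_id."""
    return f"{LANDING_URL}?t={make_token(user_id)}"


def build_token_map(user_ids):
    """token -> user lookup, rebuilt from the campaign secret at analysis time."""
    return {make_token(u): u for u in user_ids}


# Common Log Format as written by Apache/nginx-style servers.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def analyse(log_lines, token_map):
    """Map access-log hits back to users.

    GET on the landing page = user opened the link; POST = user submitted the
    form ("fell for the scam"). Each user is recorded once per bucket, with the
    timestamp of the first hit. Hits with missing, mistyped or forged tokens
    are discarded rather than guessed at."""
    opened, submitted = {}, {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        token = parse_qs(urlparse(m.group("path")).query).get("t", [None])[0]
        if token is None:
            continue
        # Constant-time comparison against the issued tokens only.
        user = next(
            (u for t, u in token_map.items() if hmac.compare_digest(t, token)),
            None,
        )
        if user is None:
            continue  # token was never issued by this campaign
        bucket = {"GET": opened, "POST": submitted}.get(m.group("method"))
        if bucket is not None and user not in bucket:
            bucket[user] = m.group("ts")
    return opened, submitted


def campaign_report(user_ids, log_lines):
    """Summary an IT department would look at after the campaign."""
    opened, submitted = analyse(log_lines, build_token_map(user_ids))
    sent = len(user_ids)
    return {
        "sent": sent,
        "opened": sorted(opened),
        "submitted": sorted(submitted),
        "open_rate": round(len(opened) / sent, 3) if sent else 0.0,
        "submit_rate": round(len(submitted) / sent, 3) if sent else 0.0,
    }


# Constructed sample data: four recipients and a handful of log lines.
SAMPLE_USERS = ["alice", "bob", "carol", "dave"]


def sample_log_lines():
    """Constructed access-log lines for the landing page (not real traffic)."""
    def hit(ip, ts, method, path):
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'

    def path(user):
        return f"/awareness?t={make_token(user)}"

    return [
        hit("10.1.2.3", "28/Apr/2011:09:12:01 -0400", "GET", path("alice")),
        hit("10.1.2.9", "28/Apr/2011:09:13:44 -0400", "GET", path("bob")),
        hit("10.1.2.9", "28/Apr/2011:09:13:50 -0400", "GET", path("bob")),  # repeat click
        hit("10.1.2.9", "28/Apr/2011:09:14:05 -0400", "POST", path("bob")),  # submitted form
        hit("203.0.113.7", "28/Apr/2011:09:20:00 -0400", "GET", "/awareness?t=" + "0" * 32),  # forged token
        hit("10.1.2.3", "28/Apr/2011:09:21:00 -0400", "GET", "/awareness"),  # no token (link scanner)
    ]


if __name__ == "__main__":
    print(tracking_link("alice"))
    print(campaign_report(SAMPLE_USERS, sample_log_lines()))
```

On the constructed data the report shows two of four recipients opened the link and one submitted the form; the forged token and the token-less request are ignored, and bob's repeat click is counted once. A real deployment would also record which users were told they had been caught, so the "teachable moment" can be tied to the same token.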

And the Two P’s

The other two pieces of the security puzzle are privacy and policy. In a real sense, mobile devices pose new risks to the privacy of individuals, and some amount of ink has been spilled over the question of whether the younger generations have a different stance on privacy. Presenters today suggested that the answer is no, students care just as much about privacy as the, ahem, older generations, but that students are...less sophisticated in their thinking about how certain actions might compromise their privacy. Students will tell a social network what they really think about their history professor, but they are shocked (and indignant, perhaps) when the professor sees that post. Or they brag in a public forum about the illicit activities planned for a party and are perplexed when the police show up.

An effective mobile program also depends on good policies. One participant suggested that policies (in this case, security policies) should aspire to technology neutrality. That is, a policy should apply equally to a smartphone, a tablet, a desktop, or even a typewriter. This might be difficult in practice, but thoughtful policies should underpin all of the other components of a mobile security program. As one presenter noted, though, a policy that cannot be enforced isn’t worth anything.

For those of you not too sleepy from watching the Royal Wedding, join us tomorrow for the final day of the Sprint, which will cover mobile infrastructure.
