Some in the security industry understand that today's mobile device management (MDM) and mobile application management (MAM) tools can't both protect information and support realistic work scenarios. MobileIron, for example, has floated the idea of an industry standards group to define an information-level security standard. It's a good suggestion, but it should not be limited to mobile, and it needs to work like the Wi-Fi Alliance, so that it doesn't become a lip-service standards group that vendors use to delay interoperability in hopes that their proprietary platform might "win" in the meantime.
Any such standard also needs to avoid scope creep. There's a place for MDM (the equivalent of having locks on your doors and an alarm system, a first level of defense), but it should not get commingled with an information-level security standard. There's also a place for MAM, for organizations that need to essentially convert commercially available computing platforms into appliances, such as retailers or public safety organizations. But it too should not get commingled with an information-level security standard. We don't need a theory of everything; in fact, pursuing one would ensure that nothing ever happens.
What the InfoTrust standard should do
Instead, the information-level security standard — let's call it InfoTrust — needs to do the following:
Provide basic usage rights. Usage rights need to be embedded in documents, so they move with the document. Adobe Acrobat is an example of a file format that supports this notion, and all popular file formats and productivity apps — Microsoft Office, LibreOffice, OpenOffice, Apple iWork, Quickoffice, Google Docs/Drive/Apps, and so on — need to offer similar usage rights that transport from one app to another. The rights should include:
- Restrictions on previewing content (such as in OS X's, iOS's, and Windows' document-preview capabilities)
- Restrictions on changing content
- Restrictions on copying content
- Restrictions on changing and/or assigning usage rights and access rights
Enforce basic access rights. It shouldn't be an endpoint device's or app's responsibility to control access to content, the approach used by many MDM and MAM products today. Instead, the documents should carry the access requirements with them, so the apps can validate access. The requirements should include:
- Password access (as Acrobat and Office today support)
- Policy access (such as requiring it be in an encrypted environment or be openable only by people in a specific Active Directory group)
Allow local policy management. Authoring and editing tools should be able to assign both usage rights and two of the access rights: the password requirement and the encryption requirement. That way, small businesses such as law offices can protect their documents directly, and trusted employees can share documents with others outside the corporate environment (freelancers, contractors, business partners, governments, and so on).
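To make the model above concrete, here is an added sketch (not from the article, and not any real InfoTrust specification, since none exists) of a policy that travels with a document and is checked by the opening app. The `Policy` and `Context` structures, the field names, the PBKDF2 password check, and the reading that the directory-group requirement cannot be set by a local authoring tool are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

USAGE_RIGHTS = {"preview", "change", "copy", "assign_rights"}
LOCAL_FIELDS = {"allowed", "password", "require_encrypted_env"}  # locally assignable

@dataclass
class Policy:  # hypothetical descriptor embedded in the document itself
    allowed: set                       # usage rights granted; all others are restricted
    salt: bytes = b"constructed-salt"  # constructed sample value
    password_hash: bytes = b""         # empty means no password requirement
    require_encrypted_env: bool = False
    required_group: str = ""           # e.g. a directory group; empty means none

@dataclass
class Context:  # what the opening app knows about the user and the device
    password: str = ""
    encrypted_env: bool = False
    groups: set = field(default_factory=set)

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def access_failures(policy: Policy, ctx: Context) -> list:
    """Return the access requirements this context does not satisfy."""
    failed = []
    if policy.password_hash and not hmac.compare_digest(
            kdf(ctx.password, policy.salt), policy.password_hash):
        failed.append("password")
    if policy.require_encrypted_env and not ctx.encrypted_env:
        failed.append("encrypted_env")
    if policy.required_group and policy.required_group not in ctx.groups:
        failed.append("group")
    return failed

def permitted(policy: Policy, ctx: Context, action: str) -> bool:
    """Deny by default: every access requirement must pass and the right be granted."""
    if action not in USAGE_RIGHTS:
        raise ValueError(f"unknown usage right: {action}")
    return not access_failures(policy, ctx) and action in policy.allowed

def assign_locally(policy: Policy, ctx: Context, name: str, value) -> None:
    """Edit made by a local authoring tool; the group policy is out of its reach."""
    if name not in LOCAL_FIELDS or not permitted(policy, ctx, "assign_rights"):
        raise PermissionError(f"cannot set {name!r} locally")
    if name == "password":
        name, value = "password_hash", kdf(value, policy.salt)
    setattr(policy, name, value)
```

The sketch only shows the decision logic; a real format would also have to bind the policy to the content cryptographically so that it cannot simply be stripped or edited outside a conforming app.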