[NoteBook]

Many of the posts here are missing the point. In many industries (as well as in K-12 Education) there are several different legislative requirements that must be adhered to. Just because you and the mouse in your pocket have full reign over your personal computer and smartphone does not mean that that works in regulated sectors of the work world.

I am an IT manager, we have over 70 iPhones in our organization. However, we have deliberately prevented the email client from connecting to our servers because we have no way of ensuring our users are not receiving confidential or sensitive information to their iPhones, thereby making our data vunerable to theft.

Some of you need to consider what it is like to manage over 3,000 computers, and almost 100 smartphones, in a highly regulated industry!

[Nahel]

How do you handle "sensitive information" on Laptops and other cell phones ?

[flowney]

Actually, the problem runs even deeper that that because the people who interpret these rules and regulations operate under the mistaken assumption that you can solve a people problem with technology. As far as I can tell, there is no technology out there that is people proof.

Information is like water in a bucket, it will leak out wherever it comes into contact with a hole. One must endeavor to plug all the holes, not just the easy/compliant ones (technology). Dealing with people is march harder and uncertain than dealing with computer systems and networks. Those who would steal your sensitive information will look at all your vulnerabilities and they will follow what they perceive to be the path of least resistance.

Too often there is no one with the Chief Information Security Officer title who is responsible for the entire security picture, not just IT aspects. It is inappropriate to expect IT to address the whole security issue. They have an important part but not the only part.

[NoteBook]

On laptop computers we begin by encrypting the entire hard drive, and using a USB key to unlock the drive. Without the key the laptop does not function. To ensure email isn't used to inadvertently download sensitive information to the local desktop we have moved to the FirstClass email system, by OpenText. This is almost a thin-client email system in that when the user logs in and checks his messages or views various conferences it is all happening on the server, nothing is downloaded or even temporarily stored on the local machine.

The good news is, one day FirstClass will have a client for the iPhone and at that point we will be able to allow our users to send and receive email from their iPhone (the bad news is, Apple has had the FirstClass Mobile Client for iPhone for 78 days and have yet to post it).

[Nahel]

The iPhone 3.0 has option to fully encrypt its content, so that would be like your laptop. You have a wipe command as well in the event of being lost or stolen.

As for doing everything on the server, it seems unreal. Anyone can copy an paste e-mail to a word document or forward it to another e-mail account. The concept of doing everything on the server doesn't prevent anyone from taking the info locally or downloading it into media. So, such clients are a false security. Google internet mail is done all on the server and is secure. Why need any other thin clients ?

There is a need to rethink the old ways of securing data. With the tools available today to most devices and platforms, security lies in the had of the user and no USB key or Encryption will overcome their pitfalls.

[NoteBook]

I agree with both posts above, ultimately it does come down to the person using the phone. The difference is one of liabilty, however. If there is a breach in data, and we can show the Freedom of Information and Privacy Commissioner that we have performed due diligence by encyrpting the drive, requiring a USB key to access the device, and that all electronic messages are by default not accessible on the local machine, we have done all we can do in regard to security. If after all of this data is still lost, and the loss is a result of the end user consciously breaking policy to do so, the only person under scrutiny (and possibly without work) is the user, not me!

[Steve_S]

NoteBook said:

Many of the posts here are missing the point. In many industries (as well as in K-12 Education) there are several different legislative requirements that must be adhered to. Just because you and the mouse in your pocket have full reign over your personal computer and smartphone does not mean that that works in regulated sectors of the work world.

I am an IT manager, we have over 70 iPhones in our organization. However, we have deliberately prevented the email client from connecting to our servers because we have no way of ensuring our users are not receiving confidential or sensitive information to their iPhones, thereby making our data vunerable to theft.

Some of you need to consider what it is like to manage over 3,000 computers, and almost 100 smartphones, in a highly regulated industry!

I'm also an IT manager working in an environment is where at least part of our business is regulated. Does your company allow any smartphone to access e-mail? If the answer is yes, I'd have to ask you specifically what the qualifications for this access are. By most standards these would be hardware encryption for the device and remote wipe capabilities. The iPhone 3G s now has this. If you tell me that no smart phones are allowed to access your e-mail system, then I would submit that is a choice your company has made but not based on any real world requirement, even for a regulated industry.

[Nahel]

St. Louis University, Tenet Health Care exchange server and Creighton University exchange server were accessed with the iPhone. No restriction even before the wipe feature.

[ski542002]

When I hear these so-called "experts" spout about the iPhone (& Mac) deficiencies, I envision them looking like the short stubby guy in the camel suit on the Mac/PC comparison ads.
At business networking events, I see more corporate "suits" using the iPhone, the Blackberry be damned! These "suits" must not work in real corporations:)