Wednesday, October 31, 2012

ATR: iPad, uPad, We All Pad...

As Apple announced the next iPads recently, it dawned on me that I'm a year into my personal experience with the iPad. Interestingly, that iPad2 has already been put two generations behind, plus there is a new size. Gotta love technology. I'm also now up to iOS 6, which means I have done two OS upgrades since I first opened the box. It feels like 1992 all over again.

The number of folks with iPads in the office has increased modestly. I'm not certain that most are as geeky about them as I have been, but they get plenty of use.

For this one year anniversary post, I thought that I would noodle a bit about the state of BYO (Bring Your Own) and the smartphone / tablet revolution. I'm mainly going to set out some of my observations and analysis.

Trend: Fewer employees have company-issued smartphones. Like company paid Internet access, it seems that many companies are phasing out paid cell phones. While this can be a risk relative to information security and e-discovery, the cost savings are driving this, plus employees can buy whatever phone they desire rather than settle for what the company supports.

Trend: Tablets will represent the general limit for most organizations with BYO programs. While there are companies experimenting with computer / laptop BYO programs, integrating and monitoring unmanaged computers is hard. Virtualization is expensive and often doesn't work very well. HR and Legal have concerns about litigation and acceptable use. Tablets generally don't get onto the company network, have limited storage capability, and represent less risk across the board.

Trend: Smartphones and tablets will see increased security threats. With employees generally becoming smarter about threats to their computers, attackers will turn to smartphones and tablets to gain access to corporate data and networks. Antivirus / anti-malware software is immature and few users utilize the software that is available.

Trend: Monolithic vendors (i.e. Apple and RIM / Blackberry) will tend to become more sanctioned for office use. Android will lose share for devices used for business purposes. Windows will be driven by Microsoft's commitment and security patch velocity. More on this below.

Trend: Laptops will become more tablet-like. For all of Microsoft's efforts to get acceptance of Tablet PC, the real limiter wasn't the OS so much as the hardware (weight and battery life). With extreme thinness in, we're seeing laptops that aren't much bulkier than tablets, yet allow greater functionality. The new Dell Ultrabooks with the convertible touch screen refresh an older design in a thin package. That form factor should be the winner over the long haul. The next question deals with the ability of Microsoft to deliver an OS that is nimble.

A significant factor, as I mentioned, is the increased security threat represented by smartphones and tablets. Android devices will be at a significant disadvantage here. My 18 month old Atrix is no longer going to see its OS updated. That means, until I buy a new phone (which, because of subsidy contracts, means at least another six months), I'm not only stuck with an old OS, but I'm stuck with its foibles and vulnerabilities. Imagine that your PC was limited to Windows XP, and then only to the updates from 2003. Now look around your office. How many PCs are still running XP? Quite a few, I'll bet. The security issues with XP would be unmanageable if it wasn't continually patched. Eventually, Microsoft stops patching, but generally at a point where the risk is diminished.

The challenge with smartphones is twofold: hardware and carriers. Each manufacturer builds several different phones each year for each carrier... globally. That could mean several dozen new models every year, tweaked for the numerous cell phone carriers around the globe. And each manufacturer likes different chipsets and other hardware features. That means that "Android" has to be written to the specific phone and carrier, then tested on that network. And the carriers like to enable and disable certain features, as well as add their own bloatware.

Monolithic manufacturers like Apple and RIM control their own destinies a bit more. They are still at the mercy of carriers, but they can manage code updates far better than the Android crowd. This means more frequent OS refreshes and potentially longer life for the underlying devices. That said, smartphones and tablets appear to be destined to have much shorter lifetimes than the current generation of laptops and desktops. That very much parallels the experience of computer users 20 years ago. The computer OS and software changed at very high frequency and computers became more and more powerful with each new chipset, requiring frequent upgrades, replacements and software purchases. Somehow, Microsoft managed to ensure that DOS and Windows could support multiple generations of hardware from disparate vendors. This is what Google has to be able to do with Android at some point.

Corporate support for the BYO world is largely going to be dependent upon security down the road. Right now, the devices have to connect and not mess up the corporate network or cause networking issues. If they don't increase support calls, they are good. That's a given. But at some point, BYO devices will be vulnerable to a new generation of malware and frequent enough targets that enterprise IT will have to insist on protective measures. Otherwise, the noise level just gets crazy and the risk increases.

If I look at my own BYO behavior and computer usage, I would expect that within five years, I will revert to a desktop computer at work from my present laptop. My iPad will either have increased capability or I will switch to a convertible tablet / laptop device that allows for a full keyboard. I will have some sort of corporate-sanctioned cloud storage, and, that convertible device will likely have greater cellular telephone capability (I would expect that there will be some ability to answer calls from your tablet and switch from smartphone to tablet with ease so you don't have to carry around multiple devices). If I need to remotely get on the corporate network, I'll use a virtualization tool via VPN.

It's kind of fun to be an old dog being taught new tricks. Maybe I'll even buy a Mac for my home computer.... nah.

Wednesday, September 5, 2012

OTR: Citizenship

One of the proudest possessions in my home is a piece of paper. It hangs on the wall in a simple frame. The paper is creased and worn, the ink faded, but legible. It is a document 156 years old. It is my great-great-grandfather's Naturalization papers -- his citizenship.

I sit and shake my head when I hear the various arguments about how requiring identification to vote disenfranchises people. I look at that worn piece of paper and see the folds. It is clear to me that my great-great-grandfather carried that document with him from time to time, folded in a pocket. I suspect that he needed it when he applied for a job and likely when he registered to vote. It was likely a very prized possession, yet one that was frequently carried and used by him. It was so prized that it was saved and framed by a later generation and passed down to today. I don't think that I have a photograph of the man, but I have his citizenship papers. Funny how that old piece of paper can survive, but people today can't seem to be bothered to use modern technology to get a simple piece of identification.

Funny that today, people want to be handed the privilege of United States citizenship just for crossing a line on a map. Or for overstaying a visa. Yes, people want to come to this country. They always have. They want better lives. I'm sure my great-great-grandfather wanted that for himself -- and he worked hard to achieve that life. But today people want to come here and never renounce their allegiance to their former country. They expect driving tests to be given in Polish or Spanish. They expect their children to be taught in their native tongue. It bothers me to ride around the Chicago area on Polish Constitution Day or Mexican Independence Day. I see foreign flags flying more than I see American flags. I can't imagine being free to do the same with an American flag on the Fourth of July in Krakow or Mexico City. People should celebrate their heritage and be respectful of their heritage, but many seem determined to never let go of old allegiances. The beauty of America is the melting pot... that a generation after coming here, the Sullivans and the Schmidts and the Kowalskis and the Perezes and the Roncallis all can speak the same language. They can share the same understanding of what it means to be an American. But I fear that is no longer always the case.

One hundred fifty six years ago, a man named Cunningham renounced his allegiance to Queen Victoria in Geneva, Illinois. He would follow the railroad to Boone, Iowa and be buried less than 20 years later in a prominent place in the Catholic cemetery. His ancestors would carry his family name and hold on to a simple piece of paper. We have pride in our heritage -- a heritage that is Irish and German and French... and likely more than that. But it is first and foremost American. That old creased paper reminds me of that every time I look at it.

Citizenship is a privilege and must be earned. It must be protected and held in high regard. It is not an entitlement or a "right" to anyone who wants to use it. Citizenship, like freedom, is never free.

Saturday, July 7, 2012

OTR: Why are Phishing Messages so Lame?

I was taking a quick trawl through my spam folders this morning to make sure nothing of importance got stuck there before I flush them. I find that Yahoo! does a decent job of catching spam and phishing messages with few false positives, but Google seems to catch a lot of legitimate messages (btw, Google, if I have a rule that tags a message, that should override the spam filter... just sayin'). I'm easily amused by a lot of the more obvious phishing messages. I've been of the opinion that the people writing these things ought to invest in native English speakers for more effectiveness. But they keep coming, so obviously they are working on some people.

I read somewhere recently, that one theory about why lame phishing messages continue to be sent is that they work. If someone actually bites on one of these, they are clearly not too bright and if they aren't too bright (and usually greedy to boot), they won't overthink the messages that come next. I guess that is one theory. I suppose another is that there are more than a few people who are either naive or extremely trusting souls and they get hooked fairly easily. These are generally the same folks who fall in with con artists and withdraw money from the bank in exchange for an envelope full of stacked newspaper.

At the Day Job, we see the more advanced phishing messages. These are targeted and are called "spear phishing" messages because they tend to selectively target individuals with "bait" indicative of some knowledge of the individual. There's another class of phishing messages referred to as "whaling", which targets high value individuals -- we haven't seen much of that. But even some of the best spear phishing messages are lame. Seriously, why would a C-level executive send you an email from a Yahoo! account? But people clicked away on that because it was "signed" by that exec. It was a low number, but still... and the funny thing is that the phisher could have done a few simple things to disguise the message, but didn't. So I have to think that even the spear phishers are looking for people who are either too harried to really look at email or simply aren't bright enough to realize that they are being phished.

So for today's lesson: Stop. Think. Connect.
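The "C-level executive writing from a Yahoo! account" pattern described above is exactly the kind of thing a mail gateway or a mailbox rule can flag before a harried reader has to "Stop. Think. Connect." The following is an added example, not code from the original post: a small Python header check that flags a message when the From display name matches a known executive but the sending domain is not the organisation's own, when the sender domain is a consumer webmail provider, when Reply-To points somewhere other than From, or when the subject leans on urgency. The executive names, the corporate domain `example.com`, the webmail list and the three sample messages are all constructed for the example; a real deployment would feed the names from a directory and tune the keyword list.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed list of executive names (assumption: in practice fed from the HR/directory system).
EXECUTIVES = {"jane doe", "john smith"}

# Constructed list of consumer webmail domains an executive would not use for work mail.
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}

# Placeholder for the organisation's own mail domain.
CORP_DOMAIN = "example.com"

# Subject words that commonly pressure the reader into acting without thinking.
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> List[str]:
    """Return a list of flag names raised by the headers of one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    # Normalise the display name so "Jane  Doe" and "jane doe" compare equal.
    norm_name = " ".join(name.lower().split())
    flags = []

    # 1. An executive's name on a message that did not come from our own domain.
    if norm_name in EXECUTIVES and from_domain != CORP_DOMAIN:
        flags.append("exec-name-external-domain")

    # 2. Any consumer webmail sender, executive or not.
    if from_domain in FREE_WEBMAIL:
        flags.append("free-webmail-sender")

    # 3. Replies silently redirected to a different address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append("reply-to-mismatch")

    # 4. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency-subject")

    return flags


# Constructed sample messages (not real mail).
SPEAR = """From: Jane Doe <janedoe1234@yahoo.com>
To: staff@example.com
Subject: Urgent request
Reply-To: janedoe1234@yahoo.com

Please handle this quickly.
Jane
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q3 update

Hello team, slides attached.
"""

REDIRECT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Invoice
Reply-To: jd.private@gmail.com

Please send the details to my other address.
"""

if __name__ == "__main__":
    for label, sample in (("spear", SPEAR), ("legit", LEGIT), ("redirect", REDIRECT)):
        print(label, analyse(sample))
```

Any non-empty flag list is a reason to route the message for a second look rather than block it outright; the executive-name check in particular will fire on perfectly legitimate mail from a namesake, so it belongs in a quarantine or banner rule, not a hard reject.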

Tuesday, June 5, 2012

ATR: BYO Mobile

It's been a while since I posted last. The iPad experiment continues with varying degrees of success. I haven't completely given up bringing the laptop home, but it certainly stays in the office a lot.

I'm now looking at my cell phones. As some of you know, I'm seldom found without two phones on my hip. One is the personal phone; the other is the work phone. Some of you likely have heard me talk about why I carry two phones, with the punch line being, "I know what my forensics guys can do." My stance to this point has been that I wanted to keep my personal life apart from my work life. Problem is, in this day and age of smartphones, it is quite hard to do. Android phones prefer a Gmail account in order to function properly and that means the work phone has my personal Gmail account on it. And with smartphones, even a couple short generations apart, there is a lot of redundancy. That said, my personal phone is newer and more capable. And with two phones, I have to buy Bluetooth devices that come with dual pairing capability so I can use both phones in the car.

The work phone is about two and a half years old. It is the first Droid. In cell phone terms, it is geriatric. It is somewhat flaky, and periodically needs a factory reset to behave. I keep taking apps off that phone since my personal phone is more useful to me. Now I could go and have the company buy me the latest and greatest, but I'm finding that I don't use the work phone much for phone calls and it seems like a waste of resources simply to have that quasi-separation of personal from corporate. I'm always going to carry my personal phone around with me, so why have to carry two? Just carrying the personal phone also means carrying one phone charger and only having to find a single outlet in a hotel room. It makes for a little less spaghetti in the computer bag.

We're in the process of looking at our BYO policies and the associated risks. My mindset is changing as I spend time thinking about the issues. For quite a while, the concern has been that litigation would mean turning over a phone for forensic examination. That would mean that personal data could get exposed. In some cases, that might be embarrassing and disruptive. But it seems that cell phones are seldom requested in our litigation. And honestly, I would expect that an opposing attorney determined to take a look at a cell phone is also going to subpoena all mobile devices for examination and likely manage to convince a judge that even the target's personal devices should be examined.

The next risk area is loss of corporate intellectual property. While cell phones and tablets can hold a remarkable amount of data, I can go buy a two terabyte hard drive and walk out the door with much more data than I could manage to get from a mobile device. There is certainly a risk, but the risks from other portable / concealable devices are much greater. That said, mobile devices that contain ActiveSync enabled email can generally be wiped by the user or a corporate email administrator with a couple of mouse clicks. So if a device goes missing, it is a relatively simple matter to delete the email from the device (although in most cases, the device will be subject to a factory reset, wiping all personal data from the device as well). That is a significant difference from other portable storage devices. Organizations with a much lower risk tolerance relative to theft of data will likely ban cell phones and tablets, as well as other storage devices.

Our focus right now is on risks associated with malware. As the hackers out there seek softer targets, they will write more malware designed for cell phones and tablets. The risks here are several-fold: 1) loss of credentials -- loss of your login ID and passphrases that would enable a hacker to get access to your accounts; 2) eavesdropping -- the concern here being the ability for a hacker to listen in on phone conversations or use the phone as an eavesdropping device (while the average employee is not likely to be a target, executives are the biggest concern); 3) leveraging a trusted account -- an attacker taking control of a cell phone or tablet could use the email accounts, IM, or other communications to contact other employees and pass along malicious links or malware-infected attachments that look authentic.

At the same time, I'm not real keen on nuking an employee's phone when they leave, regardless of what the employee agreed to when they signed up for BYO. It seems a little excessive to be that disruptive when all we want to do is kill off the email account. That said, software that creates separate "containers" for corporate and personal data is not inexpensive, and given many competing priorities, is it worthwhile to invest in this software simply to not tick off a former employee? Certainly one argument would be that if the employee is saving the company the cost of the device and service, perhaps the company could deploy some software to preserve the employee's data.

Clearly, every organization has different risk tolerances. Many organizations will find it inconceivable to consider ever allowing a personally-owned device to hold corporate information, regardless of protections, software implementations, policies, and agreements. That's understandable. Certain geographies with restrictive data privacy laws will also find use of personal devices to access corporate data problematic. But I would expect that many organizations will move quickly down this path, with some less thoughtful than others. Point being, of course, that the organization needs to think the issue through and consider their risk tolerance thoroughly.

In my case, I've moved the email container (Touchdown) to my personal phone, along with my RSA soft token. I understand the risks personally, but I'm ok with them. That may change. But the Droid will get nuked in the next few days. And I'll let my forensic guys see what they can do with a nuked cell phone.

More thinking on this topic to follow.

Saturday, January 21, 2012

ATR: Changing the Way We Certify

I've been thinking a lot about certifications lately. On my goals for this year, I'll probably try to get a CISSP via the "boot camp" method, as that certification is more relevant to what I do now than the CRM or the CIP. I'm now 20 years a CRM and I plan to mothball that certification. Records Management isn't my primary job responsibility and the annual dues and hassle of doing certification maintenance paperwork isn't necessarily yielding a benefit to me at this stage of my career. I suppose some will rail against me for this stance, but with my job much more focused on information risk and information security, the CRM doesn't quite measure up. Be that as it may, I'd like to throw into the wind some thoughts that I have about certifications.

You've seen some of my concerns about the CIP. I also raised some issues earlier about the CRM. For the former, the bar is probably too low. For the latter, too high. And that got me to thinking... what about a gradated series of records management certifications. It would be an interesting change, but would provide some differentiation for candidates.

I think the CRM is the best candidate for some disassembly.

Level 1: We'll call this the "RRM" or "Registered Records Manager". Candidates who successfully complete the five multiple choice sections of the CRM exam would have this status conferred upon them. This would reduce cycle times and enable candidates to walk away with a designation more quickly. In some respects, this is like the "ABD" (All But Dissertation) that a PhD candidate can post to a CV. Ideally, the candidate would move on, but some might find it a comfortable stopping point wherever they are in their career. This is still differentiated from the CIP by the number of questions and the depth of the questions, but it enables the candidate who isn't ready for the essay exam to walk away with something after a fair amount of work to pass exams one through five.

Level 2: The existing CRM.

Level 3: I'd call this "FRM" or "Fellow in Records Management". That probably needs work, but it is a higher level distinction. It's also going to be very hard to judge. My thinking is that, in lieu of the essay portion of the CRM exam, the candidate would need to write a proper scholarly research paper on some aspect of records management. That means a minimum page length, proper citations, and so forth. It would have to be juried by records managers with advanced degrees and, like a dissertation, I think it would also need to be defended. Probably not as rigorous as a dissertation, but we'd want to see that the candidate did the work. Perhaps the defense could be a session at ARMA where the candidate defends his or her research for an hour with a distinguished panel, and then the audience gets an hour. I'm not sure there are many folks who would run that gauntlet, but I think it would be interesting to try out. I would also suggest that given the rigor of the process, this level of designation would be permanent. The benefit here would be advancing the profession with proper research that would be published.

In addition, the CRM process needs additional specialty designations. At present, there is only the "/NS" for candidates working with records relating to nuclear energy. I'd suggest that there needs to be a "/LS" for the legal profession, "/FS" for financial services (mainly to cover the specialized regulatory environment), and perhaps a "/DP" for a round of questions dealing with Data Privacy. While the last designation would not substitute for the CIPP, I think it could be a nice warm up or even something that the IAPP and the ICRM collaborate on.

Friday, January 6, 2012

ATR: Rant On, Rant Off

A colleague forwarded a job ad to me the other day. Not because he thought I needed a job, but because I suspect that he knew it would initiate a launch sequence in me. Houston, we have liftoff...

I'm going to name names because this job posting is a matter of record and frankly, the institution should be ashamed. The B&O Railroad Museum in Baltimore apparently needs an archivist. However, they seem to have very low regard for archivists. The position pays between $25,000 and $27,500.

Yes, annually. But you do get benefits. To quote another blogging colleague, "Are you kidding me?"

However, you do need to be "...able to stoop, bend, reach, crouch, climb ladders and lift up to 40 pounds to retrieve, store, and work with objects." And bring a Master's degree and three to five years of experience with you. And just in case you think this is really something of an intern's job, nope -- plan to manage a budget and train and manage interns, docents, and volunteers. And be ready to scrounge up some money by writing grant requests.

I was paid that sort of money in 1988 by the Archdiocese of Chicago with similar experience and responsibilities.

Now we are talking about a non-profit here. I get that. But this is a non-profit organization with over $20 million in assets, a lot of which is physical plant. They have, however, managed modest growth in their cash and investments (over $9 million) in each of the past several years. Seeing positive investment growth over the past couple years is something remarkable. I'm sure they work at that. I'm sure that their budgets are relatively tight. But I fear that those results come at the expense of their "professional" staff. I doubt that someone earning the sort of money being offered could afford a decent rental unit in a safe neighborhood in the Baltimore area. How do you pay back the loans for your Master's degree? How do you even try to get ahead? Twenty-some years ago it was difficult to live on that money, even with two adults in the household working.

The problem is that the archival profession is glutted with unemployed and underemployed professionals so there are plenty of people who are archivists who will take any job to build their resume for the "big" job some day. Supply, meet demand. But for a profession that prides itself on generally exclusive requirements for the positions that become available, AND usually require an advanced degree, this pay is insulting.

This is why I shifted from archives to records management. The pay is better. And we have cookies.

I'll also point out that some archivists "get" this. They are embarrassed as well. And they do their best to embarrass institutions that do this sort of thing. This job hasn't made it to the blog yet, but I suspect it will.