Do 1st graders have all the answers? Convenience and risk considered.


It wasn’t too long ago that installing an application took an IT professional. Now it’s so easy a first grader can do it. If you have an Android, iPhone, or Windows Phone 7, your first grader can search for an application in the marketplace or app store and install it. Not only is it easy, it is also convenient. I know I’m not the first person to notice that convenience is a phenomenal sales tool: the more convenient something is, the easier it is to make the sale. All companies are driven by revenue and not security. Vendors that offer a device you carry in your pocket have the ultimate convenience. On the flip side, SAP installs have been known to take years and require hundreds of IT people. This is the old model. The new model is to use a cloud solution with a web-based interface that requires no install, or a mobile app/web install. Floppy disks were replaced by CDs/DVDs, and CDs/DVDs have been replaced by a connection to the internet.

The unfortunate truth about not requiring a disk (yes, I’m showing my age) to install software is that it has possibly become too convenient. Ok, there’s no such thing as too convenient, but it helps me emphasize my point. One of the controls which IT-savvy people have taught for years is to be careful what software you install. This helps prevent malware from making it onto your computer and is augmented by access control settings within the operating system which prompt before allowing installation. Primary examples are Windows 7 User Account Control (UAC) and OS X/Linux “sudo”. There are some differences between mobile devices and desktops and laptops. These differences primarily include access to location-based information and the additional access layers added by the platform vendors to isolate applications from the hardware.

The extreme convenience of application installation under app store models is blurring the risk and leading to a change in the security model. Mobile device manufacturers do not provide root access by default, whereas desktop operating system vendors traditionally provide administrative access out of the box. Since people are tech savvy and used to having admin access on their laptops, they are requesting and even expecting to have it on their mobile devices. This is part of why the jailbreak and root/ROM websites and blogs are proliferating. The mobile device vendors have the right idea in not granting root access to the user: it makes it much harder for malicious programs to infiltrate the device.

The question has always been one of trust. Who do you trust? The phone manufacturer or your operating system vendor? Do you trust the marketplace/app store owner? The application author? Device users may need to change their behavior to ensure they read the notifications regarding what information and hardware they are permitting the operating system, marketplace, or application to access.

I think we can agree the days of long setup and install times are gone. This is a great thing! Self-service and instant software acquisition are here to stay. However, the ability for users to install apps immediately from an app store is making IT departments across the globe look like they are not agile enough to meet their business’s needs. At the same time, the ability for the business to execute an instant install is increasing the risk tremendously.

To link back to the opening thoughts of this blog article… Do IT departments need to compete with 1st graders? If IT departments can’t create convenient, secure installation scenarios that make tools available to business partners, then the business partners will go directly to cloud or mobile vendors. This is an opportunity. We as practitioners need to collaborate with our business partners, vendors and solution providers to create an educational feedback loop that allows users to knowingly manage their trust relationships and security.
