Opinion: iPhone security chatter is only a distraction

Plenty of opinions floating around, but security pros need to get grounded

Page 2 of 3

Why, they reasoned, would anyone suffer through the vagaries of remote procedure calls over HTTP, for example, just to enable basic communication? And if one needs connectivity to synchronize with an organizational calendar, why use both a proprietary protocol and a fat client instead of open standards and a small cache?

Protocols, not applications

The obstinate will claim that Exchange is a "standard." Not so. Exchange and Notes are common and pervasive, but these don't qualify as "standard" in a technical sense. A good definition includes the notion that standards are a "universally agreed-upon set of guidelines for interoperability."

Those who use their Windows Mobile phones to access Exchange over IMAP will have little trouble with the iPhone, while those who click through the ActiveSync setup wizard in Exchange will think it's incompatible. No, they just chose incompatibility. The funny thing is that we're still free to use Exchange, Outlook, Notes and the like, but the perceived interoperability problems are already solved if we just care to look for a standard protocol.

This precludes the notion of any particular program as a standard. It's the same concept that makes security administrators wince when access rights are requested for a new hire based on another person rather than a (standard) role. Only a protocol for interactive operation or format for data readability -- a layer of abstraction -- allows the required flexibility without making a mess.

We choose standards because products and platforms change -- and if nothing else, for purely monetary reasons, it's handy to be able to switch technology vendors. An oft-ignored but common situation in many organizations is a change in business and functional requirements without a concomitant upheaval in the security level requirements. For example, a medical products company may choose to become a service company, radically changing its communication-use cases without any decrease in the sensitivity of data handled by the technology. If such an organization's communications infrastructure were tied directly to business function, the company would likely face a major reconfiguration or rip-and-replace event. An organization communicating with open standards such as IMAP and iCal, on the other hand, might only need to reconfigure clients or obtain new endpoint software.

Experience trumps specifications

Much as I rail on about poor decision-making in which opinion is mistaken for requirements, metrics and objectivity, there's always a place for plain old empiricism. Ironically, when the carrier for the iPhone moved corporate offices some years ago, I watched as its new data centers were built and moved into production. There were facilities on the ground floor of each of three adjacent buildings, with large cable conduits between them. As the building completion date approached, the data center construction staff ran the allotted number of copper and fiber cables through the conduits, capped the ends in each building's basement, and filled the conduits with gluey, water-resistant foam.

Needless to say, this didn't seem like such a good idea a few months later as the backhoes rolled over the just-bloomed delphiniums and dug up five figures' worth of now-useless conduits. Anyone who has worked through a data center move or two knows that a new facility isn't mature until you've installed systems and cabling, then ripped them out and reinstalled them -- a couple of times. Only then are capacities stabilized, the techs sure of the right lengths of cable, systems relocated to account for cooling idiosyncrasies, new people drafted to reboot test systems because they're a floor closer to the facility, and so on.

Technology must adapt or die, just as people adapt until they can't. Computer input is a good example of that. Dvorak keyboards never caught on, no matter what key shape or feel; voice recognition is marginalized for text input because most people neither think in complete sentences nor work away from the voices of others. Yet Palm taught us the Esperanto of penmanship with Graffiti, and T9 became the spouse finishing our words. We worried that smart-phone keys would be too tiny, too weird, or that new interfaces would be too flat, but in each case, a little refinement of the implementation worked well as long as the underlying convention -- QWERTY or alphabetic sequences in this case -- wasn't tossed aside. Stray too far from what people expect, and a technology falls off the event horizon. On the other hand, if Apple decides to integrate 3G and an iPhone screen for a touch pad in the next batch of iBooks, friends may yet find me filthy and disheveled, camped out for days in line at an Apple store.
