Indiana Jones trembles at the thought of snakes, Superman can be felled by a few pebbles of kryptonite, the Green Lantern cowers at the sight of yellow, and enterprise IT staff dread the arrival of the iPhone this spring.
It may be premature to declare the iPhone to be IT's Achilles heel, but there is no doubt that WiFi-enabled smartphones have corporate IT departments on edge. Numerous experts and analysts have observed that the iPhone is not intended to be an "enterprise" device, and very few benevolent CFOs are going to approve the purchase of pricey iPhones for their employees. Yet CIOs know that millions of them are going to be coming into the workplace anyway.
That fact alone points to one of the most profound changes in IT over the past decade. Ten years ago, it was virtually unheard of for employees to bring their own computers and other network devices to the office. Now, it happens in every office, every day. Your VP of Sales declares that he or she cannot live another day without a BlackBerry -- and soon every salesperson is carrying a new smartphone.
Different Priorities
From the start, smartphones have been a source of IT headaches. More so than computers, mobile phones have become "lifestyle devices" used both for work and personal activities. Employees thus demand a say in the selection of their phones -- and in deciding when they will be replaced and upgraded. With nearly half of companies today simply reimbursing their employees' mobile telecom expenses, workers often make their selections with little or no input from IT. The employees' priorities may be quite different from IT's: What does the phone look like? Will it fit in my pocket? What colors are available? What kind of coverage does the provider offer at my lake house? How much music will it hold? One question they rarely ask: How will IT secure and support my phone?
When employees are making these decisions, IT inevitably loses control. To make matters worse, as these phones provide more and more of the functions of a PC (and store almost as much information), they become even more of a security threat, since tiny phones are infinitely easier to lose or steal than PCs.
The iPhone (and WiFi-enabled devices from other providers) ups the ante even further. Now, employees will want to connect their unmanaged, non-secure WiFi-enabled phones directly to the corporate network -- and expect IT to support them in the process.
IT's first instinct may be to fight back and ban employee-owned WiFi phones from the network. Implementing an outright ban, however, is easier said than done. As of January 2007, the WiFi Alliance had already certified more than 100 different wireless handsets alone. With experts estimating that Apple (Nasdaq: AAPL) may sell 10 million units in a year, IT cannot stop WiFi-enabled phones from entering the building, short of hiring a security guard to frisk employees in the company lobby.
Once they are there, it is going to be hard to keep employees from using them -- especially where the smartphones prove truly useful to employees as they do their jobs. When IT fights its users and tries to prevent them from using the technology they want, IT usually loses in the end -- and simply invites employees to find new, creative and usually non-secure ways to use their devices anyway.
Taking Charge
Many IT organizations will probably end up doing at least one of two things: Buy more company-provided smartphones to make it easier to manage and secure the wireless devices, or provide limited network access (i.e., "guest access") for some or all employee-provided devices while using "best efforts" to provide network and device support. Most IT organizations will likely do both.
No matter how proactive IT is in purchasing and providing corporate smartphones, no IT department can expect to control and manage every last device that connects to the corporate network. With little hope of exercising total control over their employees and the devices they are bringing into the office, IT staff must control the network itself.
With this in mind, it is critical for every IT organization to establish a clear strategy for managing and monitoring its wireless infrastructure before the WiFi smartphone tsunami hits.
Tightening Network Control
If IT's policy is to entirely block all unknown and unmanaged devices from connecting to the network, every wireless access point and controller on the network must be configured to support that policy. Similarly, if IT wishes to restrict these employee-owned devices to a "guest network" with limited Web access only, the configuration of the infrastructure has to comply with that policy, as well.
The cost of failure could be catastrophic -- analysts have suggested that as many as 90 percent of wireless security incidents will result from improperly configured wireless infrastructure and devices. AirWave Wireless data indicates that as many as one out of three wireless access points in the average enterprise are misconfigured and do not comply with corporate policy.
As corporate wireless networks grow to encompass thousands upon thousands of wireless access points, the only way to maintain tight configuration control is to automate the configuration and audit processes with a sophisticated network management tool.
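The kind of automated audit described above can be sketched as follows. This is an added example, not AirWave's product or code from the original article; the policy fields, SSID names, VLAN numbers and access point records are all constructed assumptions.

```python
# Added example: constructed policy and AP records, not vendor output.
POLICY = {  # hypothetical corporate policy, keyed by SSID
    "corp": {"auth": "wpa2-enterprise", "vlan": 10},
    "guest": {"auth": "captive-portal", "vlan": 99},
}

ACCESS_POINTS = [  # constructed sample of per-AP running configuration
    {"name": "ap-lobby-1", "ssids": {
        "corp": {"auth": "wpa2-enterprise", "vlan": 10},
        "guest": {"auth": "captive-portal", "vlan": 99}}},
    {"name": "ap-floor2-3", "ssids": {  # guest traffic lands on the corporate VLAN
        "corp": {"auth": "wpa2-enterprise", "vlan": 10},
        "guest": {"auth": "captive-portal", "vlan": 10}}},
    {"name": "ap-warehouse", "ssids": {  # weak auth, leftover SSID, no guest SSID
        "corp": {"auth": "open", "vlan": 10},
        "test": {"auth": "open", "vlan": 10}}},
]


def audit_ap(ap, policy):
    """Return a list of (ap, ssid, problem) tuples; empty means compliant."""
    findings = []
    configured = ap["ssids"]
    for ssid in sorted(set(configured) - set(policy)):
        findings.append((ap["name"], ssid, "ssid not allowed by policy"))
    for ssid, wanted in sorted(policy.items()):
        actual = configured.get(ssid)
        if actual is None:
            findings.append((ap["name"], ssid, "required ssid missing"))
            continue
        for key, expected in sorted(wanted.items()):
            if actual.get(key) != expected:
                findings.append((ap["name"], ssid,
                                 f"{key}={actual.get(key)!r}, policy requires {expected!r}"))
    return findings


def audit_fleet(aps, policy):
    """Audit every AP; return the per-AP report and the non-compliant names."""
    report = {ap["name"]: audit_ap(ap, policy) for ap in aps}
    return report, sorted(name for name, found in report.items() if found)


if __name__ == "__main__":
    report, bad = audit_fleet(ACCESS_POINTS, POLICY)
    for name in bad:
        for _, ssid, problem in report[name]:
            print(f"{name} [{ssid}]: {problem}")
    print(f"{len(bad)} of {len(ACCESS_POINTS)} access points out of policy")
```
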
Maintaining Device Visibility
When a user calls to say that they cannot connect to the wireless network, the service desk needs tools that put all the necessary information at its fingertips: Where is the user located? Is strong wireless coverage available in that location? What kind of device is the user trying to connect to the network? Has the user successfully authenticated onto the network and are they receiving appropriate network access?
In the early days of wireless, with a small number of employees using laptops to connect, the burden on the service desk was not overwhelming. With thousands of users carrying laptops, handhelds and WiFi-enabled phones, though, the service desk needs fast access to this information and needs to be trained to diagnose common wireless problems. Again, this type of information can only be provided through network management and monitoring products designed specifically for wireless networks.
Accurate Device Inventory
While IT cannot always control what devices enter the building, it can -- and must -- maintain an accurate inventory of devices that connect to its wireless network. The wireless management system should maintain logs of every user session dating back years -- indicating exactly when each device appeared on the network, how the device authenticated, etc. IT must have a system to generate reports showing every new device and a way to review those reports to ensure that any unknown, unmanaged devices are connecting only to a guest network with limited access.
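The report described above can be built from session logs along these lines. This is an added example, not code from the original article or from any wireless management product; the CSV log format, MAC addresses, user names, SSID names and the managed-device list are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample session log; a real system would export its own format.
SESSION_LOG = """\
timestamp,mac,ssid,auth,user
2007-03-01T08:02:11,00:11:22:AA:BB:01,corp,802.1x,asmith
2007-03-01T08:15:40,00:11:22:aa:bb:02,corp,802.1x,bjones
2007-06-29T09:01:05,00:1e:52:cc:dd:10,guest,portal,asmith
2007-06-29T09:30:12,00:1e:52:cc:dd:11,corp,802.1x,bjones
2007-06-30T10:00:00,00:11:22:aa:bb:01,corp,802.1x,asmith
"""
MANAGED = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # hypothetical asset list
GUEST_SSIDS = {"guest"}  # assumed name of the limited-access network


def load_sessions(text):
    """Parse the CSV log, normalising timestamps and MAC address case."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["mac"] = row["mac"].lower()
        rows.append(row)
    return rows


def build_inventory(sessions):
    """Per device: first/last appearance, SSIDs used and how it authenticated."""
    inv = {}
    for s in sorted(sessions, key=lambda s: s["timestamp"]):
        dev = inv.setdefault(s["mac"], {"first_seen": s["timestamp"],
                                        "ssids": set(), "auth": set()})
        dev["last_seen"] = s["timestamp"]
        dev["ssids"].add(s["ssid"])
        dev["auth"].add(s["auth"])
    return inv


def new_devices(inv, since):
    """Devices whose first appearance on the network is on or after `since`."""
    return sorted(mac for mac, dev in inv.items() if dev["first_seen"] >= since)


def off_guest_violations(sessions, managed, guest_ssids):
    """Unmanaged devices seen on anything other than the guest network."""
    return sorted({(s["mac"], s["ssid"], s["user"]) for s in sessions
                   if s["mac"] not in managed and s["ssid"] not in guest_ssids})


if __name__ == "__main__":
    sessions = load_sessions(SESSION_LOG)
    print(new_devices(build_inventory(sessions), datetime(2007, 6, 1)))
    print(off_guest_violations(sessions, MANAGED, GUEST_SSIDS))
```

A MAC address can be changed by the device, so where sessions carry an authenticated user name it is worth reporting on that as well, as the violation tuples here do.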
The iPhone is just the beginning. In the next few years, we can all expect to see more and more employee-owned WiFi-enabled devices in the workplace: phones, music players, PDAs, cameras and specialized equipment.
Every IT organization needs a strategy for dealing with these types of devices now and in the future -- and the flexibility to adapt its support tactics and policies to the changing behaviors and needs of its users. Lacking Spider-Man's "spider sense" to alert them to every threat, IT must instead develop a network management strategy that provides the control and visibility it needs to maintain a secure, supportable network in a rapidly changing environment.
Greg Murphy is founder and COO of AirWave Wireless.