
ENTERPRISE MOBILE SECURITY
ROCK SOLID OR AT RISK?

Today’s handheld devices offer remarkable opportunity along with significant risk. Sound security practices are paramount.

Over the last few years, a not-so-quiet revolution in computing has unfolded. Smartphones and tablets have transformed business and provided ways for employees, business partners and customers to access, manage and use data in new and noteworthy ways.

It’s safe to say that this new mobile order has created enormous opportunities. However, it’s also ratcheted up the risks to the enterprise – with data increasingly flowing outside the organization and residing on numerous devices.

To be sure, managing mobility is no minor challenge. As the bring-your-own-device (BYOD) movement takes shape and employees use their own smartphones, tablets and notebooks to access enterprise data — often from public Wi-Fi hotspots — it’s critical to put robust security protection in place and ensure that data doesn’t wind up lost or stolen.

How can an organization maximize the potential of mobile technology while minimizing the risk of a security lapse or data breach? While the solutions vary, one thing is certain. Organizations that adopt a best practice approach — using a wide variety of tools and technologies


John Kuhn, director of product management for the Enterprise Mobility Group at Symantec, says that the number of platforms and devices an enterprise must support has skyrocketed over the last few years. “What makes things especially difficult is that most organizations cannot dictate a device,” he says. “You have people using BlackBerry devices, iPhones, Androids and other systems. You also have them sharing files and data through services such as Dropbox and Box.net.”

A 2011 Ponemon Institute study found that the average cost of a data breach rose to $214 per compromised record in 2011. Worse, the figure hit $258 per record for mobile devices.

Today, it’s estimated that 70 percent of enterprise data resides somewhere on a mobile device. As employees tap into public Wi-Fi networks and exchange data device to device, oftentimes through social media applications, the challenges and risks to the enterprise grow exponentially.

Risk Vectors

These risks come in a number of forms. First, there’s the danger of physical access to information when a device is lost or stolen. Once holding a device, a sophisticated thief can bypass a passcode and circumvent encryption. In addition to obtaining sensitive enterprise data, the attacker may wind up with passwords to other systems on the network. Physical access essentially renders most security protections — including intrusion detection and antivirus — useless.

Device attacks are another serious concern, particularly on the Windows, Symbian and Android platforms. These may take the form of browser-based attacks as well as viruses or other malware sent through text messages or e-mail. Hackers and thieves may want to gain control of a device or the data residing on it, or they may use the device to get inside the enterprise network. Once a device harbors a botnet or malicious code, it can also infect other systems. Juniper Networks reported that malware for the Android operating system alone rose by 400 percent from 2010 to 2011.

The growing use of public Wi-Fi presents serious risks as well. Hackers may eavesdrop on transmissions or use the network as a way to gain access to devices and use them for more serious attacks on a network. Unencrypted Wi-Fi networks can support so-called are far more likely to succeed. Because the participants may think that they are privately communicating with the other person, they may provide sensitive data. An attacker within range of a Wi-Fi access point can use this method if mutual authentication between the parties hasn’t taken place.

Finally, there’s the risk of insider threats. A March 2012 survey conducted by Ponemon Institute and Trend Micro found that security tools alone cannot protect systems and networks. Only 8 percent of all breaches are caused by external cyber-attacks. The top three reasons for breaches are employees losing notebooks or other mobile data-bearing devices (35 percent), third-party mishaps or errors (32 percent), and system glitches (29 percent). Larry Ponemon, chairman and founder of Ponemon Institute, noted that an increasingly mobile workforce is a key contributor to the problem.

Connecting to Security

Over the last few years, enterprise IT has changed more profoundly than at any point since the introduction of the personal computer. In the past, organizations held the reins and decided which devices would be used and how they would access data.

Today, employees aren’t just asking to use smartphones and tablets, they’re demanding them — and in many cases bringing their own devices into the enterprise. Corporate executives also demand iPads and other tablet devices. As a result, IT has no choice but to support these consumer devices and incorporate them into the IT infrastructure.

Make no mistake, the BYOD movement has rocked the foundation of enterprise computing. The tech analyst firm Forrester reports that more than 50 percent of the organizations it surveyed now support employee-owned mobile devices and smartphones.

“This empowered workforce uses groundswell technologies such as mobile devices to drive increased productivity, innovation and improved customer services,” it notes in a 2011 report, Managing the Security and Risk Challenges of Personal Devices in the Workplace.

Meanwhile, a 2011 Accenture report, titled Jumping the Boundaries of Corporate IT, found that 87 percent of U.S. Millennials decide where they will work based on their ability to use state-of-the-art technology. Moreover, these individuals expect to use their own technology at work and tap into their preferred technology apps regardless of any compliance policy. A staggering 61 percent use social networking services that aren’t supported by their IT department. In addition, 43 percent tap into non-supported IM, 31 percent rely on rogue open source technologies, and 26 percent use

35%: amount of breaches caused by employees losing notebooks or other mobile data-bearing devices. SOURCE: Juniper Networks


Developing a Mobile Security Strategy

Building a comprehensive security strategy begins with an analysis and understanding of how people use applications and data — and the role of the network in delivering information to users. It’s also important to understand possible theft and loss scenarios and know the value of data residing on devices so that it can be classified accordingly. Best practice organizations typically create data tiers to determine the appropriate defense and level of protection.

Security experts say that it’s critical to focus on protecting data rather than devices. The cost of a lost device might top $500, but the loss of the data residing on the device could extend into millions of dollars. It could also result in bad press, fleeing customers, fines or lawsuits and a tarnished reputation and brand. “Trying to build the ultimate padlock is both impractical and inefficient,” explains Clinton Smith, manager of IT risk and compliance for Grant Thornton, LLP.

Chenxi Wang, vice president and principal analyst for security and risk at Forrester, points out that basic protection such as enforceable password-based entry, auto-lock and remote-wipe capabilities are the starting point for a mobile security strategy. These tools allow an enterprise to retain some control over lost or compromised devices.

Virtually all mobile devices now support these features and a

The complexities of mobile security haven’t been lost on enterprise business and IT executives. Here are eight ways to improve protection and reduce risk:

1. Develop an enterprise mobile security strategy. It’s essential to understand what returns and risks devices and apps create and how mobility fits into the overall framework of the organization. A comprehensive audit should lead to a security policy that addresses issues as diverse as “jailbreaking” and what happens when a device is lost or stolen. It should also classify employees and data to ensure that sensitive and confidential information remains in the right hands.

2. Focus on data rather than devices. The ultimate goal for an enterprise is to protect data. The cost of a lost device is minimal, but lost data could compromise the entire business. As part of this approach, adopt solutions that provide maximum abstraction between data and specific devices and operating systems. This approach reduces complexity and risk.

3. View each security tool as only part of the overall picture. An effective security strategy incorporates a wide range of solutions to create a security fabric that extends throughout the organization and onto mobile devices. Understand how these tools interact and look for any gaps that could lead to vulnerabilities.

4. Provide education and awareness training. Although today’s employees are typically savvy about using mobile devices, they may not be clear on the security risks associated with their actions and behaviors. It’s critical to provide education and training — and to make sure employees understand what practices to avoid.

5. Adopt a robust mobile device management (MDM) solution. MDM greatly simplifies device administration by providing a centralized view of resources and making it easier to run diagnostics, configure and provision devices remotely, apply patches, back up and restore data, track assets, provide network support, log and report activity, and track devices by GPS.

6. Don’t neglect conventional security tools. Understandably, most organizations focus heavily on mobile-specific security such as mobile device management solutions. However, antivirus, web filtering, virtual private networks (VPNs), data loss prevention (DLP), file encryption, authentication and other tools are the foundation of any security strategy.

7. Focus on privacy issues. Security and privacy are deeply intertwined. A data breach could reveal private employee or customer information and lead to legal problems. In addition, the use of personally owned mobile devices in the workplace raises key questions — particularly for companies that scan devices to ensure that they do not create risks or contain confidential company data.

8. Stay agile. Conventional three- to five-year technology plans do not work in the mobile arena. It’s critical to create an agile framework and continually reevaluate the way employees and others access data, what devices they use and what risks result. A six-month strategy isn’t unreasonable.


devices. In many cases, the ability to wipe a device within seconds can determine whether the incident winds up being a minor headache or a major security breach.

Other basic considerations include the ability for IT to maintain and control security settings from a single location; have application and data controls, including automatic data encryption and secure transfers through a VPN (the Apple iOS platform has built-in support for encryption whereas many others, including Android, do not); and deploy other standard security protections, including antivirus, data loss prevention (DLP), web filtering and authentication. In some cases, a virtual desktop interface (VDI) streamlines security by eliminating data storage on a thin client or zero client device and instead keeping the files on a central server. VMware and Citrix are key vendors in this space.

However, the primary security focus for many organizations is now mobile device management. Offered by a number of vendors, including AirWatch, BoxTone, McAfee, Microsoft, MobileIron and Symantec, it provides an

mobile devices deployed across different carriers and service providers. In many instances they provide diagnostics, remote configuring and provisioning, backup and restore functions, asset tracking, network support, logging and reporting and GPS tracking. Symantec Mobile Management (SMM), for example, offers comprehensive visibility and control for iPhones, iPads, Androids and other popular mobile devices using a single console and a highly scalable approach. It allows network administrators to establish policy controls that encompass everything from passwords to remote-wipe capabilities.

It also offers endpoint management that helps an organization standardize on a single platform across all enterprise applications. For instance, an administrator can switch off a camera or control access to public app stores. The software is also able to separate corporate and personal data on devices to comply with regulatory requirements.

Forrester’s Wang believes that MDM, while providing a highly useful way to oversee different platforms

can distract business and IT leaders from thinking about the big picture,” Wang explains. In addition, Forrester notes that a one-size-fits-all approach to device management can create problems and inhibit productivity — particularly if classifications and user access issues aren’t clearly analyzed and defined up front.

Other security management tools also play a key role in thwarting data loss and theft. Websense TRITON, for example, integrates web, e-mail and data security in order to provide unified content analysis on a mobile platform. The firm’s enterprise-class DLP works on iPhones, iPads and the Android platform over carrier networks and Wi-Fi.

What’s more, the company continually analyzes mobile apps available for iOS, Android and other platforms and provides insights into potential risks. “It’s crucial to take an integrated approach that addresses mobile applications, data theft and web security,” says Tom Clare, senior director of product marketing at Websense.


Authentication applications are also a valuable piece of the security puzzle. Vendors such as Symantec, DigitalPersona and Imprivata offer solutions to help control and manage network access, including from mobile devices.

For instance, Imprivata’s OneSign for Healthcare offers a number of key capabilities, including a single sign-on access management tool for EMR access on personal computers as well as various mobile devices. The solution provides a high level of functionality, flexibility and scalability across an organization.

The system is designed to improve clinician workflow and reduce IT administration tasks. “Organizations, particularly in healthcare, face enormous challenges,” notes David Ting, CTO for Imprivata.

Wang believes that it is crucial to balance user needs and security. “At the end of the day, both IT operations and security want business owners and business users to see them as partners in their mobility needs. If you take too conservative of an approach to mitigating security and risk concerns on personally owned devices, users will once again see security as just a policy function,” she notes.

Policy Matters

All the leading-edge technology in the world won’t guarantee security, Wang says. It’s important to develop sound policies that address a wide array of issues, including device standards, IT management and support, acceptable usage guidance, financial responsibilities, operational security and legal implications.

Within this umbrella, key issues include organizational accountability, awareness training and developing solid communication with employees and other system users. Remarkably, a Ponemon Institute study found that 53 percent of companies it surveyed have no mobile policy in place and a mere 16 percent had a policy that encompassed the entire enterprise.

One way to mitigate risk, Wang says, is to build an internal app store for distributing software to employees. It’s a strategy that a growing number of organizations are embracing. This approach can help guarantee the quality and safety of apps distributed to employees, and it also lets employees know which apps are the most popular and most useful.


Ultimately, Wang says, it’s critical to recognize that the policies an enterprise deploys affect how it builds out its infrastructure, including mobile support. As a result, it’s essential for IT to develop a strategy and solutions with input from different business units and build a framework for agile mobile deployment and change.

“For each corporate application or resource that users will access via his or her mobile device, you must create a similar checklist,” she points out. Regulated organizations, meanwhile, must ensure that additional controls and reporting tools exist.

ABI Research Practice Director Dan Shey says that it’s important to recognize that there is no such thing as “foolproof security.” Today’s state-of-the-art security systems and processes may prove inadequate tomorrow. In a mobile arena that’s evolving rapidly, the risks are ratcheted up further. “It’s important to create an enterprise-wide security policy and a security governance roadmap that provides an enterprise vision as well as a way to maintain control moving forward,” he explains.

In the end, organizations must be vigilant about external and internal threats relating to mobile security. There’s no simple path to protection and there’s no silver bullet. It’s essential to incorporate an array of security tools and technologies but also focus on the human factor.

Today’s business and IT environment requires an entirely different security mindset, including a thorough understanding of how employees factor into overall data use and security. Concludes Symantec’s Kuhn: “The most successful organizations integrate mobile protection solutions into the overall framework of security.”

THERE’S NO TURNING BACK THE CLOCK ON MOBILITY. Consumers now dictate many of the technologies, tools and solutions that enterprises adopt. As a result, it’s critical to have a policy in place for employees using their own smartphones and tablets. Here are several key components:

DEVICE USE: It’s essential to define which devices will be allowed. Today, this usually means Apple’s iOS, Google’s Android and, in many cases, BlackBerry and Microsoft devices.

AUTHENTICATION: User names and passwords aren’t enough to provide adequate security. Devices must have digital certificates installed and support end-to-end encryption through a VPN. What’s more, the organization must be able to track the user’s identity, device and location, and have a record of access.

REMOTE WIPE: An organization should use remote wipe software in case the device is lost or stolen — or the employee leaves the company.

USER DATA: It’s essential to spell out who owns and controls what data, including files, images and audio files.

APPS: The organization should provide employees with a list of apps that are allowed — as well as those that can’t be used. The latter should only be apps that pose a clear security risk.

AN APPROVAL PROCEDURE: It’s important to offer a procedure for approving new devices and apps. The mobile environment is changing rapidly.

ASSESSMENTS

Security Assessment Assists with Data Loss Prevention

Our solution architects will conduct a comprehensive security assessment to protect against loss both inside and out. Included is a set of security remediation recommendations that are prioritized by risk, cost and business impact.

Stop information and reputation loss with DLP solutions. Call us today to find out how we can help.
