10 Best IT Practices for Smartphone Security
09/15/10 5:00 AM PT
The use of smartphones as business tools has reached a tipping point. Soon, mobile phones will overtake PCs as the most common Web access devices worldwide. As a result, employees will look less to corporate IT as a source for technical leadership. As mobile phones provide cutting-edge smartphone technology, employees will look to consumer-oriented vendors that cater to their own personal needs, rather than those of their employers.
The issue is that consumer smartphone platforms are inherently insecure, as mobile network endpoint devices are exposed to the threats of the Web. Whether corporate-issued or personally owned, smartphones easily move in and out of the network, traversing internal and external firewalls. It is harder for IT to control what users do with their smartphone devices -- and consequently, to keep them from exposing business data to security threats.
A smartphone that can access the network via a wireless access point represents the same kind of threat as any other endpoint. The only difference is that a phone is less likely to be running the very latest (if any!) antimalware security software.
The proliferation of smartphones in corporate environments creates a new and wider potential for data loss and leakage, whether by theft, unauthorized access or unauthorized transmission. As with any mobile endpoint on the network, password and authorization security are paramount to securing network access at the gateway. In addition, a growing amount of sensitive and proprietary data is lost and leaked via smartphone email attachments and FTP uploads -- whether unintentionally or maliciously.
Smartphone content is more vulnerable to loss or theft, as network access codes, usernames and passwords are often unsecured or set for automatic log-on. Consumers who "jailbreak" phones to customize carriers or features often leave themselves open to root password hacks.
Moreover, the same threats that traditionally plague computer operating systems can attack smartphones when transmitted in emails, social media sites, games, screen savers, pictures, text messages, tweets, audio clips, slide shows -- or in some cases, by shady URL-shortening services.
Smartphones can magnify malware distributions that employ email spam, phishing, pharming and pretexting. Because smartphones represent a more intimate communications channel than computers, users are more likely to interact with files masquerading as personal communications.
Likewise, users cannot as easily detect cues that a website is a false front on a handset with a small screen. While the infection may not be apparent, even after the phone has been compromised, the malware file can still propagate into an IP network from the unsecured handset endpoint.
Further, the preponderance of interactive Web 2.0 and streaming media traffic over smartphones can potentially affect wireless network throughput. Some of these applications, such as streaming video applications, constantly evolve to avoid control. In addition, like any Web-facing endpoint device running applications over the network, smartphones present a potential channel for forced denial-of-service attacks.
10 Best Practices
Corporate use of smartphones demands a universal, platform-agnostic approach to security best practices, which treat all smartphones as uncontrolled endpoints. Organizations should strongly consider implementation of the following best practices using currently available technologies such as SSL VPNs and next-generation firewalls with application intelligence and control.
1. Establish corporate smartphone policy. IT should define and communicate a corporate smartphone use policy, even if difficult to enforce on personal devices. For example, a policy might recommend having users set strong passwords to access their devices; require smartphone antivirus and antimalware software installation; require lost or stolen smartphones that connect to the network to be reported to IT immediately; etc.
2. Treat all smartphones as uncontrolled endpoints. Smartphone users' identities can be stolen, hacked or inappropriately shared. Smartphones can get lost, stolen or borrowed. Device identification technology uses serial number information to allow organizations to associate a specific smartphone to a specific user. This provides a watermark for the device, and allows IT to remotely disable it and erase all sensitive data.
3. Establish SSL VPN access to corporate resources. A Secure Sockets Layer virtual private network (SSL VPN) can provide a centralized portal for authenticated and encrypted Web-based access to network resources from multiple smartphone operating systems (e.g., Windows, Symbian, BlackBerry, iOS and Android).
4. Comprehensively scan all smartphone traffic. To protect network resources adequately against sophisticated smartphone-transmitted attacks, IT should deploy a Next-Generation Firewall that conducts deep packet inspection of all smartphone traffic traversing the SSL VPN.
5. Control encryption and decryption of smartphone traffic. IT should ensure encryption of smartphone traffic while in transit between the device and the network gateway using SSL VPN. In addition, IT must be able to decrypt smartphone traffic for comprehensive scanning using DPI SSL, and re-encrypt it for subsequent transmission.
6. Maximize firewall throughput to eliminate latency. To minimize impact upon latency-sensitive applications, such as videoconferencing, voice over IP (VoIP), and real-time interactive Web 2.0 applications, the next-generation firewall platform must be able to comprehensively scan and prioritize smartphone traffic in real-time.
7. Establish controls over smartphone application traffic. Smartphone users rely heavily upon Web 2.0 applications, and are especially prone to their inherent threats and vulnerabilities. Application intelligence and control technology can extend firewall functionality to identify, categorize, control and report upon application usage over the network.
8. Establish smartphone wireless access security. Most consumer smartphones have WiFi functionality and are highly vulnerable to attacks while connected to unencrypted WiFi hotspots. Security for corporate wireless networks has to be at least on par with wired networks that run deep packet inspection, by running traffic through a comprehensive firewall. For employees connecting back to the network over public hotspots, IT should apply SSL VPN connectivity and deep packet inspection at the network gateway.
9. Manage smartphone VoIP traffic. As VoIP is used more frequently as a corporate communications platform, it will play an increasing role in smartphone Web traffic. VoIP traffic is susceptible to quality-of-service issues such as latency, jitter, packet loss and echo. Application-intelligent bandwidth management can dedicate throughput to latency-sensitive smartphone applications such as VoIP, as well as limit bandwidth-consuming traffic, such as YouTube.
10. Manage smartphone traffic bandwidth. Organizations need to protect the converged voice-and-data communications that today's smartphones feature. At the same time, corporations need to continue to optimize quality of service and bandwidth management through wire-speed throughput (low latency) and bandwidth control, as well as prioritization on a per-application and per-user basis.
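Practices 1 and 2 together imply an admission check at the gateway: a session is allowed only when the handset's serial number is enrolled, bound to the user who just authenticated, and not reported lost or stolen. The sketch below is an added example, not code from the article or from any vendor product; the class names, reason strings and wipe queue are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    REPORTED_LOST = "reported_lost"   # practice 1: user reported loss or theft to IT


@dataclass
class Device:
    serial: str
    owner: str
    status: Status = Status.ACTIVE


class DeviceRegistry:
    """Hypothetical serial-to-user registry; the serial is client-reported, so check it only after user login."""

    def __init__(self):
        self._devices = {}
        self.wipe_queue = []          # serials awaiting remote disable and erase

    @staticmethod
    def _norm(value):
        return value.strip().upper()

    def enroll(self, serial, owner):
        key = self._norm(serial)
        if key in self._devices:
            raise ValueError(f"serial {key} already bound to a user")
        self._devices[key] = Device(key, self._norm(owner))

    def report_lost(self, serial):
        self._devices[self._norm(serial)].status = Status.REPORTED_LOST

    def admit(self, serial, authenticated_user):
        """Return (allowed, reason) for a session whose user has already authenticated."""
        device = self._devices.get(self._norm(serial))
        if device is None:
            return False, "unenrolled_device"
        if device.status is not Status.ACTIVE:
            # Valid credentials do not matter: the handset itself is no longer trusted.
            if device.serial not in self.wipe_queue:
                self.wipe_queue.append(device.serial)
            return False, "device_reported_lost"
        if device.owner != self._norm(authenticated_user):
            return False, "user_device_mismatch"   # borrowed handset or shared credentials
        return True, "ok"
```

The order of the checks matters: a lost handset is refused and queued for wipe even when the credentials presented are valid, which is the case the serial binding exists to catch.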
In summary, corporate use of smartphones demands a universal, platform-agnostic approach to security best practices that treats all smartphones as uncontrolled endpoints. Organizations can implement these best practices using currently available technologies, such as SSL VPNs and next-generation firewalls with application intelligence and control.
Patrick Sweeney is VP, network security business unit, at SonicWALL.