Who Watches the Watchmen, Part 4: The Mobile Device Maelstrom
Smartphones are no longer the exclusive domain of the geek IT set. As the devices become more mainstream, a growing number of employees at enterprises and government organizations desire to use their personal smartphones to conduct official business. Failing to manage private data on these devices can result in a security nightmare.
06/06/11 9:07 AM PT
Enterprises and other large organizations have already begun riding the wave of the consumerization of IT, and the voice of the mobile device user is being heard through the land.
Even the U.S. federal government is reportedly letting staff bring in their own mobile devices to use at work, leading to a shift away from BlackBerry devices and toward iPhones and Android smartphones, and some agencies are testing the use of iPads at work.
But what are the risks related to the increasing penetration of mobile devices into the enterprise and government fields?
According to McAfee's Q1 threat report, Symbian and Android are the most popular environments for mobile malware.
Apple's iOS won't necessarily get a pass; hackers have already begun targeting the Mac OS X platform, and they might soon look at iDevices as well.
This move toward mobile devices "has fundamentally shifted the way that technology and, thus, security is being deployed and managed," Vincent Liu, managing partner at Stach & Liu, told TechNewsWorld.
"Think of it as establishing a new B2B connection to every user with a smartphone," Liu added.
Slouching Towards Federal IT Security Mayhem?
The Research In Motion BlackBerry platform has long been the mobile device of choice for federal agencies because it's perceived to offer a high degree of security.
"BlackBerry smartphones were built as government-strength devices and therefore came with built-in encryption capabilities as well as a management tool that enabled an organization's IT team to remotely wipe the phone or administer any patches," Torsten George, a vice president at Agiliance, told TechNewsWorld.
Most consumer devices don't measure up and "often, the built-in security is limited to the password-protected login screen," George said.
Further, mobile management software is not available for all smartphone vendors, and if it is available, enterprises would have to run multiple instances of that software to manage the devices the way they manage BlackBerries.
The Other Side of Smartphone Midnight
However, other security experts hold that moving off the BlackBerry platform and onto other smartphone platforms may not be so bad and, in fact, may be beneficial.
"While BlackBerries have a good record for security, they provide a monoculture for attackers," Mike Murray, a managing partner at MAD Security, pointed out.
"An attacker who was able to compromise the organization's BlackBerry infrastructure had access to all the information," Murray told TechNewsWorld.
Diversity in the mobile devices used in an enterprise might improve security, although it will come with increased operational complexity and cost, Murray said.
"BlackBerry devices have never been secure; they've only been less insecure than other devices in that they've had more security features than other platforms," Liu of Stach & Liu declared.
Encryption technologies and software for iOS and Android devices have improved to the point where they have "quickly closed the gap," and will eventually provide the same level of security as BlackBerries, Liu suggested.
Further, the federal government carries considerable clout because of its size, and that might make a difference.
"Whatever the federal government moves towards becomes a market in and of itself, so I would predict that there will be many companies that will be moving to fill the need [for more security on other smartphone platforms]," Liu said.
Leveraging the Web
Moving to other smartphone platforms will let federal agencies "leverage the latest Web application development technologies, including HTML 5, in order to deliver their applications in a platform-neutral way," Darren Platt, chief technology officer at Symplified, suggested.
New client applications should be written as Web apps so they can be accessed from the widest variety of client devices easily, and the feds can work with the private sector on device and network security, Platt told TechNewsWorld.
Federal agencies can use Web application architectures that don't store sensitive data on the client mobile device, Platt remarked.
Riding Herd on Mobile Devices
One of the biggest worries for enterprises and federal agencies is the potential for security breaches and loss of data, either through users' mobile devices being hacked or their taking sensitive data home with them on their devices.
Organizations that write new mobile client apps as Web apps should implement single sign-on so users don't have to cope with multiple usernames and passwords for the different applications they use, Symplified's Platt suggested.
They should also require multi-factor authentication and audit their users' access to the applications they provide to ensure they don't exceed the scope of their permissions.
"Too many organizations assume that their controls are working," Platt stated. "It's important for them to also do the auditing to validate that they are."
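Platt's point is that the MFA and permission-scope controls should be validated from audit records rather than assumed to work. The following is an added illustration, not code from the article or from Symplified: it walks a constructed SSO audit log (JSON per line, a hypothetical format) against a constructed entitlement table and reports any allowed access that fell outside a user's scope or skipped MFA.

```python
import json
from collections import namedtuple

# Constructed entitlement table (hypothetical): user -> applications the
# organization has actually granted. Values are made up for this example.
ENTITLEMENTS = {
    "alice": {"hr-portal", "timesheet"},
    "bob": {"timesheet"},
}

# Constructed SSO audit records, one JSON object per line (hypothetical format).
AUDIT_LOG = """\
{"user": "alice", "app": "hr-portal", "mfa": true, "result": "allow"}
{"user": "bob", "app": "hr-portal", "mfa": true, "result": "allow"}
{"user": "alice", "app": "timesheet", "mfa": false, "result": "allow"}
{"user": "carol", "app": "timesheet", "mfa": true, "result": "allow"}
{"user": "bob", "app": "timesheet", "mfa": true, "result": "deny"}
"""

Finding = namedtuple("Finding", ["line_no", "user", "app", "reason"])


def audit_access(log_text, entitlements):
    """Return findings where an allowed access contradicts the intended controls.

    Two controls are validated instead of assumed:
      * scope: access allowed to an app the user was never entitled to
      * mfa:   access allowed without multi-factor authentication
    Denied accesses produce no finding; there the control did its job.
    """
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("result") != "allow":
            continue
        user, app = rec["user"], rec["app"]
        # An unknown user has no entitlements at all, so any access is out of scope.
        if app not in entitlements.get(user, set()):
            findings.append(Finding(line_no, user, app, "out-of-scope access allowed"))
        if not rec.get("mfa", False):
            findings.append(Finding(line_no, user, app, "access allowed without MFA"))
    return findings


if __name__ == "__main__":
    for f in audit_access(AUDIT_LOG, ENTITLEMENTS):
        print(f"line {f.line_no}: {f.user} -> {f.app}: {f.reason}")
```

Each finding is a control failure to investigate; a clean run is the evidence that the controls are in fact working.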
Are All Your Data Belong to Us?
Managing data on employee-owned devices won't be difficult, MAD Security's Murray contends.
Employers just have to create and enforce policies on the handling and conveyance of data.
"This is no different from policies stating that employees can't take paper copies home or leave them on their desk," Murray opined.
"Enterprises and government organizations will always own control of their data," Murray stated. "Whether the employee owns the device or not, they don't own the ability to say how the organization can steward their data."
The question of what employers can and can't put on employees' devices is a legal gray zone, Agiliance's George thinks.
"Can or should an employer have the right to determine what can be loaded onto an employee-owned device?" George asked. "For privacy purposes, the answer will always be no."
Therefore, consumer devices "will have to evolve into devices that clearly distinguish the use cases and apply specific security methods when the user connects to an enterprise network," George said.
However, achieving this state will take some time because security tools for mobile devices are still fairly nascent, George pointed out.