Eliminating the Mobile Security Blind Spot
Locking down enterprise systems that remain in the office is one thing. Securing mobile devices like laptops that workers frequently take outside of the office is another matter entirely. An effective mobile security management system goes further than just encrypting the data, writes Alcatel-Lucent's Dor Skuler.
Mar 24, 2009 4:00 AM PT
Office-bound workers at most companies today have a significant amount of IT security available to them when best practices are followed. Their computers are physically secure; their hard drives are hopefully encrypted; secure Web gateways, intrusion-prevention systems and firewalls block dangers from the Internet. Audit trails are in place. Passwords and policies are enforced. Data protection is comprehensive.
Take that computer outside of that office, and much of that protection is not available or much less effective -- creating a "mobile blind spot," when mobile control is in the hands of the employee and no longer in the hands of IT. It's like a driver changing lanes on a busy freeway -- there's often a blind spot where another car might be hiding outside of the driver's field of vision. No matter what precautions the driver takes, the blind spot presents a potential for danger because the driver simply cannot see what's there. This mobile blind spot is an issue because when a laptop leaves the office, it oftentimes takes with it very sensitive data, and the IT department loses visibility of that data. Additionally, IT has no control over the laptop or its usage, and that punches a hole in its security integrity.
2009 is expected to bring even greater security threats, as industry watchers anticipate more attacks via the Web, increasingly dangerous social networking threats and more effective botnets. Add to this an anticipated slew of cyber-laws that will push companies to prove compliance on all computers and restricted data, and it's easy to see the impact the mobile blind spot can have on an enterprise.
The real issue with getting visibility into the mobile blind spot is the comprehensive nature of the solution needed. It must emulate all of the protections offered to office users -- protecting the data on the hard drive, protecting the laptop itself, guarding the connection, providing network access control and facilitating laptop management. Let's address each of these issues individually.
Protecting Sensitive Data
The value of the data on many remote computers makes encryption of the data on a laptop one of the first solutions that many companies implement for remote worker data security. Too frequently, it is often the only solution they implement, leaving the laptop vulnerable in other ways.
The primary solutions needed to protect data on a mobile computer are encryption as well as "remote kill" capabilities. Encryption has evolved in the past few years from file- and folder-based encryption to full-disk encryption (FDE). This is an important advance because it protects swap space and temporary files that can reveal sensitive information. Also, full-disk encryption eliminates the need for the user to differentiate which location on the drive is encrypted; FDE solutions automatically encrypt every file on the hard disk.
In addition to FDE, "remote kill" capabilities are important in the event that the laptop is misplaced or stolen. Given enough computing power, or the right social engineering, a hacker can break an encryption key and gain access to data. With a remote kill capability, once IT learns of the loss of a laptop, it can delete all of the encryption keys/access to the encrypted drive, making it virtually impossible to decrypt the data. The best of these solutions also have the ability to reinstate access if the laptop is recovered. Strong "remote kill" capability will work whenever IT needs it to, regardless of the end user actions -- i.e. even if the laptop is offline or physically turned off. Such solutions leverage out-of-band networks to initiate the kill feature.
Protecting the Device
According to a survey by the Ponemon Institute, nearly 637,000 laptops are lost each year in large to medium-sized U.S. airports. The survey notes that 76 percent of companies surveyed reported losing one or more laptops each year and that 53 percent of people surveyed said that their lost laptops contain confidential company information. Getting these laptops back is a cost-effective way to manage assets, especially in the case where the laptop is misplaced and regaining possession of it would both keep the remote worker productive and would eliminate a security issue.
GPS tracking is an emerging capability built into many new laptops and available as a security add-on for existing laptops that provides the ability to track the whereabouts of the computer if it is stolen.
Data encrypted on the hard drive is not always protected if it's being sent via email or transmitted across an unprotected Internet link. Virtual private networks (VPN) are an essential tool for connectivity protection, encrypting data while it is being transmitted. However, many mobile workers are given the choice of whether to use a VPN by their enterprise.
With so many Web-based threats, an effective VPN solution is always up, any time a user connects to the Internet, regardless of the intended use or the interface over which they connect.
Facilitating Laptop Management
Providing patch management protection to remote devices has always been difficult because of bandwidth limitations or other policies. In fact, many companies measure the time it takes a patch to be implemented from the time it's made available by IT in weeks or even months. Naturally, the need for fast patching is now even greater due to faster vulnerability development and too many patches, with simply not enough time between the time an exploit is in the wild and when IT can send out the patch.
The speed of these viruses can be scary. For example, in early January 2009, the Downadup, aka Conficker, virus began spreading to computers at an unusually fast pace. The virus jumped from 2.4 million to 8.9 million infections in only four days, according to F-Secure. Despite Microsoft's issue of a patch in October, users continued to become infected by the fast-moving virus because they neglected to install the patch.
According to the SANS Internet Storm Center, an unpatched Windows XP system connected to the Internet can be infected in an average of four minutes. This is a troubling fact, considering a sizable amount of remote users routinely neglect necessary patch downloads.
A strong solution targeting mobile users will proactively push patches to the laptop upon the availability of the patch and not rely on the endpoint to pull the patch from the patch management servers.
Another management issue is data backup. Most enterprises implement systematic backups to alleviate the potential loss of data from a computer malfunction. However, these backups rely on frequent transfers of large amounts of information. An employee faced with inconsistent access speeds or only a few minutes a day to log on to the enterprise network may not wait for the daily backup to complete before taking control of the access connection. Employees commonly postpone imminent backups. As a result, overdue backups may build up to the point where large amounts of critical information are exposed to potential risk.
Software update distributions and inventory collections streamline computer management in enterprises with a large base of managed computers. However, this can be difficult to sustain when a sizable number of laptops are assigned to mobile employees.
Even while on the road, the remote worker will need to tap network resources -- with the potential to bring outside viruses to the enterprise network. One of the most popular approaches to restricting network access is with endpoint policy enforcement applications based on network access control (NAC) or network access protection (NAP). These mechanisms restrict network access for hosts with software that does not comply with current corporate policies. When a policy violation is detected while connecting to the enterprise network, the protection mechanisms validate the host software and quarantine the host to a restricted portion of the enterprise network.
Eliminating Mobile Blind Spot
To fully eliminate the mobile blind spot, IT must do its best to emulate the full protection offered to office-bound worker to those in the field. That means putting together a solution that implements all of the functionality mentioned above. This raises management and updating questions for the IT department, so finding as many of the functions as possible in an integrated solution helps to cut down on management and helpdesk calls.
The cost benefit can make the effort worthwhile, as an effective mobile blind spot solution not only makes mobile computing more effective, but also ensures that customer information is protected and any unfortunate hardware losses have a minimal impact on the business.
Dor Skuler is general manager of mobile security at Alcatel-Lucent.