Facing up to the mobile revolution
- SC Magazine, April 2011
Whether companies are actively encouraging their employees to work on the move, or staff are simply using personal mobile devices of their own accord, security professionals face a major new headache in protecting their organisations from threats, writes Rob Buckley.
Thanks to smartphones and tablets, not to mention the trusty old laptop and the practice of hotdesking, more workers than ever are doing their jobs from multiple locations.
There are, of course, advantages to this. "Many senior decision makers are now embracing mobile a lot more than in previous generations of the technology," says Dimitri Yates, a security consultant at KPMG. "The iPhone looks cool and workers want it for that reason, but it also gives them the ability to work outside of the office. Sure, if you have an idea in the middle of the night you could get out your laptop and fire up the VPN, but reaching for the iPhone removes one more barrier to working."
Using a personal device at work, however, puts corporate data and applications at risk of running outside the enterprise on unsecured devices - which is a potential security nightmare. So how are information security professionals dealing with these problems, and what are the latest technologies available for securing mobile devices?
In some cases, the problems are not being dealt with at all. Last November, Check Point surveyed 130 IT managers and senior staff on the use of personal smartphones for work purposes. The results showed that employees use personal devices for work in 55 per cent of the organisations surveyed, yet 39 per cent of respondents said they had no formal process for deploying security to these devices. Only 37 per cent of the organisations prohibited use of personal laptops or smartphones for professional purposes, although 61 per cent did restrict access to their network or data resources. Such an apparently lackadaisical approach to the issue is worrying - in independent research carried out by Damovo last year, 92 per cent of IT directors stated that employee use of mobile devices had led to an increase in security threats to their organisation.
Worker power
"In the modern organisation, end-users are dictating IT priorities by bringing technology to the enterprise, rather than the other way around," says Robert Ayoub, global program director, network security, at analyst Frost & Sullivan. "This is creating a new challenge of balancing openness with security, where the ultimate responsibility for the security of an organisation falls on the shoulders of end-users - because they can more easily than ever put all the systems and data of the organisation at risk." He adds that mobile devices could pose the single most dangerous security threat to organisations in the years to come.
Laptops, to a certain extent, are a known quantity and organisations will have developed ways to secure them. Most companies will have corporate laptops that have been given a standard build and locked down to prevent new software from being installed. They will have the standard anti-malware tools installed to prevent infections as much as possible. For securely connecting to the corporate network, meanwhile, there will be a VPN. Support may be more difficult to deploy, but remote desktop and patch management tools can help.
Things get harder when people want to use their personal laptops, which could have anything installed on them or run an operating system, such as Linux, that the organisation does not support. Smartphones and tablets take these concerns to new levels, with unfamiliar operating systems that have few of the standard tools and capabilities familiar to IT staff.
The best policy
So what, then, is the best response to consumerisation? The first step, as always, is policy. "Most organisations have security policies, but not for mobile devices," says Yates. "It's best to start from a risk-analysis perspective and focus on the data."
Since data loss is the main concern with mobile devices, any prevention programmes will already have done much of the hard work in establishing what can and cannot be stored on employees' personal kit. If no such programme has already been implemented, then an inventory should be taken of the organisation's data, establishing where it resides, its importance and the likely impact if it is lost or stolen. Decisions can then be taken about which resources employees can access when using their own devices or working remotely.
Various technologies can restrict what remote users can access. JanusGate Mobile monitors all traffic being passed through Microsoft ActiveSync's Exchange. It can filter messages, contacts and calendar information so that emails from or to certain senders or recipients, or those containing particular words and phrases, are blocked from being sent to mobile devices.
Organisations can then look at how they provide remote access for their employees. Partly because of consumerisation, and because many consumer devices are incompatible with standard VPN technology (or its interface is harder to use on smaller screens), many organisations are looking at more lightweight technologies, typically the SSL capabilities of browsers, to provide portals for access to corporate resources. "The focus is more on using mobile devices as entry points into the cloud. You can use Citrix and VNC to control computers at work, for example, and vendors are coming up with more brilliant ways of accessing data in a controlled way," says Yates.
