Smartphone wave challenges enterprise security

FRAMINGHAM, Mass. — With ever more employees clamoring to use smartphones for both personal and business purposes, IT and security managers are forced to answer tough questions:

First, will there be sanctioned enterprise adoption of Apple’s iPhone — not to mention the iPad — as well as smartphones based on Google’s Android operating system, if not even more varieties?

And, if employees want to use their own smartphone or iPad in business, will that be allowed?

Finally, how will the enterprise prepare to exert management and security controls in a multi-operating system smartphone environment, or figure out how to secure data on a device that the employee, not the enterprise, officially owns?

“It’s coming,” says Terrell Herzig, data security officer at UAB Health System, a hospital and medical research organization based in Birmingham, Ala. “The iPhones, the iPads, the Droid.”

Herzig says medical professionals and staff just bring in the devices and expect to get onto clinical systems. They call the help desk, which reacts with bewilderment before calling the security team. And the demand is so strong that UAB’s CIO has set up a special task force to tackle the issue and figure out whether UAB, which already makes official use of the BlackBerry, should become a multi-smartphone environment, or approve the use of personal devices.

“We’re telling them hold off on buying these devices while we figure it out,” Herzig says.

Just this week, UAB completed its security and configuration measures for the iPad, which will now be officially used with Good Technology’s management and security application.

“The new generation of devices have the capability to do the things we want them to do,” Herzig says. “A lot of people will want to remote desktop from the Droid, which is this week’s big request.”

The prospect of supporting management and security in a multi-operating system smartphone environment, or letting the employee use his or her own device instead of buying one for them, is now hotly debated among consultants and analysts.

“Most of the security can’t scale to the number of devices the users will bring,” says Kalani Silva, director of business transformation enablement at Presido Network Solutions in Greenbelt, Md. Silva believes trying to support multiple smartphone types in the enterprise will put demands on IT and security — and add costs — that just aren’t worth it.

The BlackBerry, long established in the enterprise, can be reasonably controlled, Silva says, but that’s not the case today with iPhone and the Android mobile devices. And allowing what’s brought in as a consumer personal device to be used in business suggests there should be some way to securely partition it, which could be a practice in the future, but it’s not today.

Other analysts acknowledge there are risks but say the idea should still be considered.

“It’s a devil’s bargain,” says Andrew Borg, analyst at the Aberdeen consultancy. RIM’s BlackBerry has long been the smartphone staple in the enterprise, and is marketed for that purpose. But the pressure is huge to allow in the stampede of ever-smarter smartphones that are mainly marketed for consumers.

Aberdeen suggests limiting the number of smartphones tested, perhaps to just iPhone or Android, such as the Motorola version. The main consideration is the mobile device management software and whether it extends into the type of management and security controls that are warranted, such as the functions of device lock and device wipe, encryption and being able to lock down access remotely.

Good Technology, Zenprise, Trust Digital (recently acquired by McAfee Inc.), MobileIron, Tangoe and Box Tone are possibilities in what’s called enterprise mobility management for multi-OS smartphone management and security, according to Aberdeen, which is publishing “The Enterprise Mobility Management Solution Landscape” report on this topic next week.

Whether the employee-owned smartphone should be welcomed into official enterprise use, knowing it will also be used for personal purposes, is something each enterprise has to determine based on risk factors, cost advantages and whether access to the device can be adequately controlled. But according to Aberdeen, the phenomenon, started by executives wanting to have the cool devices their kids have, is spreading.

“Heterogeneity is real and enterprises are saying, ‘I have to learn to deal with it,’” says David Goldschlag, McAfee’s vice-president of mobile technologies. Goldschlag says Trust Digital’s own research on what large corporations are doing suggests about a third want to “enable users’ personal smartphones for business.”

Gartner analyst John Pescatore says the IT department’s response to the smartphone wave should be nuanced based on risk and regulatory-compliance factors. However, “our starting point is, for most enterprises, it’s almost impossible to fight this wave.”

Pescatore says that enterprises need to “set a minimal bar” in terms of management and security. At a minimum, any smartphone should have an enforceable mandatory start-up password, an enforced timeout, enforceable encryption and an over-the-air kill capability. ActiveSync support is also preferred.

The key is building those controls around mobility management agent software, but not supporting multiple vendor packages to do that. While these applications, the iPhone and particularly Android cannot today support every desired security function, such as audit and logging, it’s safe to assume they will in the foreseeable future, perhaps next year, Pescatore says.

Pescatore adds that security functions such as browser-based filtering and whitelisting will eventually come for smartphones, and carrier-based cloud security services are likely to present many more options for security services in the future. In fact, Pescatore says the traditional method of loading up PCs and laptops with security software simply “hasn’t worked” to really ward off trouble such as botnets, and he hopes for a different approach as the new wave of smartphones keeps coming. “Let’s not do things the way we did them on the Internet,” he says.

Forrester Research just published a report “Apple’s iPhone and iPad: Secure Enough for Business?” in which analyst Andrew Jacquith ardently argues, “‘No’ is no longer the automatic answer.”

Although the Forrester report calls BlackBerry “the gold standard for secure mobile devices,” Jacquith indicates the time has arrived to let Apple’s iPhone and iPad, including employee-owned ones, into the enterprise for official use under certain restrictions. Desired controls include autolock, autowipe, remote wipe, e-mail session encryption and more.

About employee-owned gear, the enterprise CISO should ask, “in terms of what we’re looking for, what capabilities does that device have? You’re not going to care what brand it is or who owns it,” Jacquith says. “You want the ability to define certain capabilities, such as wiping the device.”

Certainly among the thorniest issues in sanctioned employee-owned devices will be policy restraints, such as confiscation.

There will be times the enterprise will want that device, such as for e-discovery purposes. Jacquith says he’d advise any enterprise to come up with a specific contract binding the employee to relinquish their personal smartphone, if need be. “You have to be very explicit, especially about privacy,” he concluded.

(From Network World U.S.)
