Security and IT professionals have been dreading this day for years, but it’s time to face the facts. Smart phones and tablets can no longer be kept out of the enterprise.
Let’s take a look at a few stats from a recent 1,009-person survey from Forrester Research Inc. Over 56 per cent of responding IT decision-makers in North America and Europe said they allow personally owned smart phones to access company resources.
When it comes to specific brands, 70 per cent of respondents said they support BlackBerry devices, 41 per cent allow Windows Mobile handhelds, 29 per cent support Apple-based devices, and 13 per cent allow Android-based phones.
Andrew Jaquith, a security analyst with Forrester, said 2010 will finally be the year that the number of “post-PC” devices, which include tablets and smart phones, surpasses traditional desktops and laptops in overall sales. By 2015, half of the devices on the average organization’s network will be post-PC devices, he added.
“In the enterprise market, the iPad has been an inquiry magnet for us,” Jaquith said. Financial service companies, in particular, are starting to see the benefit of devices that “do less, but in more places,” he added.
What this trend means for the average security and IT pro is clear. No longer will companies have the ability to arbitrarily veto or limit specific mobile device brands and their usage in the enterprise.
Jaquith said the focus must now shift to managing the new risks these devices pose to enterprises and their sensitive data.
Evaluate device specs, not brands
Instead of letting brand decisions drive your support policies, security and IT professionals need to draft mobile policies that focus on device capabilities and the data that resides on them, Jaquith said.
“The key thing that needs to happen when building a device and information control strategy is to think about the type of information that you’re processing,” he said. Jaquith said data falls into three categories: public, internal, and radioactive (basically covering things that should never escape).
For each data category, security administrators need to determine what capabilities a potential device has in relation to the company’s minimum protection, management, and security needs.
To accomplish this, Jaquith said IT and security pros need to procure a multi-device management (MDM) capability that will allow the business to say “yes” to devices that meet the corporate policy. The MDM tool should be able to determine what functionality users get on their devices and, if necessary, be able to remotely wipe a lost or stolen device.
Chris Christiansen, an analyst for IDC’s security products and services group, approaches the device evaluation process a bit differently.
“I would ban everything and then slowly allow small pilots among trusted users,” he said. “Then you widen the policy to certain business units until you slowly increase the number of different operating systems and apps you support.”
A common pitfall for most mobile security policies, Christiansen said, is that they become either too lenient or too complex. To avoid this, he said, companies need to develop their mobile and device policies relative to the devices and apps employees will be using.
“Most companies do it backwards,” he said. “They buy the technology first and then figure out what the technology is.”
In addition to worrying about devices and apps, security and IT administrators also need to think about their data plans. Christiansen said that many employees will stream video and audio from their smart phones without realizing the data costs or roaming charges they might be incurring.
“You need to develop your plan to address these potentially expensive data charges,” he said.
Consider going thin
As part of Forrester’s recommendations, Jaquith said that organizations might want to implement a thin-client strategy for highly sensitive data. Solutions such as Citrix Receiver can operate on many post-PC devices, he said.
“This is often overlooked by companies,” Jaquith said. “It’s hard to steal data if it’s not there.”
“The simplest and cleanest strategy you can employ for securing devices is to make sure there’s no data on the actual device,” he added.
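The capability-over-brand evaluation Jaquith describes above (three data tiers, a device checked against minimum capabilities for each tier, and thin client as the fallback for the most sensitive data) as a small policy check in Python. This is an added example, not code from the article or from Forrester; the capability names and the per-tier requirements are assumed for illustration.

```python
from dataclasses import dataclass

# Data tiers named in the article, ordered least to most sensitive.
TIERS = ("public", "internal", "radioactive")

# Assumed minimum device capabilities per tier. Names and thresholds are
# illustrative; they are not Forrester's or any MDM product's actual policy.
REQUIRED = {
    "public": frozenset(),
    "internal": frozenset({"passcode", "mdm_enrolled", "remote_wipe"}),
    "radioactive": frozenset({"passcode", "mdm_enrolled", "remote_wipe",
                              "storage_encryption", "app_inventory"}),
}

@dataclass(frozen=True)
class Device:
    """A device described by what it can do, not by its brand."""
    name: str
    capabilities: frozenset = frozenset()

def missing_for(device: Device, tier: str) -> list:
    """Capabilities the device lacks before data of this tier may live on it."""
    return sorted(REQUIRED[tier] - device.capabilities)

def access_mode(device: Device, tier: str) -> str:
    """Decide how a device may touch data of the given tier:
    'native' (requirements met, data may be stored on the device),
    'thin-client-only' (radioactive data only via a remote session, so nothing
    is stored on the device: the article's thin-client fallback), or 'denied'.
    """
    if tier not in TIERS:
        raise ValueError(f"unknown data tier: {tier}")
    if not missing_for(device, tier):
        return "native"
    if tier == "radioactive" and not missing_for(device, "internal"):
        return "thin-client-only"
    return "denied"

def highest_native_tier(device: Device) -> str:
    """Most sensitive tier whose data may be stored on the device."""
    # 'public' has no requirements, so the list is never empty.
    return [t for t in TIERS if not missing_for(device, t)][-1]

# Constructed sample devices, not real inventory.
MANAGED = Device("managed tablet", REQUIRED["radioactive"])
PERSONAL = Device("personal phone", REQUIRED["internal"])
UNMANAGED = Device("unmanaged phone")
```

The personal phone qualifies for internal data natively but only reaches radioactive data through a thin client, which is exactly the split the article recommends.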
Tune out the security vendors
Whether or not an organization goes thin client, Jaquith said, smart phones and tablets are a lot safer from attacks and security threats than their bigger form-factor counterparts. He said PCs need a client security suite, full disk encryption, device control tools and other compliance software, while many smart phone platforms have native equivalents.
But, of course, this isn’t what security vendors are telling you.
Jaquith said vendors are downplaying the improved security of smart phones and tablets and instead continue to push mobile antivirus or other endpoint products to potential clients. The research analyst said IT shops should continue to avoid these types of products.
With the typical PC and laptop threats off the table, Jaquith argued, IT departments need to worry about their theft and lost-device policies. “They need to pivot from threat oriented to data loss oriented,” Jaquith said.
A solid MDM platform with the ability to locate devices by GPS, keep tabs on user-installed apps and wipe data remotely is a much better investment than mobile antivirus, he added.
Combine security and mobile ops teams
As for who will take responsibility for managing mobile security, Jaquith said that organizations should take a page from the handset and post-PC operating system makers. These vendors are now taking responsibility for every aspect of the device experience, including security.
Jaquith advised companies to consolidate the teams responsible for device management and security management. “Mobile management brings these functions together so it makes sense to merge them,” he said.
Forrester advises its clients that the most effective mobile device managers will typically be IT infrastructure and operations teams, with security teams serving as close consultants.
There’s an app store for that?
An idea for the not-too-distant future could be to actually hunker down and create your own corporate app store. Jaquith said it wouldn’t be surprising to see the functionality built into MDM products to help distribute approved apps more efficiently and effectively.
“We’re going to see this strategy take hold and find its way into more fully baked products, but this is a work in progress right now,” he said. Jaquith expects this idea to be driven by Apple’s iPad, which he said is generating big interest in custom app development and distribution.
Setting aside the difficulty of pulling off such an endeavor, Christiansen said companies would probably be better off simply creating a “whitelist” of approved apps for their users to download.
Never stop training
For Rahul Parmar, a research analyst with London, Ont.-based Info-Tech Research Group Ltd., the most important part of a mobile security strategy is getting the end users educated on how to do their part to protect the company.
To train staff on the dangers of forwarding e-mails with secure data and misplacing their devices, Parmar advised IT and security professionals to organize town hall meetings. “Get the users into a room and talk about this stuff,” he said.
Parmar added that “users that aren’t willing to play by your rules shouldn’t be allowed on the network.”
Christiansen agreed with Parmar, stressing education and acknowledgment as critical best practices.
“Create the policy, make people attest to reading it, repeat the key elements verbally, sharply limit what the device has access to, require a VPN client be downloaded,” he said.