Mobile security: The old ways don't cut it
Establishing a viable and secure mobile device program is about the details: creating the infrastructure and the policies necessary to issue and deploy handhelds and apps — and realizing that mobile security is a different game than traditional network security.
A key place to start is with setting policies, Jon Oltsik, senior principal analyst at the Enterprise Strategy Group (ESG), said at an online session with industry experts June 14. Security is an important part of this process because organizations need to think about users, groups, rules and responsibilities.
IT managers need to ask what they want their mobile programs to do, when and where personnel can access applications, and whether the network and tools will be accessed via a virtual private network, local-area network or wide-area network, he said.
Managers and administrators have to think about the background enterprise architecture because users don’t. “What’s your business objective and how are you going to measure it?” Oltsik said, adding that the same considerations must be made for mobile security.
Organizations also need to consider the product and software life cycle, setting their mobile policies to support business, IT and security cycles. Many organizations mistakenly think that traditional IT infrastructures can support mobile security, but they need to build the infrastructure and policies from the ground up to support it, Oltsik said.
Measurement techniques are key to determining whether these policies are successful. “Unfortunately, that isn’t easy,” he said.
An ESG survey found that mobile devices made network security more complex and difficult for more than half of the organizations surveyed, Oltsik said. Another issue is that existing IT security controls and practices may not be a good fit for mobile devices. “You may have to make some adjustments,” he added.
Device proliferation and complexity can make network access more difficult, said Alex Gray, senior vice president of Juniper Networks. Outdated security policies are another challenge because security based on ports is not applicable to mobile devices. What is needed are policies based on user roles, users and devices, he said.
Security must also be extended to every node (in this case, every device) on the network to cover all users while managing it from a centralized location, Gray said. This approach also requires high levels of automation and consistency. “If it’s not consistent and easy to use, it's going to be rejected,” he said.
ESG’s survey found that organizations’ top challenge is enforcing security policy for mobile devices. One of the more fine-grained considerations for IT administrators is data security on mobile devices. Does data get stored on a user’s device, and what are the vectors to get at that information? These are among the questions organizations must ask, Oltsik said. Mobile device malware is an overlooked but growing problem that organizations need to address, he added.
Juniper began a mobile threat survey in 2010, Gray said. Since then, the survey has indicated that the amount of mobile malware has tripled. “This is a real and present threat, and it’s got to be dealt with,” he said.
To implement a successful mobile security program, organizations need to think in terms of a comprehensive architecture, with policies enforced and managed centrally, Oltsik said.
Among the things that need to be addressed: Organizations need to have control over a device when it enters their networks, device capabilities and applications should be aligned with individual business groups, and network security controls must be aligned with IP subnets and LANs.
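To make concrete what Gray's shift from port-based to role- and device-based policy, and Oltsik's point about controlling a device as it enters the network, look like in practice, here is an added example. It is not code from the session, from ESG or from any Juniper product: a small Python policy engine with constructed users, devices, resources and rules, which evaluates the same request under a legacy port-and-subnet rule and under a central rule set keyed on user role and device state. The names (`hr-app`, `intranet-wiki`, the `managed` and `patched` device attributes) are assumptions for illustration.

```python
"""Port-based versus role/device-based access decisions.

Added example, not from the ESG/Juniper session: a minimal policy engine that
decides whether a request from a mobile device may reach a resource. Every
user, device, resource and rule below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in the organization's device management (assumed attribute)
    patched: bool         # OS at the minimum required version (assumed attribute)
    trusted_subnet: bool  # connected from an "inside" LAN/VPN address


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    port: int


@dataclass(frozen=True)
class Rule:
    resource: str
    allowed_roles: FrozenSet[str]
    require_managed: bool
    require_patched: bool


# Legacy model: a perimeter firewall that trusts the inside subnet and filters on port.
LEGACY_ALLOWED_PORTS = {80, 443}


def port_policy(req: Request) -> bool:
    """Port/subnet decision: it has no notion of user, role or device state."""
    return req.device.trusted_subnet and req.port in LEGACY_ALLOWED_PORTS


# Role/device model: one centrally managed rule set, evaluated identically at every node.
RULES: Dict[str, Rule] = {
    "hr-app": Rule("hr-app", frozenset({"hr"}), require_managed=True, require_patched=True),
    "intranet-wiki": Rule("intranet-wiki", frozenset({"employee"}),
                          require_managed=False, require_patched=False),
}


def role_policy(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is what a central console would log."""
    rule = RULES.get(req.resource)
    if rule is None:
        return False, "no rule for resource (default deny)"
    if not (req.user.roles & rule.allowed_roles):
        return False, f"user {req.user.name} lacks a role in {sorted(rule.allowed_roles)}"
    if rule.require_managed and not req.device.managed:
        return False, f"device {req.device.device_id} is not managed"
    if rule.require_patched and not req.device.patched:
        return False, f"device {req.device.device_id} is not patched"
    return True, "allowed"


def compare(req: Request) -> dict:
    """Evaluate one request under both models so the difference is visible side by side."""
    allowed, reason = role_policy(req)
    return {"legacy": port_policy(req), "role_based": allowed, "reason": reason}


# Constructed sample traffic: a corporate phone and an unmanaged BYOD phone, both on the inside subnet.
ALICE = User("alice", frozenset({"employee", "hr"}))
BOB = User("bob", frozenset({"employee"}))
CORP_PHONE = Device("corp-001", managed=True, patched=True, trusted_subnet=True)
BYOD_PHONE = Device("byod-042", managed=False, patched=False, trusted_subnet=True)

SAMPLE: Dict[str, Request] = {
    "alice_corp_hr": Request(ALICE, CORP_PHONE, "hr-app", 443),
    "alice_byod_hr": Request(ALICE, BYOD_PHONE, "hr-app", 443),
    "bob_corp_hr": Request(BOB, CORP_PHONE, "hr-app", 443),
    "bob_byod_wiki": Request(BOB, BYOD_PHONE, "intranet-wiki", 443),
}


def decisions() -> Dict[str, dict]:
    return {name: compare(req) for name, req in SAMPLE.items()}


if __name__ == "__main__":
    for name, d in decisions().items():
        print(f"{name:15} legacy={d['legacy']!s:5} role_based={d['role_based']!s:5} {d['reason']}")
```

The instructive case is `alice_byod_hr`: the port rule admits it, because an unmanaged phone on the inside subnet talking to 443 looks exactly like a managed one, while the role/device rule denies it and records why. The reason string is the piece a centralized console needs in order to give administrators the visibility Oltsik describes.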
Finally, IT administrators need to know what is going on in their networks to manage activity and mitigate risk, he said.