Rogue mobile devices threaten enterprise security
User demand driving device integration, security concerns
Only two years ago, users got their hardware and devices at the office. Today, however, a growing number of employees are coming to IT with their own tablets and mobile devices demanding network access, and the ability to use those devices in their day-to-day work environments. And, increasingly, their requests are being fulfilled, even in the government sector, since cost savings and user satisfaction are top of mind. According to a November 2010 study from research firm Ovum and the European Association for e-Identity and Security (EEMA), 48 percent of employees are allowed to use their own mobile devices to connect to corporate infrastructures.
While it may be good for users, some IT managers are struggling with this decision, according to the same report. In fact, eight out of 10 CIOs surveyed said the practice of using smartphones in an enterprise increases its security vulnerabilities.
“From a user’s perspective, it’s more freedom because they are picking their own devices, but now, as an employer, you need to figure out how to secure the device. There may also be a legal liability question when you use a device for both personal and work,” explains Sascha Segan, lead analyst for mobile devices at PCMag.com. The worst part, he said, is that many users don’t even ask, going around IT and using their devices to perform job-related tasks, send and receive work e-mails, and access an organization’s data.
Unlike in the days when the company owned the device and every byte on it, and could wipe it clean or remotely disable it at will, there is no single silver bullet for managing these rogue devices. That fact is changing the way IT handles almost everything under its care, including servers, remote access, and data storage.
Reining in Control
It’s fairly clear that allowing user devices to connect to an organization’s infrastructure works only if IT starts two steps ahead of users, taking not just technology but people and processes into account, said Dr. Michael Salsburg, a spokesperson for the Computer Measurement Group, a nonprofit group focused on ensuring the efficiency and scalability of IT service delivery.
“You need to adapt all of the processes and best practices you use in the data center so that — from an end-user perspective — there’s no difference between how I use my laptop and how I use my tablet or smartphone to connect to the network,” he said.
For those organizations that are willing to allow access, standardization can definitely help, said Richard Schum, senior industry analyst at research firm INPUT, since it reduces problems for the IT department. The National Institute of Standards and Technology (NIST) is, in some cases, working on certifying mobile applications and platforms such as cloud computing, as well as device- and operating-system-specific security. BlackBerry devices, for instance, can be configured to use cryptographic modules validated under Federal Information Processing Standard (FIPS) 140-2. “It makes it easy to set policies, and if something does go wrong, it takes some of the onus off of IT,” said Schum.
Network connections should also be secured. Anyone accessing the infrastructure via his or her carrier connection or Wi-Fi should do so over an encrypted VPN. “On the IT side of things, the main focus has to be on a secure connection,” agrees Albert Lee, an analyst with Enterprise Management Group. “Everything has to be under the auspices of the IT department, and based on the government labs and agencies I’ve been working with, there’s a different level of security needed due to data sensitivity, so additional planning is necessary.”
Even with a VPN, controls must be in place to make sure each user can access only what is necessary to do his or her job. Unfettered access is a risk, which is why IT should follow a least-privilege, "less-is-more" mandate: deny by default, and grant each role only the applications and the subsets of data it actually needs.
“Certainly, with the advancements in identity access management (IAM), you can use role-based security for any device that you’re using to connect to the Internet,” said Brad Eskind, principal federal technology leader at Deloitte. “This identifies you as an individual and the role you have [within an organization] to give you access to the applications you should have access to as well as to the right subsets of data, cutting down on malicious penetrations.”
Finally, organizations may want to look into mobile device management (MDM) solutions, which help IT distribute software to mobile devices, enforce their configuration, and raise security across the board. In many cases an MDM solution can remotely lock a lost or stolen device, or wipe the organization's data and proprietary information from it. “Allowing use of smartphones affects employee recruitment and retention,” said Schum. “This may not be a popular response, but it’s worth the effort to make it work.”
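The three controls the article recommends for employee-owned devices (an encrypted VPN session, role-based entitlement to applications, and role-scoped access to data) fit naturally into a single deny-by-default access check, with MDM enrollment as the device-posture condition. The following is an added illustration written for this page, not code from any analyst, vendor or product named above; the roles, applications, data classifications, and the `authorize` and `visible_records` helpers are hypothetical, and the sample records are constructed.

```python
"""Least-privilege access gate for employee-owned mobile devices.

Added example (not from the original article). Every control the
article calls for is checked, and any missing control denies the
request outright: the session must arrive over the corporate VPN, the
device must be enrolled in MDM (so it can be locked or wiped), the
user's role must be entitled to the application, and the returned data
is filtered to the subsets that role may see. All names are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical role -> application entitlements. Roles absent from this
# table get nothing: the policy is deny-by-default.
ROLE_APPS = {
    "analyst": {"reports"},
    "hr": {"reports", "payroll"},
    "admin": {"reports", "payroll", "mdm-console"},
}

# Hypothetical role -> data classifications the role is cleared to read.
ROLE_DATA_SCOPE = {
    "analyst": {"public"},
    "hr": {"public", "pii"},
    "admin": {"public", "pii", "secret"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    mdm_enrolled: bool   # managed by the MDM, so it can be locked or wiped
    over_vpn: bool       # this session came in through the encrypted VPN


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: Device
    app: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    data_scope: set = field(default_factory=set)


def authorize(req: Request) -> Decision:
    """Evaluate the request against every control; first failure denies."""
    if not req.device.over_vpn:
        return Decision(False, "session is not over the corporate VPN")
    if not req.device.mdm_enrolled:
        return Decision(False, "device is not enrolled in MDM")
    if req.app not in ROLE_APPS.get(req.role, set()):
        return Decision(False, f"role {req.role!r} is not entitled to {req.app!r}")
    # Grant only the data subsets this role is cleared for (least privilege).
    return Decision(True, "ok", set(ROLE_DATA_SCOPE.get(req.role, set())))


def visible_records(req: Request, records):
    """Return only the records the role may see; nothing at all on a deny."""
    decision = authorize(req)
    if not decision.allowed:
        return []
    return [r for r in records if r["classification"] in decision.data_scope]


# Constructed sample data for the demonstration.
RECORDS = [
    {"id": 1, "classification": "public", "body": "quarterly headcount"},
    {"id": 2, "classification": "pii", "body": "salary for employee 42"},
    {"id": 3, "classification": "secret", "body": "acquisition target"},
]

if __name__ == "__main__":
    managed = Device("tab-01", mdm_enrolled=True, over_vpn=True)
    rogue = Device("phone-99", mdm_enrolled=False, over_vpn=True)
    for req in (Request("alice", "analyst", managed, "reports"),
                Request("bob", "hr", managed, "payroll"),
                Request("bob", "hr", rogue, "payroll"),
                Request("alice", "analyst", managed, "payroll")):
        d = authorize(req)
        print(req.user, req.role, req.device.device_id, req.app, "->",
              "ALLOW" if d.allowed else "DENY", d.reason,
              [r["id"] for r in visible_records(req, RECORDS)])
```

The point of the structure is that an unmanaged ("rogue") device is refused before role or data are even considered, and that a role the policy has never heard of is treated exactly like a role with no entitlements, so adding a new device type or a new user never widens access by accident.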