Security and IT professionals have been dreading this day for years, but it’s time to face the facts. Smart phones and tablets can no longer be kept out of the enterprise.
Let’s take a look at a few stats from a recent 1,009-person survey from Forrester Research Inc. Over 56 per cent of responding IT decision-makers in North America and Europe said they allow personally owned smart phones to access company resources.
When it comes to specific brands, 70 per cent of respondents said they support BlackBerry devices, 41 per cent allow Windows Mobile handhelds, 29 per cent supports Apple-based devices, and 13 per cent allow Android-based phones.
Andrew Jaquith, a security analyst with Forrester, said 2010 will finally be the year that the number of “post-PC” devices, which include tablets and smart phones, surpass traditional desktops and laptops in overall sales. By 2015, half of the devices on the average organization’s network will be a post-PC device, he added.
“In the enterprise market, the iPad has been an inquiry magnet for us,” Jaquith said. Financial service companies, in particular, are starting to see the benefit of devices that “do less, but in more places,” he added.</P.
What this trend means for the average security and IT professional working with a solution provider is clear. No longer will companies have the ability to arbitrarily veto or limit specific mobile device brands and their usage in the enterprise.
Jaquith said the focus must now shift to managing the new risks these devices pose to enterprises and their sensitive data.
Evaluate device specs, not brands
Instead of letting brand decisions drive your support policies, security and IT professionals need to draft mobile policies that focus on device capabilities and the data that resides on them, Jaquith said.
“The key thing that needs to happen when building a device and information control strategy is to think about the type of information that you’re processing,” he said. Jaquith said data falls into three categories: public, internal, and radioactive (basically covering things that should never escape).
For each data category, security administrators need to determine what capabilities a potential device has in relation to the company’s minimum protection, management, and security needs.
To accomplish this, Jaquith said IT and security pros need to procure a multidevice management capability that will allow the business to say “yes” to devices that meet the corporate policy. The MDM tool should be able to determine what functionality users get on their devices and, if necessary, be able to remotely wipe a lost or stolen device.
Chris Christiansen, an analyst for IDC’s security products and services group, approaches the device evaluation process a bit differently.
“I would ban everything and then slowly allow small pilots among trusted users,” he said. “Then you widen the policy to certain business units until you slowly increase the number of different operating systems and apps you support.”
A common pitfall for most mobile security policies, Christiansen said, is that they become either too lenient or too complex. To avoid this, he said, companies need to develop their mobile and device policies relative to the devices and apps employees will be using.
“Most companies do it backwards,” he said. “They buy the technology first and then figure out what the technology is.”
In addition to worrying about devices and apps, security and IT administrators also need to think about their data plans. Christiansen said that many employees will stream video and audio from their smart phones without realizing the data costs or roaming charges they might be incurring.
“You need to develop your plan to address these potentially expensive data charges,” he said.
Consider going thin
As part of Forrester’s recommendations, Jaquith said that organizations might want to implement a thin-client strategy for highly sensitive data. Solutions such as Citrix Receiver can operate on many post-PC devices, he said.
“This is often overlooked by companies,” Jaquith said. “It’s hard to steal data if it’s not there.”
“The simplest and cleanest strategy you can employ for securing devices is to make sure there’s no data on the actual device,” he added.
Whether or not an organization goes thin client, Jaquith said, smart phones and tablets are a lot safer from attacks and security threats than their bigger form-factor counterparts. He said PCs need client security suite, full disk encryption, device control tools and other compliance software, while many smart phone platforms have native equivalents.
But, of course, this isn’t what security vendors are telling you.
Jaquith said vendors are downplaying the improved security of smart phones and tablets and instead continue to push mobile antivirus or other endpoint products to potential clients. The research analyst said IT shops should continue to avoid these types of products.
With the typical PC and laptop threats off the table, Jaquith argued, IT departments need to worry about their theft and lost device policies. “They need to pivot from threat oriented to data loss oriented, Jaquith said.
A solid MDM platform with the ability locate devices by GPS, keep tabs on user installed apps and wipe data remotely is a much better investment mobile antivirus, he added.
Combine security and mobile ops teams
As for who will take responsibility for managing mobile security, Jaquith said that organizations should take a page out of the handset and post-PC operating system makers. These vendors are now taking responsibility for every aspect of the device experience, including security.
Jaquith advised companies to consolidate the teams responsible for device management and security management. “Mobile management brings these functions together so it makes sense to merge them,” he said.
Forrester advises its clients that the most effective mobile device managers will typically be IT infrastructure and operations teams, with security teams serving as close consultants.
There’s an app store for that?
An idea for the not-too-distant-future could be to actually hunker down and create your own corporate app store. Jaquith said it wouldn’t be surprising the see the functionality actually built into MDM products to help distribute approved apps more efficiently and effectively.
“We’re going to see this strategy take hold and find its way into more fully baked products, but this is a work in progress right now,” he said. Jaquith expects this idea to be driven by Apple’s iPad, which he said is generating big interest in custom app development and distribution.
With the difficulty of pulling off such an endeavor aside, Christiansen said companies would probably be better off simply creating a “whitelist” of approved apps for their users to download.
For Rahul Parmar, a research analyst with London, Ont.-based Info-Tech Research Group Ltd., the most important part of a mobile security strategy is getting the end users educated on how to do their part to protect the company.
To train staff on the dangers of forwarding e-mails with secure data and misplacing their devices, Parmar advised IT and security professionals to organize town hall meetings. “Get the users into a room and talk about this stuff,” he said.
Parmar added that “users that aren’t willing to play by your rules, shouldn’t be allowed on the network.”
Christiansen agreed with Parmar, stressing education and acknowledgment as critical best practices.
“Create the policy, make people attest to reading it, repeat the key elements verbally, sharply limit what the device has access to, require a VPN client be downloaded,” he said.
