Recent trends in enterprise mobility have made mobile device security an imperative. IDC reported in 2010 that for the first time smartphone sales outpaced PC sales. Faced with this onslaught of devices and recognizing the productivity and cost benefits, organizations are increasingly implementing bring-your-own-device (BYOD) policies. Research firm J. Gold Associates reports that about 25%-35% of enterprises currently have a BYOD policy, and they expect that to grow to over 50% over the next two years. This makes sense as mobility evolves from a nice-to-have capability to a business advantage.
But the competitive edge and other benefits of mobility can be lost if smartphones and tablet PCs are not adequately protected against mobile device security threats. While the market shows no sign of slowing, IT organizations identify security as one of their greatest concerns about extending mobility. The purpose of this Learning Guide is to help assuage some of those concerns by arming you with knowledge of mobile device security threats and how to implement protection measures.
Mobile device security threats
Mobile devices face a number of threats that pose a significant risk to corporate data. Like desktops, smartphones and tablet PCs are susceptible to digital attacks, but they are also highly vulnerable to physical attacks given their portability. Here is an overview of the various mobile device security threats and the risks they pose to corporate assets.
Mobile malware – Smartphones and tablets are susceptible to worms, viruses, Trojans and spyware, just as desktops are. Mobile malware can steal sensitive data, rack up long-distance phone charges and collect user data. High-profile mobile malware infections are few, but that is likely to change. In addition, attackers can use mobile malware to carry out targeted attacks against mobile device users.
Eavesdropping – Carrier-based wireless networks have good link-level security but lack end-to-end upper-layer security. Data sent from the client to an enterprise server is often unencrypted, allowing intruders to eavesdrop on users’ sensitive communications.
Unauthorized access – Users often store login credentials for applications on their mobile devices, making access to corporate resources only a click or tap away. If such a device falls into the wrong hands, an unauthorized user can just as easily access corporate email accounts and applications, social media networks and more.
Theft and loss – Couple mobile devices’ small form factor with PC-grade processing power and storage, and you have a high risk of data loss. Users store a significant amount of sensitive corporate data, such as business email, customer databases, corporate presentations and business plans, on their mobile devices. It only takes one hurried user to leave their iPhone in a taxicab for a significant data loss incident to occur.
Unlicensed and unmanaged applications – Unlicensed applications can expose your company to legal costs. But whether or not applications are licensed, they must be updated regularly to fix vulnerabilities that could be exploited to gain unauthorized access or steal data. Without visibility into end users’ mobile devices, there is no guarantee that they are being updated.
Mobile device policies
A mobile device policy is a written document that outlines the organization’s strategy for allowing tablet PCs and smartphones to connect to the corporate network. A mobile device policy covers who gets a mobile device, who pays for it, what constitutes acceptable use, user responsibilities, penalties for non-compliance, and the range of devices and operating systems the IT organization supports. In order to make these decisions, it is important that management understands what data is sensitive, whether data is regulated and the impact mobile devices will have on that data.
Anti-malware for mobile devices
Several vendors offer anti-malware for mobile device operating systems to prevent infection by viruses, worms and Trojan horses. However, unless you have standardized on a mobile device platform, a stand-alone antivirus solution will be difficult to manage, as each OS will likely need its own solution. Alternatively, anti-malware technology is built into a variety of endpoint security and mobile device management products that are designed to protect tablet PCs and smartphones in a centralized implementation. Again, you’ll want to be sure that the OSes you support are covered.
Encryption for mobile devices
Encrypting data at rest and in motion helps prevent data loss and successful eavesdropping attempts on mobile devices. Carrier networks have good encryption of the airlink, but the rest of the value chain between the client and enterprise server remains open unless explicitly managed. Contemporary tablet PCs and smartphones can secure Web and email with SSL/TLS, Wi-Fi with WPA2 and corporate data with mobile VPN clients. The primary challenge facing IT organizations is ensuring proper configuration and enforcement, as well as protecting credentials and configurations to prevent reuse on unauthorized devices.
Data at rest can be protected with self-protecting applications that store email messages, contacts and calendars inside encrypted containers. These containers separate business data from personal data, making it easier to wipe business data should the device become lost or stolen.
Authentication and authorization for mobile devices
Authentication and authorization controls help prevent unauthorized access to mobile devices and the data on them. Ideally, Craig Mathias, principal with advisory firm Farpoint Group, says IT organizations should implement two-factor authentication on mobile devices, which requires users to prove their identity using something they know, such as a password, and a second factor, such as a fingerprint. In addition to providing robust authentication and authorization, Mathias says two-factor authentication can also be used to drive a good encryption implementation. Unfortunately, two-factor authentication technology is not yet widely available in mobile devices. Until then, IT organizations should require users to use native device-level authentication (PIN, password).
Remote wipe for mobile device security
Authentication and encryption help prevent data loss in the case of mobile device theft or loss, but physical security can be further fortified with remote wipe and “phone home” capabilities. Native remote lock, find and wipe capabilities can be used to either recover a lost mobile device or permanently delete the data on it. Be careful, however, if you choose to use these features. Experts recommend defining policies for these technologies and asking users to sign a consent form. Remote wipe could put the user’s personal data at risk, and “phone home” or “find me” services can raise privacy concerns.
Mobile device management
When experts and IT professionals talk about securing mobile devices, the conversation often turns to mobile device management systems, and for good reason. Most mobile device management products include basic security functionality. They also enable centralized visibility, policy configuration, application provisioning and compliance reporting for any mobile device that accesses network resources – regardless of who owns it. These functions are key security controls and their centralized management makes them practical. For example, most mobile device management systems feature Exchange ActiveSync policies, which allow you to deny corporate mail access by unencrypted devices. Others offer more extensive and transparent control to enable IT organizations to enroll and secure iPads, for example, without relying on iTunes or Exchange.
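As an added example that is not part of this guide, the following Exchange 2010 Management Shell commands show how an Exchange ActiveSync mailbox policy enforces the device-level authentication, data-at-rest encryption and remote wipe controls discussed in the preceding sections. The policy name, mailbox alias and notification address are placeholders.

```powershell
# Added example: an Exchange ActiveSync mailbox policy that requires native
# device authentication and refuses mail access to devices that cannot encrypt
# their storage. Names and addresses below are constructed placeholders.

# 1. Define the policy. Each setting maps to a threat discussed in the guide.
$baseline = @{
    Name                            = "BYOD-Baseline"  # placeholder policy name
    DevicePasswordEnabled           = $true      # native PIN/password (unauthorized access)
    AllowSimpleDevicePassword       = $false     # reject trivial PINs such as 1234
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = "00:05:00" # auto-lock after five idle minutes
    MaxDevicePasswordFailedAttempts = 10         # device wipes itself after 10 failures
    RequireDeviceEncryption         = $true      # data at rest (theft and loss)
    AllowNonProvisionableDevices    = $false     # deny devices that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @baseline

# 2. Assign the policy to a mailbox. Devices that do not accept it are denied
#    corporate mail, which is the "deny unencrypted devices" control above.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Theft/loss response: list the devices partnered with the mailbox, then
#    queue a remote wipe for the one that was lost. The wipe runs the next
#    time the device syncs and erases the whole device, including personal
#    data, so the guide's consent-form advice applies before running it.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceFriendlyName, DeviceType, LastSuccessSync, Identity

Clear-ActiveSyncDevice -Identity "<device Identity value from the list above>" `
    -NotificationEmailAddresses "itsec@example.com" -Confirm:$false
```

A device that has acknowledged the wipe shows a non-empty DeviceWipeRequestTime in Get-ActiveSyncDeviceStatistics output; a device that never syncs again never receives it, which is why the guide pairs remote wipe with local controls such as the failed-attempt limit.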