Tablet security calls for mobile policy, controlling mobile apps

Tablet security is emerging as a critical issue for IT professionals, as new tablet PCs are announced every week and making their way into the enterprise. Developing a solid mobile policy for tablet security and looking out for dangerous mobile apps should be emphasized in your security strategy, according to Nick Arvanitis, principal security consultant at Dimension Data, a multibillion-dollar global IT solutions and services provider. SearchMobileComputing.com spoke with Arvanitis about the risks that tablet PCs and mobility in general introduce, and his perspective on how enterprises can make mobility more productive while ensuring it is as secure as possible.

Everyone is talking about tablet PCs. Do you see your clients adopting these for business use yet?

Arvanitis: We definitely are. We have existing clients who are being forced into supporting the iPad, specifically, and now a lot of other vendors are coming out with other tablet PCs. Some of them are being forced into support by executives, for example, bringing in their own devices and wanting to access network resources, but a lot of them are also evaluating them as valid business tools. It's definitely becoming a bigger thing.  We're seeing a lot of interest across industries, for example in healthcare, where there are strong business drivers for it.

How do tablet PCs change mobile security strategies for enterprises?

Arvanitis: Mobile devices are computing devices in a very similar vein to a laptop or a workstation, except that the fundamental difference is that the mobile device is usually unmanaged. If you look at a traditional deployment model for a workstation, IT managers will procure the device, have set platforms, standards, operating systems and hardware, and they'll configure the device in a certain way. They issue the device to the user and maintain a lot of control over that device.

That model gets turned on its head when you talk about mobile devices because, in many cases, there isn't necessarily any standard. You may have an employee with a personally-owned device that's getting access to network and corporate resources, and IT doesn't always have management and oversight of that platform. A lot of the systems management tools and processes that enterprises have deployed don't scale to mobile devices.

Is there a difference between managing smartphones and managing tablets?

Arvanitis: Tablets are very close to smartphones; in many cases, they run the same operating system or a slightly different flavor of operating system. Regardless of whether it's tablet or smartphone, you have the same challenges, and the same tools and mobile policies should apply to both of those technologies.

Then why is there so much attention being paid to tablet security right now?

Arvanitis: The view in the security community right now is that the biggest risk to mobile platforms is potentially malicious mobile applications. In a traditional IT model, you'd have users only able to install certain approved applications. It's a completely open marketplace when you talk about mobility. All users have to do to install a mobile app is go to the relevant app store, click a button and download it, and often corporate IT doesn't have any insight into that. The problem's exacerbated by the fact that there's a much smaller barrier to entry. It's much more complex to install software on a workstation or to publish software for workstations, where anyone with a developer account and $99 can publish a mobile app for the app store. The collaboration model and the open model where users are writing applications for other users also introduces other risks, because there's much more opportunity for malicious behavior.

How can IT departments control the mobile apps users are putting on devices?

Arvanitis: It needs to be driven from a mobile device policy standpoint. There are questions an IT department needs to answer when it’s talking about mobility, and the key is to not tackle this from a technology level initially. To approach the mobility space from a security angle, you've got to start out with a governance, risk and compliance perspective. You need to understand, depending on the industry you're in, what data is sensitive, whether there is regulated data or not, and what impact mobile devices will have on that data. From there, things that need to be developed from a mobile policy perspective are questions such as, 'Will I allow users to bring personal devices onto my network, or will I only permit devices we procure and configure and distribute?' Another question is, 'Are we going to allow any platforms, or limit it to certain platforms?'

If an organization is in a position where it knows, from a policy perspective, what the configuration of a device looks like, it can then decide what mobile apps are permitted and what apps aren't permitted. If you're in that kind of position, you can also take additional steps such as evaluating apps before you install them. From a security standpoint, you could review the app's source code or review the app in a running environment. We've got organizations that have expressed a lot of interest in this, and there is technology out there that can do this. But it all goes back to the question of, 'Am I going to allow, essentially, the Wild West, or am I going to have a stricter and more regulated environment?'

What about centralizing corporate resources and restricting access?

Arvanitis: That reflects another trend in the industry called "zero trust," where organizations will take a lot of steps to secure the corporate services that they offer and allow any endpoint. Endpoint security is a nightmare at the moment, not only for smartphones but for workstations, too. Malware attacks are targeting the client, so organizations are saying, 'We'll protect our resources and we'll offer everything to you via a Web browser. Whatever device you've got and whatever happens to it is not our problem, because we don't manage that.' I think that's a very good model. If you've got an organization that is dealing with regulated data, specifically, that's potentially one of the only models, because you never want that data to be sitting on an endpoint device.

Are there any other ways IT can try to ensure security of user mobile devices?

Arvanitis: There is software -- and there are a lot of emerging players because this is a hot area -- that can control mobile devices, from configuration settings that are mandated, like passcodes, all the way through very technical considerations on devices. We're seeing many of the vendors and partners we deal with move toward that space from traditional network access solutions. More and stricter policies are being pushed down by [the software] recognizing the nature of the device that's trying to access the network and then treating it accordingly.

What else do IT pros need to watch out for as far as tablet security?

We're seeing a lot of security research in the Android space. We're going to learn a lot more about mobile platforms this year. At the moment, Android is being raked over the coals by security researchers, and that makes sense because Android is an open platform, and there is open access to the code. On the other hand, you have Apple, whose iOS is closed. Some of the research is almost driven by who paid for it, so you've got the vendors who are telling us devices are secure enough and ready for the enterprise. Then you've got others saying these devices are going to be the end of the world and you've got to put antivirus on them. I think there's a middle ground in between that's the actual reality.

But there are a lot of questions that need to be answered. One of the main countermeasures against theft or loss is remote lock and wipe functionality. It sounds great in theory, but I haven't seen anyone actually try to bypass that remote wipe. If that's possible, it is a massive risk for me.

There are other things, such as passcodes on devices, which have been bypassed already. How robust is that? Can we get around that, and what is the actual impact? In the worst-case scenario, if someone does have an iPad that's connected to the network, and an attacker does manage to run code on the device -- can that attacker use that iPad to attack the rest of the network? These questions will take dedicated security research to answer.

What's the most important piece of advice you give to your customers?

Arvanitis: It's important to understand what the risks are and what can be done to mitigate those. There are risks that are introduced through mobile devices, but any computing device that you choose has risk. There's no one-size-fits-all when it comes to security, and there's no perfect security either. But if you understand what the risks are, and their effects on the business, you can design the appropriate controls and mechanisms that take you to the level that is acceptable. It's understanding the implications instead of rushing into anything. When you're talking about mobility, we have the opportunity to do things from the ground up, and we can do them properly the first time if we think about it.

>>Read more of what Arvanitis has to say about providing mobile security services