Smart phones are powerful devices that knowledge workers love because they boost productivity (and keep them entertained on planes and in boring meetings). Devices like the iPhone, BlackBerry Torch and the new HTC Aria are therefore in demand in the workplace.
IT departments and security professionals, however, can be less enthusiastic. The reasons for their reticence are articulated in a Gartner paper titled “Comparing Security Controls for Handheld Devices” which lists as its takeaways the following summary:
“Handheld devices are small versions of desktop computers:
• Devices contain powerful processors, memory, and communications capabilities.
• Enterprises have seen the benefits of deploying handheld devices.
• Employees have interest in using devices for business and non-business functions.
• Devices contain sensitive information if they are used in the enterprise.”
The paper also warns that “...if employees are using handheld devices, sensitive information exists on those devices, and enterprises need to include those devices in their security plans.”
But what do you need to plan for?
SearchSecurity ANZ asked experts for their assessments of the risks you face when deploying mobile devices, and was offered the following issues:
• Accidental transfer of information
The default action of an iPhone when connected to a PC, warns Sybase’s Managing Director Dereck Daymond, is to back up its contents. If that happens on an employee’s home PC and the phone contains corporate data, the IT department has lost control of that data.
• Rogue Apps
Fred Borjesson, Check Point’s Regional Endpoint Manager, Asia Pacific, suggests that another item beyond IT’s control is the provenance of the applications users download to and run on handheld devices.
“The security decision is handed over to the end user, who in turn hands over the decision to the application store provider, who in many cases relies on how the mobile developer built the application,” he told SearchSecurity ANZ in an email. “Naturally this is a chain with many links that can easily be broken and as a result there are a number of security concerns.”
• Escaping the firewall
Mike Sentonas, McAfee’s Vice President and Chief Technology Officer for Asia Pacific, points out that smartphones’ email clients may not be connected to applications that prevent access to known sources of malware or other sites established by criminals. “Email received on a smartphone is not immune to traditional phishing scams,” he says. “If a user inadvertently clicks onto a link inside such an email, without any form of security what stops the device connecting to a malicious site?”
Carlo Minassian, CEO and founder of earthwave, believes smartphones can be compromised with attacks that make them hard to use.
“Many smartphones feature GPRS, WiFi and Bluetooth radios,” he says. “All are subject to radio jamming like any other wireless devices constituting a denial of service attack.”
• Gaps in data loss prevention tools
Gartner’s “Comparing Security Controls for Handheld Devices” points out that smartphones contain memory in decent quantities, and can therefore be used to transport data from an enterprise.
“Preventing sensitive information from being sent from a handheld device is much like preventing sensitive information from being sent from any other computing device,” the paper says. “Unfortunately, while vendors have indicated interest in porting DLP tools to handheld devices, the products have not yet materialized.”
If that all sounds like a good reason to give up on mobile internet security before you even start, Gartner recommends basing your security plans on an assessment of how your users put their mobile devices to work when devising a response.
“Pay Attention to Context-Aware Computing in Your Mobile Security Strategy” points out that “Mobile security has always been about ‘context,’ because there are so many permutations possible in the ways that users can gain access to and do their work.” The analyst therefore recommends organisations develop an understanding of where and why users use their mobile devices, so that responses are appropriate and do not hamper productivity.
“When a company's mobile security decisions are ‘out of context,’” it warns, “security fails for a very simple reason: Security that doesn't match the user's context will interfere with the job and probably won't provide the intended protection. Unfortunately, it is sometimes the case that the IT department invests in security and access technologies without first giving consideration to the real use cases.”
Another Gartner paper, titled “Evaluation Criteria for Smartphone Mobile Device Management” has happier news, as it suggests that products will soon emerge to help you manage diverse fleets of smartphones and other mobile devices.
“Although the mobile device management (MDM) market is fragmented with point solutions, it is evolving toward broader solutions that will eventually integrate support for application, security, policy, device, and service management,” the paper says. “Enterprises should take a strategic view of smartphone management and try to align their choice of MDM solution with their mobility strategy.”