A study on the requirement for a mix of well thought out policies and up-to-date technologies to protect digital infrastructures and their data in a mobile or portable context
by Kaspersky Lab, CDW
Mobile devices (notebooks, smartphones and tablets) represent the new norm for staff and managers in all kinds of enterprises. It has become increasingly common to walk into a meeting and find at least one participant with a notebook, two mobile phones (for work and home) and a tablet, and likely all of these devices have Wi-Fi and 3G or 4G data service. Organizations are changing — some rapidly, some slowly — to accommodate new ways of working as bandwidth, computing and accessibility evolve.
For network and security managers, these devices represent the worrisome prospect of organizational data flying around — unsecured — in easy-to-lose and easy-to-compromise packages. Mobile devices are small and valuable, making them favorite targets of thieves. But, in fact, the content on the devices is likely more valuable than the device itself, so security awareness needs to extend to the content itself. Keyboards are hard to use or nonexistent on phones and tablets, often causing users to auto-save their passwords for e-mail and virtual private network (VPN) access — passwords that can open up organizational resources to anyone who picks up the device. For these reasons, the security techniques that work for desktops are not enough for mobile devices.
Policies
Any approach to mobile security must start with establishing a mobile-device policy. Without a policy, network and security teams will be adrift from both a technical and administrative point of view. Policies are a critical first step, for three reasons:
- policies set limits – without a policy, the organization falls into an ‘anything goes’ mode, which can result in security problems and staff conflict
- policies create efficiency – although many IT managers find that setting policies is a tedious process, the result is greater efficiency. A stable organizational context for mobile devices, when it properly involves IT support, removes the inefficiencies of ‘self-service IT’
- policies support compliance – in an environment where nearly every organization fits into some compliance or audit regime, policies for mobile devices and mobile security are part of the process of getting and staying compliant
These policies should cover four areas: device selection, deployment, use and recovery.
Device selection defines which devices are allowed on the organization’s network and which can store sensitive organizational data. It also answers the most important and difficult question: Who owns the device? The word owns here should be taken loosely, because discerning the physical owner of the device — that is, who paid for it — is not nearly as important, from a security point of view, as understanding who controls the device. Generally, the amount of access and information that the IT group grants to a device should be proportional to the amount of control the organization has over it. An uncontrolled device, one owned and managed by the employee, represents a huge security risk if improperly configured.
On the other hand, a device completely managed and configured by the organization is nearly as secure as a desktop at headquarters, and thus can be granted greater access to sensitive information. The issue of control, and the relationship between different levels of control, risk and access, must be front and center at the beginning of any mobile-device policy. There’s been a great deal of talk in the information security community for some time regarding ‘bring-your-own device,’ or BYOD, initiatives. The thinking goes: If a staffer pays $750 for a tablet device that increases information access and improves productivity, then somehow the organization should find a way to allow that device onto its networks. But it’s not as easy as it might seem. The BYOD issue comes back to ownership. If an organization can control and manage the device — regardless of who paid for it — then the risks associated with BYOD can be reduced significantly.
The mass adoption of powerful smartphones and tablets, especially by executives, is having a healthy effect on ossified IT security policies and procedures. When the CEO shows up in the office with a tablet and says, ‘Make this work,’ the IT team is forced to focus on the clear benefits of mobile devices and find creative solutions to provide secure mobility.
The trend toward supporting BYOD within organizations is reducing interest in the ‘walled garden’ approach to mobile security (or what Gartner calls the ‘heavyweight approach’). In this model, the IT group adds redundant applications to mobile devices (such as a second e-mail client) in the name of security.
But because this fails to deliver the experience that end users imagined when they bought their new smartphones or tablets, it is unpopular with BYOD adopters. Still, device selection cannot be a free-for-all, and every device that accesses enterprise resources must fall under a policy.
Deployment and use
Provisioning mobile devices, deploying them to end users and managing configurations can be accomplished using software and services that the organization controls. However, there may be limitations based on the diversity of management platforms. Obviously, tools that work well for managing Windows notebooks, such as Microsoft’s Group Policy Objects and a variety of patch management and configuration products, won’t work for notebooks running anything other than Windows. The sheer diversity of options, including two popular notebook operating systems (Windows and Mac OS X) and five major smartphone or tablet platforms (Microsoft Windows, Apple iOS, Nokia’s Symbian, Research In Motion’s BlackBerry and Google’s Android), is one reason that it is important to define a device selection policy.
The device deployment section of a mobile security policy should acknowledge that different devices might have different capabilities when connecting to the enterprise network, and that these capabilities may be driven by the deployment and configuration platforms selected by the organization. For example, an organization that has selected the BlackBerry as its preferred smartphone will gain significant configuration control and mobile-device management through the platform itself. So devices may be granted greater access to organizational applications because the tools to reduce risk are built into the BlackBerry product line. But when a worker shows up with an Apple iPhone or an Android tablet, RIM’s tools do not apply. In this scenario, these devices may be granted a much more restricted view of the organization’s network and applications.
Saying ‘yes’ to every type of mobile device may be desirable. However, the real answer should be ‘yes, but …’ This is because of each device’s unique security capabilities and risk controls. Not every device can or should be given the same access. This issue has to be covered in the device deployment policy.
The device use section needs to cover what is and is not permitted for devices that access corporate data. For organizations that have embraced BYOD, this can be touchy because they are, in effect, telling staff members what they can and cannot do with their personal devices. However, experience has shown that most workers care about security and will make an effort to comply with usage policies if they receive proper training.
Recovery
Finally, the mobile-security policy must address recovery. It needs to answer at least these four questions:
- Who is responsible if a device is lost, and what needs to happen?
- How will devices be upgraded and maintained? (And what happens to unmaintained devices?)
- Who determines when a device should be replaced?
- What happens to devices when they reach end of life?
The answers to these questions will also affect the organization’s acceptable use policy (AUP).
Mobile devices can represent a significant capital and maintenance expense, especially when product lines and pricing make them attractive to staff at every level of the organization. Because mobile devices take a lot more abuse than desktops, they need to be replaced more frequently. A policy that spells out when a device should be replaced will guide users’ expectations and limit confusion.
Management tools
Mobile-device management (MDM) tools offer a dizzying array of options, which make picking the right tool a daunting task. Once an organization’s mobile-security policy is written and the requirements are in place, a dozen products may fit the bill for handling mobile-device management tasks. The first step is to narrow the field by deciding on a delivery method: either through cloud-based software as a service (SaaS) or an on-premise solution. Smaller organizations may lean toward SaaS as a cost-effective approach. When an on-premise solution is appropriate, MDM vendors can deliver preloaded appliances as well as applications that can be loaded on normal enterprise servers. With on-premise solutions, large organizations may want to add scalability and high availability to their evaluation criteria. Several MDM vendors have included these features in their products to help support the growing population of mobile users.
Encryption
Mobile devices are meant to be taken out of the office and on the road, where some are bound to be stolen or misplaced. The rates of loss are staggering — 10,000 cell phones lost each month in Chicago taxi cabs, 50,000 notebooks lost each month in major U.S. airports — which means the odds are pretty good that someone in the organization is going to lose something important. So encryption is a must-have for any mobile device that might hold enterprise data. Although individual applications can encrypt and protect data on hard drives, best practices call for the operating system itself to enforce encryption. This avoids the possibility of an application glitch resulting in failed protection measures and gives IT staff the ability to control encryption across an entire device. Unfortunately, individual devices have different encryption styles and characteristics.
Notebooks running recent versions of Windows and Mac OS X can easily take advantage of whole-device encryption. However, not all smartphones and tablets have the same capabilities. Generally, recent versions of Android and Apple iOS include whole-device encryption. In Apple’s case with iOS (in version 4.0 and above), the encryption is enforced by the hardware and is running all the time. So enabling encryption is just a matter of flipping a few preference bits. For Android devices (in version 4.0, although some devices running 3.0 also have built-in encryption), manufacturers’ settings vary, but most devices come with their encryption turned off. Turning it on may require a wait of an hour or more, depending on how much data is on the internal drive.
Authentication
Much of mobile security’s focus is keeping devices and data safe. But the mobile endpoint isn’t the only system that needs to be protected. When networks are opened so that mobile devices can connect (even using a VPN), they need appropriate controls to make sure only authorized staff members have access. The Trusted Computing Group, an industry standards organization, has designed vendor-neutral architectures to help link mobile devices, authenticated users and network access controls. These product standards are often aimed at LAN users, but they are also ideal for mobile clients, where access control, authentication and endpoint protection enforcement all come together. The most common form of authentication is the password. Although passwords are familiar technology, they are not good at authenticating remote users: passwords are easily shared and stolen. When combined with other authentication methods or access control restrictions, passwords may do the trick.
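The three threads of this paper (access proportional to organizational control, whole-device encryption as a must-have, and passwords being insufficient on their own for remote users) come together at the network access control point. The following Python policy function is an added illustration, not code from the Kaspersky Lab/CDW paper or from any MDM product. The control tiers, access levels, posture field names and the rule that a password-only login never opens the VPN are all assumptions chosen for the example; the sample posture reports are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Control(IntEnum):
    """Degree of organizational control over the device (tiers assumed here)."""
    UNMANAGED = 0     # personal device, not enrolled in MDM
    MDM_ENROLLED = 1  # BYOD device enrolled in MDM; configuration partly enforced
    CORPORATE = 2     # organization-owned, fully configured and managed


class Access(IntEnum):
    """Access levels ordered so that min() yields the more restrictive one (assumed)."""
    NONE = 0      # blocked at the network edge
    WEBMAIL = 1   # browser-only e-mail, nothing synchronized to the device
    STANDARD = 2  # VPN to general business applications
    FULL = 3      # VPN plus sensitive data stores


@dataclass(frozen=True)
class Posture:
    """What an MDM or network access control point reports about a device
    (field names constructed for this example)."""
    device_id: str
    control: Control
    disk_encrypted: bool
    passcode_set: bool
    mfa_used: bool            # a second factor accompanied the password at login
    reported_lost: bool = False


@dataclass(frozen=True)
class Decision:
    access: Access
    reasons: tuple            # why the level was capped, for the audit log


# The paper's principle: access should be proportional to control.
CEILING_BY_CONTROL = {
    Control.UNMANAGED: Access.WEBMAIL,
    Control.MDM_ENROLLED: Access.STANDARD,
    Control.CORPORATE: Access.FULL,
}


def decide(p: Posture) -> Decision:
    """Map one posture report to the access level the network should grant."""
    if p.reported_lost:
        # Recovery policy: a lost device gets nothing until it is wiped or recovered.
        return Decision(Access.NONE, ("device reported lost: revoke credentials and issue remote wipe",))

    access = CEILING_BY_CONTROL[p.control]
    reasons = []
    if p.control != Control.CORPORATE:
        reasons.append(f"control tier {p.control.name} caps access at {access.name}")

    # Encryption is a must-have for any device that may hold enterprise data, so an
    # unencrypted or passcode-less device is limited to access that stores nothing locally.
    if not p.disk_encrypted or not p.passcode_set:
        if access > Access.WEBMAIL:
            reasons.append("no whole-device encryption or passcode: local data storage not permitted")
        access = min(access, Access.WEBMAIL)

    # A password alone is a weak remote authenticator. Assumed rule: the VPN opens
    # only when a second factor was presented.
    if not p.mfa_used:
        if access > Access.WEBMAIL:
            reasons.append("password-only login: VPN access withheld")
        access = min(access, Access.WEBMAIL)

    return Decision(access, tuple(reasons))


def fleet_report(postures) -> dict:
    """Access level per device id, as a NAC dashboard or audit job would tabulate it."""
    return {p.device_id: decide(p).access.name for p in postures}


# Constructed sample posture reports covering the main combinations.
SAMPLE_FLEET = [
    Posture("corp-tablet-01", Control.CORPORATE, True, True, True),
    Posture("byod-phone-07", Control.MDM_ENROLLED, True, True, True),
    Posture("corp-notebook-03", Control.CORPORATE, False, True, True),
    Posture("personal-phone-12", Control.UNMANAGED, True, True, True),
    Posture("corp-phone-05", Control.CORPORATE, True, True, False),
    Posture("corp-tablet-09", Control.CORPORATE, True, True, True, reported_lost=True),
]

if __name__ == "__main__":
    for p in SAMPLE_FLEET:
        d = decide(p)
        print(f"{p.device_id:20} {d.access.name:9} {'; '.join(d.reasons)}")
```

The ordering of the checks matters: the control tier sets the ceiling, and each subsequent check can only lower it, which is why `min()` is used throughout. Keeping the reasons alongside the decision gives the help desk something concrete to tell a BYOD user whose device was limited to webmail, and gives auditors evidence that the policy is enforced rather than merely written.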