
Managing mobile devices


MOBILE DEVICES

Computer Fraud & Security, April 2009, p. 18

John Fitzgerald, CEO, Beyond Encryption

Mobile working is on the rise. The number of mobile workers is set to exceed one billion by 2011, and this is because mobile working makes workforces more flexible and efficient, and it has even been credited with boosting morale.[1] Mobile working also helps businesses boost competitive advantage, as devices are used to increase collaboration by providing third parties such as partners and consultants with access to the corporate network.

However, as is usually the case, with every positive there is a negative. The amount of data stored on mobile devices means that if the device becomes compromised, the average financial cost is £47 per record breached. In addition to this, 36% of breaches result from mobile devices going missing or being stolen.[2] By 2012 it is estimated that almost three quarters of the global workforce will be mobile, which means millions of mobile devices will be used to access corporate networks outside the safety of the corporate perimeter.

Businesses must keep using mobile devices to remain competitive, but they also need to have more control over both the data and the mobile device itself. With figures recently released by the UK Government indicating that more than 50 mobile devices were lost in 2008, it is clear that a more proactive approach to securing mobile devices is needed.

Whilst most enterprises do take proactive steps to protect their PCs, mobile devices are often not treated with the same due diligence. This is surprising considering the mobile handset has become one of the most valued possessions at a personal and professional level. In fact, more than 80% of executives are constantly connected via mobile devices, according to executive research firm Korn/Ferry International. There has been huge uptake of new mobile devices such as the iPhone, initially for personal use but increasingly for business use. With its recognised lack of basic security standards, such as VPN, encryption, passwords, security manageability and remote-kill capabilities, it really begs the question: is mobile device security being considered early enough in today's mobile-driven professional world?

The rapid evolution of mobile devices means that as they become more complex, the job of trying to secure them also becomes more difficult. For example, smart phones are built on more common and open platforms, and a single handset can work across multiple networks, requiring relevant security applications to deal with them.

Well-known PC security vendors have launched mobile security products, and whilst such products do provide some protection, the reality is that traditional PC security cannot simply be transferred to the mobile world, where the challenges are very different and often much more convoluted.

Complex threat landscape

The threats in the mobile device space are not usually traditional viruses, which are highly virulent and can easily be detected. Instead, rogue and incorrectly written applications can cause significant revenue loss, but they do not meet the PC security vendors' definitions of viruses and so are excluded from their AV clients.

The very nature of mobile devices means that one of the biggest threats enterprises are exposed to is the threat of insiders or trusted individuals with access to the corporate network. This can be malicious or accidental. Mobile devices can be lost or stolen, and authorised users who send out sensitive information can also disregard security policies (if they are in place), regardless of controls such as NAC and DRM.

Therefore, encryption is not effective on its own, as the insider already holds the password or key needed to unlock the encryption. Mobile devices left unmanaged can become vulnerable to corporate data leakage, compliance issues and a complete downturn in confidence.

Protecting sensitive information on mobile devices is a complex task. Keeping track of what files are being accessed, what company materials have been downloaded and managing third parties who may have access to your corporate network through a mobile device all add up to become quite a headache for IT directors.

Administrators' lack of direct access to mobile devices is an ongoing issue; being able to audit devices remotely is vital to meet various regulations, including BS 7799/ISO 27001. Device-management features that enforce passwords and can remotely lock and wipe devices are also important for this reason.


Weapons to combat mobile security threats

Enterprises must make sure they are on the offensive to combat the security threats posed by mobile devices. Managing these devices should be looked at in the same way as managing a network. If enterprises can control what people are plugging into their network, then they can control the security of their overall network.

Ensuring that VPN and authentication or authorisation software for remote access is correctly configured is just one way of addressing lost or stolen mobile devices. To manage mobile devices effectively and securely, the policies set should include authentication through VPN, the use of WPA2 for wireless authentication, and remote termination and encryption/decryption using the AES-256 cipher. These are necessary for all handhelds accessing the corporate network.

Defending against the unknown may not seem like a priority, but sensitive information taken from a secure corporate environment to a mobile device is somewhat like water in a container - it will seek the easiest means to leak out. The Ministry of Defence has lost over 650 laptops over the last four years, so it's not surprising to see the likes of IDC predicting that the information protection control (IPC) market will grow to £2.1 billion by 2011, which is probably a conservative estimate.


The most effective way to mitigate mobile security threats is to deploy a network-level security solution to protect their infrastructures. Users do not want the extra expense and headache of managing the security on their handset. Enterprises must take responsibility for keeping sensitive information on mobile devices safer. After all, their reputations are on the line if the data becomes compromised. Taking a proactive approach will keep mobile handsets free from power-hungry handset security clients, mobile malware and the rogue applications that cause user frustration and dissatisfaction.


Filtering unwanted Service Set Identifier (SSID) networks gives administrators more control, which is useful in areas where there are multiple wireless networks. Also, enforcing wired access during software client configuration in automatic mode eliminates bridging or packet data storms between wired and wireless networks.
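The controls listed above and in the policy paragraph (VPN, WPA2, AES-256, remote termination, enforced passwords, SSID filtering, no wired/wireless bridging) can be checked mechanically against a device inventory. The following is an added example, not code from the article or from Beyond Encryption; the record layout and field names are assumptions rather than any vendor's MDM API.

```python
# Added example, not from the article: check device posture records against the
# controls it lists (VPN, WPA2, AES-256, remote termination, passwords, SSID filtering,
# no wired/wireless bridging). Field names are assumptions, not any vendor's MDM API.
from dataclasses import dataclass, field

ALLOWED_SSIDS = {"corp-wlan", "corp-guest"}   # administrator-approved SSIDs (constructed)

@dataclass
class Device:
    device_id: str
    vpn_configured: bool
    password_enforced: bool
    remote_wipe: bool
    storage_cipher: str                           # e.g. "AES-256", "AES-128", "none"
    wireless: list = field(default_factory=list)  # [(ssid, auth_mode), ...]
    wired_active: bool = False
    wireless_active: bool = False

def evaluate(dev: Device) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if not dev.vpn_configured:
        findings.append("vpn-missing")
    if not dev.password_enforced:
        findings.append("password-not-enforced")
    if not dev.remote_wipe:
        findings.append("remote-wipe-unavailable")
    if dev.storage_cipher.upper() != "AES-256":
        findings.append("weak-storage-cipher:" + dev.storage_cipher)
    for ssid, auth in dev.wireless:
        if ssid not in ALLOWED_SSIDS:                 # SSID filtering
            findings.append("unapproved-ssid:" + ssid)
        elif auth != "WPA2":
            findings.append("weak-wireless-auth:" + ssid + ":" + auth)
    if dev.wired_active and dev.wireless_active:      # both links up can bridge the networks
        findings.append("wired-wireless-bridge")
    return findings

def non_compliant(devices) -> dict:
    """Map device id to violations for every device failing at least one control."""
    return {d.device_id: f for d in devices if (f := evaluate(d))}

# Constructed sample inventory: one compliant handset, one failing several controls.
SAMPLE = [
    Device("hh-001", True, True, True, "AES-256", [("corp-wlan", "WPA2")]),
    Device("hh-002", False, True, False, "AES-128",
           [("cafe-free", "open"), ("corp-wlan", "WEP")],
           wired_active=True, wireless_active=True),
]
```

Calling `non_compliant(SAMPLE)` reports only `hh-002`, with one finding per failed control, which is the per-device audit record the article says administrators need to produce remotely.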

Locking down perimeter security

It's a constant worry to see that today's security strategies rely on enabling policy-driven data. The hassle of complicated passwords is a nuisance to employees. Enterprises look to encryption as the solution to protect data from the external threat, and this can work if deployed and used correctly. Devices need to be shut down, however, for the technology to engage and be effective, and of course there is the need for stronger password authentication. Two-token authentication is a popular choice for enterprises today.

Whether we like it or not, de-perimeterisation is happening, and the business and operational drivers for this are already in existence. The growth of mobile devices means enterprises are burdened with applications bypassing perimeter security, in addition to the number of shared applications across the business. The focus now needs to be on how enterprises can proactively defend their sensitive data from both the internal and external threat. The endpoint is now a critical security vector because so much sensitive data resides there.

While managing mobile devices may seem like an insurmountable problem, solutions do exist that can take the pain away while also ensuring flexible working can remain a core strategy for businesses. To sustain control over mobile devices without disrupting employees, the solution lies within endpoint technology. Allowing secure management of mobile devices enables enterprises to terminate, freeze or track data with pinpoint accuracy, regardless of location, providing powerful ammunition in the fight against mobile device threats.

References

1. IDC Predicts the Number of Worldwide Mobile Workers to Reach 1 Billion by 2011, IDC, Jan 2008. <www.idc.com/getdoc.jsp?containerId=prUS21037208>

2. 2007 Annual Study: UK Cost of a Data Breach, Ponemon Institute. <http://www.encryptionreports.com/>