Mobile: How to Say 'Yes' Securely

Security Leaders Offer Tips for Securing Employees' Mobile Devices
When Amazon recently announced the pending release of its Android-based Kindle Fire, pre-sales hit 95,000 orders in a single day. How many of these new mobile devices will end up in the workplace when the Kindle Fire hits the streets on Nov. 15?

From smart phones to mobile PCs, the proliferation of Internet-enabled mobile devices is quickly changing how consumers interact and professionals conduct business.

But the mobile phenomenon raises serious questions about security, convenience, productivity and expense - especially as more organizations consider whether to issue mobile devices or allow their employees to bring their own devices to work. Tom Wills, a senior analyst of risk, security and fraud for Javelin Strategy & Research, says there are no simple answers. The mobile market is diverging, with some organizations leaning toward increased use of personal devices, while others are going the opposite direction.

"You're going to see both scenarios, but your more security-conscious organizations, such as banks and government agencies, are going to tend toward requiring a separate, locked-down device," Wills says. "With a company-issued device, you can issue a policy that says users have no rights of privacy over information entering, leaving or stored on the device."

But with an employee-owned device being used in the workplace? A whole different set of issues.

Response to User Demand

Finding the balance between corporate concern and employee flexibility is something the State of Delaware has been working toward since it implemented a new mobile-use program last fall. [See State Battles Data Leakage.]

The Delaware program allows state employees to use personal mobile devices for work-related interactions, such as receiving and sending work-related e-mails. The program's policy has one stipulation, however: Employees must agree to seven controls, some of which allow the state to remotely monitor its employees' mobile interactions.

Elayne Starkey, chief security officer for the state of Delaware, says security policies have helped to standardize mobile-enterprise interactivity. Among Delaware's controls for mobile devices:

  1. Strong passwords;
  2. A remote wipe, if the device is compromised or if the log-on attempt fails more than seven times;
  3. Device encryption, if available.
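The three controls above are the kind of thing an administrator expresses as an Exchange ActiveSync mailbox policy. The following is an added example written for this page, not the State of Delaware's own configuration: it uses the Exchange 2010 cmdlets, and the policy name, mailbox address, minimum password length and idle-lock timeout are assumptions not taken from the article.

```powershell
# Added example (not from the article or the State of Delaware): an Exchange 2010
# ActiveSync mailbox policy expressing the three Delaware controls above.
# "Delaware-BYOD" and jdoe@example.gov are placeholders.

# 1. Strong passwords: required, alphanumeric, no simple patterns, at least 8
#    characters, lock after 15 idle minutes (length and timeout are assumptions).
# 2. Remote wipe after repeated failed log-ons. The article says "more than seven
#    times"; this counter wipes on the Nth failure, so set N to local policy.
# 3. Device encryption "if available": RequireDeviceEncryption asks for it, and
#    AllowNonProvisionableDevices decides whether devices that cannot enforce policy
#    are still allowed to sync. The article's wording suggests Delaware tolerates
#    such devices; $false is the stricter choice and is an assumption here.
New-ActiveSyncMailboxPolicy -Name "Delaware-BYOD" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 7 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox; the device receives the settings on its next sync
# and must accept them before mail flows.
Set-CASMailbox -Identity "jdoe@example.gov" -ActiveSyncMailboxPolicy "Delaware-BYOD"

# Verify the effective settings before rolling the policy out to the whole workforce.
Get-ActiveSyncMailboxPolicy -Identity "Delaware-BYOD" |
    Format-List DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                MinDevicePasswordLength, MaxDevicePasswordFailedAttempts,
                RequireDeviceEncryption, AllowNonProvisionableDevices
```

The point of the last step is that the server only enforces what the device agrees to: a handset that silently ignores the encryption setting will still sync unless non-provisionable devices are refused, so the verification is where the "if available" clause becomes a deliberate decision rather than an accident.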

"We're not trying to be difficult," Starkey says. "We are working to secure and to prevent data leakage and data loss out of the state network."

The University of Alabama at Birmingham Health System has found itself in a similar situation. UAB six months ago launched what it calls a hybrid mobile-use model, one that includes a mix of corporate-issued and personal mobile devices. "Now we are looking at endpoint security," says Terrell Herzig, UAB's information security officer.

Employees want the convenience of carrying one device. But from UAB's perspective, security and legal concerns surrounding lost devices and the inability to remotely wipe devices may trump convenience.

"Right now, we are looking at tools that allow us to set security controls that parallel what we use in our corporate model," Herzig says. Things such as password-protection and agreement between the employee and UAB to allow remote control of the device are minimum requirements.

Most employees just want access to corporate e-mail. But some users want deeper mobile access, such as syncing their mobile devices with corporate databases, and that's a bigger security issue. "We don't allow that in our environment," Herzig says. "We want to keep most of that on a server, not on the mobile device."

But it's easy for employees to get around some of the limitations corporations set, and that should be a serious security concern for enterprises, says Mary Monahan, executive vice president and research director of mobile solutions for Javelin. Dropbox, for instance, which allows users to download documents from the cloud, offers an easy bypass.

"The enterprise can be fully protected, but the mobile device can introduce an unprotected door right through the enterprise's walls," Monahan says. "Enterprises should define and limit the type of data to be stored on mobile phones, thus limiting their exposure and liability."

Strong encryption of whatever data does reach the device is the most effective way to reduce that risk.

A Shift of Burden?

The Delaware and UAB examples illustrate the dilemma organizations face. It's a classic tradeoff between security and usability, says Javelin's Wills.

"You either require separate devices for personal and work-use, enabling stronger security for the company device, or you allow the personal devices, but irritate their owners by seriously clipping their functionality," Wills says.

However, security must be a priority, and organizations can never assume users will have good security habits. "There will always be too many people who jailbreak their phones, write their passwords on the back and fail to update their apps when patches are issued," Wills says.

The other problem: Mobile is a unique technology, and the only entities really equipped to tame it are mobile carriers. It's an interesting conundrum, since mobile carriers have not historically focused on security between mobile users and enterprise networks.

"We're at a crossroads right now," says Mark Grandcolas, CEO and co-founder of FatSkunk, a mobile security startup that's closely watching the evolution of mobile use in the corporate sphere.

Traditional OS patching, which has worked well for PC security, does not translate well to mobile devices. Mobile carriers would have to be charged with distributing patches, and their networks are not set up for patch distribution. "It could take them months to distribute all of that, so you would be exposed for [that time]," he says.

Malware also is difficult to detect on a mobile device. "If you have an anti-virus or malware detection program that is running all the time on your mobile phone, that kills the battery. ... It's a structural difficulty that the existing paradigm has not overcome," says Dr. Markus Jakobsson. [See Mobile Banking: The New Risks.]

A number of emerging mobile security providers are aiming their solutions at carriers as well as corporate enterprises. Overall, these providers offer mobile management solutions that provide an enterprise with a software server that enables tracking employees' phones and phone usage. They also allow enterprises to remotely configure privileges and wipe mobile devices if they are lost or compromised.

Mobile Management Tips

As organizations wrestle with mobile and the question of whether to allow employees to bring their own devices to work, here are some security topics to consider:
  1. Standardize Mobile Options. Securing, supporting, configuring and updating a wide range of mobile devices is difficult and time consuming. It is much easier to designate a standard mobile device or devices for employee use. "Without a standard, it is likely that the administrator will not even know exactly which technologies and software are in use in the organization, making it impossible to take effective action to mitigate threats," Javelin's Monahan says.

    And if a mobile standard is not realistic, organizations should adopt a tiered security structure, which establishes specific levels of access and support for specific devices.

  2. Establish and Enforce Clear Policies. Whether mobile interconnectivity is provided via a pilot, to a small, controlled group or to the entire workforce, once an organization makes the decision to support personal devices, strict policies about data and controls must be set. "Organizations then need to conduct training for employees, to help them understand the risks, and they should have employees sign acceptable-use agreements," says UAB's Herzig.
  3. Malware: Have a Plan B. With mobile malware on the rise, organizations need to be responsive to the risks of certain mobile applications that can infect devices. Mobile carriers can't patch infected mobile devices in a timely fashion, so organizations have to ensure they have plans in place for removing compromised devices from connections to networks and databases.
  4. Know the Hidden Costs. Supplying mobile devices to employees is expensive, but organizations shouldn't be too quick to jump on the 'bring your own device to work' bandwagon. Don't overlook the cost of help-desk support, which could increase if more employees use out-of-network devices. "If the user has a device and there's an issue with it, they're not really going to know if it's an app or software problem," Herzig says. "I think your local help-desk will get the call first, and that's an expense."
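Tip 3 asks for a plan to remove a compromised device from the network, and the earlier remarks from Delaware and UAB both hinge on being able to wipe a device remotely. The following runbook is an added example, not UAB's or the article's own procedure: it uses the Exchange 2010 ActiveSync cmdlets, and the mailbox, device ID and notification address are placeholders.

```powershell
# Added example (not from the article or UAB): a "Plan B" runbook for one compromised
# personal device that syncs mail through Exchange 2010 ActiveSync.
# $Mailbox, PLACEHOLDER_DEVICE_ID and secops@example.gov are placeholders.
$Mailbox = "jdoe@example.gov"

# 1. List every device partnership behind the mailbox, so the action lands on the
#    right handset and not on the user's other phone or tablet.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
$devices | Format-Table DeviceID, DeviceType, DeviceOS, LastSuccessSync -AutoSize

# 2. Select the compromised device by the DeviceID read from that listing.
$bad = $devices | Where-Object { $_.DeviceID -eq "PLACEHOLDER_DEVICE_ID" }
if (-not $bad) { throw "Device not found for $Mailbox; check the DeviceID." }

# 3. Queue a remote wipe. It executes the next time the device contacts the server,
#    so a powered-off device is wiped only when it comes back online.
Clear-ActiveSyncDevice -Identity $bad.Identity `
    -NotificationEmailAddresses "secops@example.gov" -Confirm:$false

# 4. Track the request through acknowledgement; DeviceWipeAckTime stays empty until
#    the device has confirmed the wipe, which is the evidence an incident record needs.
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceID -eq $bad.DeviceID } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. Once acknowledged, block that device ID for the mailbox so a restored or cloned
#    handset with the same ID cannot quietly re-establish the partnership.
Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add = $bad.DeviceID}

# 6. Going forward, quarantine devices the organization has not classified, so an
#    unknown replacement phone is reviewed by an administrator instead of syncing by default.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "secops@example.gov"
```

Step 6 is the organizational half of the plan: the article's point is that carriers will not clean the device for you, so the organization's control is over what the device is allowed to reach, and a quarantine-by-default setting turns "which devices are on our network" from a guess into a list.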

About the Author

Tracy Kitten


Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
