IT’S ALL ABOUT SECURITY:

THINGS TO KNOW BEFORE YOU OPEN THE DOORS TO SMARTPHONES AND TABLETS IN YOUR ENTERPRISE

WHITE PAPER

Mobile devices such as smartphones and tablets used in the enterprise may be putting your corporate information at risk. Lost or stolen smartphones that are not password protected, or information in corporate email or business applications transmitted wirelessly but not encrypted, can all-too-easily expose confidential corporate data. Here are several key strategies to protect your enterprise mobile devices and the sensitive data they contain.

In today’s business world, IT departments are under increasing pressure to support a wide range of mobile devices. iPhone, iPad, and Google Android devices are joining BlackBerry, Symbian and Windows Mobile smartphones in the workplace, and their numbers are increasing exponentially each month.

While some of these mobile devices are provided to employees by the corporation, many are personally owned devices that employees are using to access corporate information. Smart businesses all around the world are embracing this trend and reaping the numerous rewards inherent in increasing mobile access to critical business data.

However, many companies still don’t have a comprehensive security plan in place to handle the influx of mobile devices seeking access to the corporate network. Corporate IT faces numerous challenges in providing applications and services that meet the needs of the roving workforce while protecting sensitive corporate data and email stored on the mobile device.

Lost or jailbroken mobile phones, along with viruses and malware sent via mobile mail applications, can pose significant threats to enterprise information security. Mobile phones by nature are highly portable and can store large amounts of data. Since they are relatively easy to steal or lose, an unauthorized intruder can gain access to confidential information on an unprotected mobile device in the blink of an eye. Unsecured wireless transmissions can also be captured without the user ever knowing a security breach has occurred.

This white paper will outline possible mobile device security threats and review how IT can effectively manage and secure a fleet of devices, whether they are personally owned or corporate owned. By following the strategies outlined in this paper, IT managers will learn what the greatest security risks are for mobile devices and how to effectively protect end users, their devices, and the network infrastructure from attack, harm, or lost data.

MOBILITY ADDS PRODUCTIVITY

Mobile devices have invaded the enterprise. For example, within three days of the release of iPhone 4, Apple had sold an astounding 1.7 million devices, making it the most successful product launch in the company’s history. iPhone 4 is now distributed in 22 countries and is undeniably a global phenomenon.

As this mobile revolution occurs, enterprise support of these devices has reached critical mass. IT departments are faced with a variety of handheld units constantly connecting to an internal network that may—or may not—be equipped to deal with the security issues surrounding mobile devices. More importantly, an IT department without a comprehensive security plan has no way to ensure whether these devices are authorized to access network resources.

Whether IT is ready or not, however, users are connecting to the office network. According to a recent study, “Collaboration Needs Will Fuel A Smartphone Surge,” (Forrester Research Inc. study, published January 2010), three-quarters of information workers are using or are interested in a smartphone for work. And those employees are accessing—or want to access—corporate information.

IT departments are starting to open up parts of the corporate network to mobile phones. Based on data from the Forrester Research report, “Market Overview: Smartphone Management,” almost 60% of firms provide some support to personally owned smartphones.1

What these companies are realizing is that if they allow employees with personally owned devices to access corporate email and other resources, these employees will be more productive. In addition, in today’s economic times, enabling personal devices helps companies offload some of the cost of mobility in the enterprise, because users are paying for these devices themselves.

MOBILE SECURITY RISK LIST

While mobile phones have not yet been targeted by criminals to the extent that laptops have been attacked, smartphones are certainly not immune. While actual incidents of attacks on mobile devices in the enterprise are mostly anecdotal, analysts and security experts all agree that the next few years could be very different, especially if IT departments are unprepared or slow to implement mobile security strategies.

While employees don’t hesitate to use smartphones at work, they are seemingly unaware of the risks associated with storing business information, including corporate email, on their mobile devices.

In a Trend Micro survey published by eWeek Security Watch (September 30, 2009), almost 30 percent of the 1,000 mobile workers interviewed believed their smartphones were less likely to be infected than their computers. And 44 percent did not engage security to protect the devices as they browsed the Web, even though 45 percent stated that they had been infected by malware they received over their mobile phone. Additionally, 23 percent of the survey respondents stated that they did not use security on their mobile devices, even though it was preinstalled.

The shortlist of risks to mobile devices includes:

• Lost or stolen hardware

• Viruses and malware

• Malicious or insecure applications

• Software/OS patches that are out of date

• Spam

• Phishing schemes

• Jailbroken iPhones

• Malicious MMS or SMS messages

• Mobile devices that automatically connect to an unknown Bluetooth device nearby or to an open, unsecured Wi-Fi.

1 “Market Overview: Smartphone Management” written by Benjamin Gray and Christian Kane, with Robert Whiteley, published August 26, 2010, Forrester Research, Inc.

RISING RISK FACTORS

Smartphone attacks are not commonplace. However, as more mobile workers use them for Web browsing and information distribution, the number of incidents is likely to increase. Running sophisticated mobile applications, smartphones are fostering open application ecosystems that mirror the world of traditional desktop and laptop computers, making mobile devices just as vulnerable to malware and information theft.

Adding to the risk are the sheer numbers of mobile devices flooding onto the market. Forrester predicts that 2010 will be the first year in which single-year sales of mobile devices—smartphones, tablets, and e-readers—will eclipse PC sales in the U.S. The researchers forecast mobile device sales to be 66 million units, compared to 55 million PCs sold. 2

As the number of smartphones skyrockets, so does the level of concern over security of these devices in the enterprise. A June 2010 survey of enterprises called, “Waves of Change in Enterprise Mobility,” by The 451 Group revealed that two-thirds of respondents were either “highly concerned” (23 percent) or “moderately concerned” (44 percent) about a mobile security breach.

The report notes that smartphones are becoming the primary portal for apps, including mobile banking and email. Therefore, the data stored on and traveling across these devices will increase in value, moving them higher on the target list for data thieves.

ATTACK BY APPLICATION

While an off-the-shelf iPhone or Android phone is relatively safe, the applications a user chooses to put on the phone can render it unsafe. Security experts predict that iPhone and BlackBerry users will be far less prone to attack than other mobile devices, mostly due to the stringent app distribution requirements enforced at the Apple App Store and BlackBerry App World. Neither Apple nor RIM allows unapproved applications on its platform, and developers’ apps have to be individually approved for distribution.

However, if a user chooses to compromise, unlock or “jailbreak” the mobile device, then the phone is vulnerable to anything the user downloads, which could put all information stored on the phone, including corporate data and email, at risk.

2 “Forrester Research eReader Forecast, 2010 to 2015 (US)” written by Ed Kahn, published June 7, 2010, Forrester Research Inc.

Users need to be very selective about which programs they choose to run on their smartphones. The first security breaches via rogue apps have already occurred. According to SC Magazine For IT Security Professionals (January 11, 2010), applications designed to steal banking credentials from users were discovered in Google’s Android Market online software store in early 2010. Developed by someone with the alias of Droid09, the apps were disguised as legitimate mobile banking apps and used bank names (without permission) to get users to download and install the application. Once loaded, the apps used phishing techniques and enticed mobile users to submit confidential account information to a bogus bank site.

Because smartphone apps pose a risk, IT departments often choose to deny access to corporate applications to mobile devices in the enterprise. In a Zogby International survey, 69.4 percent of respondents felt that they had access to less than 10 percent of work data on their mobile device. And 72.3 percent felt they had less than 10 percent of access to their company’s applications, such as spreadsheets, email, and CRM tools.

In addition to application attacks, MMS and SMS functions have also been sources of harm. The “Sexy View” smartphone worm attacks that targeted Nokia phones in 2009 started with a simple text message inviting users to view pictures. When they did, the worm was able to take over the phones much like a botnet takes over a computer. The users were dialed into a Trojan that captures subscriber, phone, and network information and transmits it to a website.

While these attacks were documented and mostly eradicated, the incidents demonstrated the vulnerability of unsuspecting smartphone users to application-based as well as MMS and SMS-based attacks.

Security experts still consider the main threat to information as lost or stolen devices. Although estimates vary widely, In-Stat reports that more than 8 million cell phones are lost each year, making mobile phones, especially smartphones with corporate data, a security breach just waiting to happen.

As a starting point, mobile devices used in the enterprise contain at least this minimum set of security features:

• Password enforcement

• Password retry limit

• Device encryption

• Over-the-air remote wipe/kill capability

• Mobile device management tool

PROTECTING DEVICES & DATA

Even though mobile security breaches occur from a variety of causes, the primary challenge for IT departments with mobile devices in the enterprise is consistent: remote management and data protection. Protecting the information on the devices requires IT to understand the many ways security can be compromised. Providing a bullet-proof strategy requires mobile security policies and functions, security-aware employees, and a comprehensive set of mobile device management tools.

MOBILE USAGE POLICY

One of the most important first steps in protecting mobile devices in the enterprise is establishing a mobile governance policy. This begins by IT clearly establishing, documenting, and enforcing a mobile governance and usage policy that encompasses all mobile devices and platforms. Once this is complete, IT must educate staff and help employees understand the mobile device usage policy. IT staff, management, and employees should all know what to do about, and how to respond to, security issues and concerns related to their mobile devices.

IT departments are no strangers to creating and enforcing rules and regulations. These can cover everything from how often users need to change their passwords to what software needs to be installed on each workstation. These policies are absolutely critical to protect the physical network and ensure that intellectual property remains safe.

IT departments should be proactive about managing smartphones, tablets, and other mobile devices throughout their lifecycle, from activation out of the box all the way through to when they are taken out of production. If you think of mobile governance as a strategic initiative within your organization, it will more likely be accepted and followed by the users. If you don’t document the policy, users may not understand when—or why—they have restricted access to corporate information.

When writing these policies, consider provisioning by department or group. In today’s workplace, individuals often fill a variety of roles and responsibilities. Depending on their role within the organization, each of these groups will likely have different requirements when it comes to mobile communications; IT therefore needs to recognize very quickly that one size does not fit all.

An approach to mobile governance that marries user education and technical capabilities is absolutely critical to maintain the integrity of enterprise resources, and one way to do this is to get the word out to all workers who touch the network on what exactly they can and can’t do. Organizations need to clearly publicize policies for their users; specifically, IT should create different policies for different user groups. These policies should be given directly to employees, who should then have a chance to review them.

Alongside user education, it’s critical to have the technology to back up the policy governing mobile devices on the network. As mentioned previously, a mobile management platform that supports multiple device types can help IT ensure mobile devices are in compliance with policy.

DEPLOYMENT AND SECURITY CONFIGURATION

To help enforce mobile governance policies among users and platforms, IT departments can set up specific security configurations or device profiles. Using mobile management platforms, IT can control security from the start: during hardware distribution (if the corporation deploys phones to its employees). If the company has a mix of personally and corporate-owned smartphones, IT may assign and rely on configuration profiles for users or a group of users. This allows for bulk provisioning of a mobile fleet, which can save valuable IT resources.

Configuration profiles are a key component of mobile management tools available for most device platforms. RIM’s BlackBerry platform has had mobile device management tools almost from the start, and Apple now has mobile device management (MDM), a set of APIs that third-party vendors can extend to a device management platform. Those functions help IT more easily deploy, manage, and monitor iPhones using iOS 4.

However, different smartphone models and platforms sport very different features and management capabilities. So using a third-party device management platform may be the best way to ensure configuration consistency across multiple platforms and devices in use in the enterprise. While the configuration parameters will vary widely, the goals for the IT department are the same: Set as many parameters as needed to ensure that the known vulnerabilities in the devices are successfully locked down.

When building configuration profiles, IT can specify details about Exchange or POP/IMAP mail servers, VPN settings, Wi-Fi networks (including those requiring authentication), LDAP directories, calendars, carrier settings, and digital certificates. IT can also determine whether a user can remove or in any way alter or change their assigned configuration profile.

To cover all the possible ways information security could be compromised on a mobile device, IT may decide that the configuration profile needs to restrict access to specific device functions. That may include: application installation; the phone’s camera; GPS; Bluetooth; screen captures; automatic mail synch while roaming; or voice dialing while the phone is locked. A strict, high-security policy may also keep mobile users from launching a browser, YouTube, or (if on iPhone) the iTunes Store or App Store.

SECURITY ENFORCEMENT

Once the mobile devices are provisioned and configured for the enterprise, IT may realize not only better policy enforcement, but reductions in ongoing security and support costs. This is especially true if they use a centralized management tool that allows distribution of application and OS upgrades directly to remote users.

For example, Baloise Insurance in Switzerland installed a self-service portal that allows employees to synchronize their mobile device of choice. Around 300 users registered at the portal without any assistance from their IT support department. The project paid for itself in the first week, according to the company.

The portal concept streamlined setup and security configurations and virtually eliminated the need for additional training and support for mobile devices. In fact, Baloise Insurance estimated that by using the portal and allowing employees to use their personally owned devices, the number of calls to the help desk dropped by more than 50 percent compared to previous technology rollouts.

APPROVED, SECURE APPS FOR MOBILE

Since attack by application is an ongoing threat, mobile users in the enterprise may need guidance on which mobile applications might be of greatest use for productivity and are approved by IT. Otherwise, an employee may read numerous reviews in a quest for the perfect calendar or contact management app. Sorting through 100,000 apps and related reviews in the iTunes App Store isn’t really the best use of their time.

A smart IT department makes the choice easier—and the employee more productive. IT can create self-help tools, such as internal user groups or FAQs that provide quick, and trusted, answers to common questions. IT can also narrow search times for apps by setting up a corporate app store or proactively controlling application deployment to users’ devices. Applying restrictions to application downloads—which ones are allowed and which ones might pose a significant risk—will help secure the mobile enterprise.

CONCLUSION

Threats to enterprise data are an ongoing occurrence. With the burgeoning number of smartphones and other devices connecting to the enterprise, these mobile tools may be the easiest entry point for criminals to gain access to confidential corporate information.

To lessen the threat of security breaches or loss, IT departments need to:

• Be aware of all types of threats to mobile devices, including device loss, malware, bugs, and out-of-date mobile OS software

• Create mobile governance policies that emphasize security; educate employees on how to adhere to those rules

• Use a mobile management platform that allows IT to centrally deploy, configure, and manage a fleet of multi-platform mobile devices (whether personally owned or company-purchased)

• Use mobile management tools that offer IT visibility into device status, so security breaches can be quickly and automatically shut down

• Restrict or limit known vulnerabilities, including application download, camera, Bluetooth, or Wi-Fi

• Implement a portfolio of device security tools that include alphanumeric passcodes, authentication, encryption, and remote wipe

• Control download and installation of any apps that give users access to corporate information.

By following these strategies, IT managers can effectively protect end users, their devices, and the network infrastructure from attack, harm, or lost data.

www.sybase.com

Sybase, Inc.
Worldwide Headquarters
One Sybase Drive
Dublin, CA 94568-7902
U.S.A
1 800 8 sybase

Copyright © 2010 Sybase, an SAP Company. All rights reserved. Unpublished rights reserved under U.S. copyright laws. Sybase, and the Sybase logo, are trademarks of Sybase, Inc. or its subsidiaries. ® indicates registration in the United States of America. SAP, and the SAP logo are the trademarks or registered trademarks of SAP AG in Germany and in several other countries. All other trademarks are the property of their respective owners. 11/10 L03305

AVOID SECURITY BREACHES WITH A MOBILE MANAGEMENT PLATFORM

Sybase Afaria provides remote wipe functions and wireless delivery of updates and patches to protect information, apps, OS, and hardware.

Afaria helps IT with remote management as well as data protection for a multi-platform fleet of mobile devices. By running Afaria, IT can ensure that data and content accessed in the mobile environment is backed up. IT can also delete that data if a device is lost or stolen. Sensitive data on devices is encrypted with Afaria, and security policies are not left to user discretion; they are centrally enforced by IT. With device management tools in place, IT can be confident that sensitive company information is secure outside the office.

Since mobile OS upgrades require consistent—and timely—fixes and patches, IT needs the ability to deliver fixes and refreshes to mobile users wherever they may be, in or out of the office.

Mobile device management platforms also provide application reliability. With Afaria, IT can add, update or remove applications, data and content without the users’ involvement. Mobile workers will have the correct software and data in the field, which can be critical in industries such as utilities or healthcare where mobile workers may be responding to outages or emergencies that require real-time information. For employees to maximize their mobile devices, they have to be confident that the data is up-to-date and the platform and OS is reliable.

And most importantly, in the instance of a security breach, companies that use Afaria can perform a full device wipe remotely, which is critical in the case of lost devices. By using a mobile management platform, IT can also separate “work and play” information on a user’s mobile device.

ADDED LAYERS OF PROTECTION

Device management tools can extend security beyond the minimum requirements, which can be critical to mitigate security breaches that occur due to user error or outside attacks. For instance, with Afaria, IT managers who have iPhones in the enterprise can enforce encrypted backups to iTunes. Even if sensitive data is backed up to a personal computer (vs. a corporate PC), that information will be encrypted.

Afaria also allows IT to mandate strong password policies on the mobile devices, so unauthorized users cannot easily access information, apps, or an address book that may have client or customer contact information. IT can make the decision whether a simple or alphanumeric passcode with special characters is required for login, how long a passcode can be used, and the length of time before automatic locking on the device takes place. IT can also control the number of failed passcode attempts allowed before the device is automatically wiped.

Afaria also provides key reporting tools that give system administrators insight into the state of individual devices. With these reports, an administrator can determine which devices are hardware encryption-enabled, so they do not distribute valuable corporate assets to non-encrypted mobile devices. Those reports also show if any smartphones have been unknowingly compromised, or worse yet, jailbroken by the user. In that case, IT could take remedial action, including automatically blocking access to corporate email or mobile CRM applications. Reports also keep a log of device usage, so IT managers can look for and identify abnormal usage patterns.
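The report-driven enforcement described above (check each device for the minimum feature set, then block or remediate) can be sketched as a small compliance gate. This is an added example, not Afaria's code or report format. The record fields, the numeric thresholds, the violation names, and the sample fleet are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed thresholds: the paper names these controls but gives no numbers.
MAX_FAILED_ATTEMPTS = 10   # failed passcode attempts allowed before auto-wipe
MAX_AUTOLOCK_MINUTES = 5   # idle minutes before the device locks itself

# Findings that cut off corporate email/CRM access outright (assumed split).
BLOCKING = {"jailbroken", "no_hardware_encryption", "no_remote_wipe", "no_passcode"}


@dataclass(frozen=True)
class DeviceReport:
    """One row of a device-status report (hypothetical field names)."""
    device_id: str
    platform: str
    owner: str                        # "corporate" or "personal"
    passcode_set: bool
    alphanumeric_passcode: bool
    failed_attempts_before_wipe: int  # 0 = no retry limit configured
    autolock_minutes: int             # 0 = auto-lock disabled
    hardware_encryption: bool
    remote_wipe_enrolled: bool
    jailbroken: bool


def violations(d: DeviceReport) -> list[str]:
    """Return every policy finding for one device, most severe first."""
    found = []
    if d.jailbroken:
        found.append("jailbroken")
    if not d.hardware_encryption:
        found.append("no_hardware_encryption")
    if not d.remote_wipe_enrolled:
        found.append("no_remote_wipe")
    if not d.passcode_set:
        found.append("no_passcode")
    else:
        # Passcode quality only matters once a passcode exists at all.
        if not d.alphanumeric_passcode:
            found.append("simple_passcode")
        if not 0 < d.failed_attempts_before_wipe <= MAX_FAILED_ATTEMPTS:
            found.append("weak_retry_limit")
        if not 0 < d.autolock_minutes <= MAX_AUTOLOCK_MINUTES:
            found.append("weak_autolock")
    return found


def decide(d: DeviceReport) -> str:
    """Map findings to an action: 'block', 'remediate', or 'allow'."""
    found = violations(d)
    if any(v in BLOCKING for v in found):
        return "block"
    return "remediate" if found else "allow"


def evaluate(fleet: list[DeviceReport]) -> dict[str, tuple[str, list[str]]]:
    """Apply the same rules to every device, personal or corporate."""
    return {d.device_id: (decide(d), violations(d)) for d in fleet}


# Constructed sample inventory, not real report data.
SAMPLE_FLEET = [
    DeviceReport("dev-001", "iOS", "corporate", True, True, 8, 3, True, True, False),
    DeviceReport("dev-002", "Android", "personal", True, False, 0, 15, True, True, False),
    DeviceReport("dev-003", "iOS", "personal", True, True, 8, 3, True, True, True),
    DeviceReport("dev-004", "Symbian", "corporate", False, False, 0, 0, False, True, False),
]

if __name__ == "__main__":
    for device_id, (action, found) in evaluate(SAMPLE_FLEET).items():
        print(f"{device_id}: {action:9s} {', '.join(found) or 'compliant'}")
```

Keeping the blocking findings separate from the remediable ones lets a weak passcode setting trigger a profile push without cutting the user off, while a jailbroken or unencrypted device loses access immediately.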