Mobile devices and hidden threats
For my first blog around mobility for business, I thought that the basic security experience is a good point to start with.
In this "hyper techno-world", mobility is being promoted in a broad sense: how useful it can be and how it will improve your productivity and reactivity. Many are also predicting the end of traditional ways of working and a switch from an 8-to-5 job to always being connected.
As we are all "important" ;=)) and require the latest electronic mobile gadgets, a couple of months ago I decided to get a brand new tablet in order to test the promising new applications and capabilities that have been hyped up.
A couple of days after installing the only corporate-approved application (MS Exchange), I started to browse the application store and installed completely unsecured and unapproved applications such as Dropbox, Google apps, SIP/video applications, games, file-sharing, etc. For most of them, this included the capability for the application to access sensitive data.
To make this point, and using the NetQin security tool, you can see a fairly scary example of applications accessing various parts of my device:
- 22 applications accessing my address book
- 4 applications accessing my SMS and mail
- 27 applications accessing my location
- 37 applications accessing my device information
So, even if an application seems benign, by giving it access to data stored on a device that is sometimes connected to corporate information (such as the corporate directory), the user's device -- and thus the enterprise -- is potentially vulnerable to spyware, malware, viruses, etc.
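The permission audit behind the counts above can be reproduced in a few lines. The following is an added example, not code from the original post or from the NetQin tool. It assumes Android-style permission names (real Android permission strings; the mapping from permissions to the four data classes is illustrative, not a complete taxonomy) and a constructed app inventory. It goes one step beyond the headline counts by flagging apps that hold a sensitive permission their stated purpose does not need, which is the question a reviewer actually wants answered.

```python
"""Audit which installed apps can reach sensitive data classes.

Added example, not from the original post or NetQin. The input format is
constructed: a mapping of app name -> declared permissions, using
Android-style permission names.
"""
from collections import defaultdict

# Sensitive data classes, matching the four the post's NetQin report counted,
# mapped to Android permissions that grant access to them.
# Assumption: this mapping is illustrative, not a complete taxonomy.
SENSITIVE_CLASSES = {
    "address book": {"android.permission.READ_CONTACTS",
                     "android.permission.WRITE_CONTACTS"},
    "SMS and mail": {"android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "device information": {"android.permission.READ_PHONE_STATE"},
}


def audit(apps):
    """Return {data class: sorted list of apps that can access it}."""
    hits = defaultdict(list)
    for app, perms in apps.items():
        granted = set(perms)
        for cls, needed in SENSITIVE_CLASSES.items():
            # Any one permission from the class is enough to reach that data.
            if granted & needed:
                hits[cls].append(app)
    return {cls: sorted(hits[cls]) for cls in SENSITIVE_CLASSES}


def summarize(apps):
    """Return {data class: count}, i.e. the headline numbers in the post."""
    return {cls: len(names) for cls, names in audit(apps).items()}


def over_privileged(apps, expected):
    """Apps granted a sensitive class their stated purpose does not need.

    expected: {app: set of data classes the app legitimately needs}; an app
    absent from `expected` is treated as needing none of them.
    """
    flagged = {}
    for cls, names in audit(apps).items():
        for app in names:
            if cls not in expected.get(app, set()):
                flagged.setdefault(app, []).append(cls)
    return {app: sorted(classes) for app, classes in flagged.items()}


# Constructed sample inventory (hypothetical apps, not real manifests).
SAMPLE_APPS = {
    "corp-mail": ["android.permission.READ_CONTACTS",
                  "android.permission.INTERNET"],
    "sip-phone": ["android.permission.READ_CONTACTS",
                  "android.permission.RECORD_AUDIO",
                  "android.permission.READ_PHONE_STATE"],
    "puzzle-game": ["android.permission.ACCESS_COARSE_LOCATION",
                    "android.permission.READ_PHONE_STATE",
                    "android.permission.INTERNET"],
    "file-share": ["android.permission.READ_SMS",
                   "android.permission.READ_CONTACTS",
                   "android.permission.INTERNET"],
}

# Constructed statement of what each app legitimately needs.
SAMPLE_EXPECTED = {
    "corp-mail": {"address book"},
    "sip-phone": {"address book", "device information"},
    "puzzle-game": set(),
    "file-share": set(),
}

if __name__ == "__main__":
    for cls, n in summarize(SAMPLE_APPS).items():
        print(f"{n} applications accessing my {cls}")
    for app, classes in over_privileged(SAMPLE_APPS, SAMPLE_EXPECTED).items():
        print(f"review {app}: {', '.join(classes)}")
```

On the constructed inventory, the game and the file-sharing app are the ones flagged: neither has a reason to read location, phone state, SMS or contacts, which is exactly the pattern the post's counts hint at but cannot show per app.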
Most people working in IT acknowledge that adding tablets and smartphones to the corporate ecosystem, aka a bring-your-own-device (BYOD) policy, introduces many threats that need to be taken extremely seriously, and without delay, before talking about any potential business opportunity.
Some food for thought around security before letting new devices access corporate data:
- authenticated access -- If a tablet is lost, stolen or left unattended, enforcing native, device-level authentication (PINs, passwords) can reduce the risk of a stored-data breach or of misuse of the device's applications and connections.
- anti-loss measures -- Native remote lock, find and wipe capabilities can often be used to recover a lost device or permanently prevent it from becoming a security liability, including devices issued to employees who have left the organization.
- authorization -- Mobile operating systems support native techniques like code signing, application data protection, and device feature restrictions that enterprises can use to reduce the risks posed by mobile malware or inappropriate use. Devices don't come with native anti-virus, anti-spam, or intrusion detection, but these can be obtained from third parties.
- data protection and encryption -- Mobile operating systems provide native support for securing data traffic, including SSL and selected VPN protocols.
- device management -- Various solutions exist (Afaria, MobileIron, 3LM…) to centrally provision and control tablets and smartphones, enforce their security settings, manage applications and monitor their usage.
To wrap this up, I would reinforce the point that, prior to seeing mobile devices as an opportunity, top-down mobile security enforcement is becoming a must-have for any secured corporate mobile usage.
February 22, 2012
Phillipe,
You pose really excellent questions here, especially since mobile devices are being integrated within a work space now more than ever. The uses of tablets and mobile devices are really limitless and we can expect to see the rapid rise become even faster in the future. As new technology arises, there will always be questions of security. Since businesses cannot exactly stop this kind of production or even the engagement by consumers, they have to cleverly embrace it. They should provide rules and regulations, and even try to protect using passwords. There are applications that have been developed that only businesses can access using passwords, in the case that one of these devices is stolen. Measures can be taken as long as the company views this seriously. Thank you for this great post!
January 9, 2012
Hello Renaldo,
Mobile applications are related to business processes and the way you reach the corporate information you wish to have "over the air".
In my post, I was just raising the point that BYOD is, we all agree, a very dangerous thing but, whether we like it or not, it is coming like a tsunami. Now the question is no longer "shall we accept it or not" but "how do we manage it" in order to minimize the risk.
Have a nice day, all.
January 8, 2012
Renaldo Catanzariti
Hi Phillipe,
Interesting article; especially with the rise of smartphones and tablets (iPad), many people are looking into this area. However, the problem with BYOD, as you know, is that it causes a big strain on IT support and security issues for non-managed mobile devices.
Hence, for enterprises it may well be better to develop their own apps and/or deploy IT-managed devices. These mobile devices are essential tools in today's business market and cannot be ignored.