In this "hyper techno-world", mobility is being promoted in a broad sense: how useful it can be and how it will improve your productivity and reactivity. Many are also predicting the end of traditional ways of working and a switch from an 8-5 job to always being connected.
As we are all "important" ;-) and require the latest electronic mobile gadgets, a couple of months ago I decided to get a brand new tablet in order to test the promising new applications and capabilities that have been hyped up.
A couple of days after installing the only corporate-approved application (MS Exchange), I started to browse the application store and installed completely non-secured and unapproved applications such as Dropbox, Google apps, SIP/video applications, games, file-sharing, etc., and for most of them, this included the capability for these applications to access sensitive data.
To illustrate this point, using the NetQin security tool, you can see a fairly scary example of applications accessing various parts of my device:
- 22 applications accessing my address book
- 4 applications accessing my SMS and mail
- 27 applications accessing my location
- 37 applications accessing my device information
So, even if an application seems to be benign, by giving it access to data stored on a device, which is sometimes connected to corporate information (such as the corporate directory), the user's device -- and thus the enterprise -- is potentially exposed to spyware, malware, viruses, etc.
Most people working in IT acknowledge that adding tablets and smartphones to the corporate ecosystem, aka a bring-your-own-device (BYOD) policy, introduces many threats that need to be taken extremely seriously, and without delay, before talking about any potential business opportunity.
Some security food for thought before letting new devices access corporate data:
- authenticated access -- If a tablet is lost, stolen or left unattended, enforcing native, device-level authentication (PINs, passwords) can reduce the risk of a stored-data breach or of misuse of the device's applications and connections.
- anti-loss measures -- Native remote lock, find and wipe capabilities can often be used to recover a lost device or permanently prevent it from becoming a security liability, including devices issued to employees who have left the organization.
- authorization -- Mobile operating systems support native techniques like code signing, application data protection, and device feature restrictions that enterprises can use to reduce risks posed by mobile malware or inappropriate use. Devices don't come with native anti-virus, anti-spam, or intrusion detection, but these can be obtained from third parties.
- data protection and encryption -- Mobile operating systems provide native support for securing data traffic, including SSL and selected VPN protocols.
- device management -- Various solutions exist (Afaria, MobileIron, 3LM…) to centrally provision and control tablets and smartphones, enforce their security settings, manage applications and monitor their usage.
To wrap this up, I would reinforce the point that, prior to seeing mobile devices as an opportunity, top-down mobile security enforcement is becoming a must-have for any secure corporate mobile usage.
Philippe