MOBILE SECURITY ROCK SOLID OR AT RISK?

Transcription

1 MOBILE SECURITY Today s handheld devices offer remarkable opportunity along with significant risk. Sound security practices are paramount. ENTERPRISE MOBILE SECURITY ROCK SOLID OR AT RISK? ver the last few years, a not-so-quiet revolution in computing has unfolded. Smartphones and tablets have transformed business and provided ways for employees, business partners and customers to access, manage and use data in new and noteworthy ways. It s safe to say that this new mobile order has created enormous opportunities. However, it s also ratcheted up the risks to the enterprise with data increasingly flowing outside the organization and residing on numerous devices. To be sure, managing mobility is no minor challenge. As the bringyour-own-device (BYOD) movement takes shape and employees use their own smartphones, tablets and notebooks to access enterprise data often from public Wi-Fi hotspots it s critical to put robust security protection in place and ensure that data doesn t wind up lost or stolen. How can an organization maximize the potential of mobile technology while minimizing the risk of a security lapse or data breach? While the solutions vary, one thing is certain. Organizations that adopt a best practice approach using a wide variety of tools and technologies 10

2 ranging from virtual private networks (VPNs) and virtual desktops to mobile device management (MDM) systems are far more likely to succeed. Connecting to Security Over the last few years, enterprise IT has changed more profoundly than at any point since the introduction of the personal computer. In the past, organizations held the reins and decided which devices would be used and how they would access data. Today, employees aren t just asking to use smartphones and tablets, they re demanding them and in many cases bringing their own devices into the enterprise. Corporate executives also demand ipads and other tablet devices. As a result, IT has no choice but to support these consumer devices and incorporate them into the IT infrastructure. Make no mistake, the BYOD movement has rocked the foundation of enterprise computing. The tech analyst firm Forrester reports that more than 50 percent of the organizations it surveyed now support employee-owned mobile devices and smartphones. This empowered workforce uses groundswell technologies such as mobile devices to drive increased productivity, innovation and improved customer services, it notes in a 2011 report, Managing the Security and Risk Challenges of Personal Devices in the Workplace. Meanwhile, a 2011 Accenture report, titled Jumping the Boundaries of Corporate IT, found that 87 percent of U.S Millennials decide where they will work based on their ability to use state-ofthe-art technology. Moreover, these individuals expect to use their own technology at work and tap into their preferred technology apps regardless of any compliance policy. A staggering 61 percent use social networking services that aren t supported by their IT department. In addition, 43 percent tap into non-supported IM, 31 percent rely on rogue open source technologies, and 26 percent use their own online collaboration tools. Then there s the fact that mobile devices are easily lost and stolen. A 2011 Ponemon Institute study found that the average cost of a data breach rose to $214 per compromised record in Worse, the figure hit $258 per record for mobile devices. Today, it s estimated that 70 percent of enterprise data resides somewhere on a mobile device. As employees tap into public Wi-Fi networks and exchange data device to device, oftentimes through social media applications, the challenges and risks to the enterprise grow exponentially. Risk Vectors These risks come in a number of forms. First, there s the danger of physical access to information when a device is lost or stolen. Once holding a device, a sophisticated thief can bypass a passcode and circumvent encryption. In addition to obtaining sensitive enterprise data, the attacker may wind up with passwords to other systems on the network. Physical access essentially renders most security protections including intrusion detection and antivirus useless. Device attacks are another serious concern, particularly on the Windows, Symbian and Android platforms. These may take the form of browser-based attacks as well as viruses or other malware sent through text messages or . Hackers and thieves may want to gain control of a device or the data residing on it, or they may use the device to get inside the enterprise network. Once a device harbors a botnet or malicious code, it can also infect other systems. Juniper Networks reported that malware for the Android operating system alone rose by 400 percent from 2010 to The growing use of public Wi-Fi presents serious risks as well. Hackers may eavesdrop on transmissions or use the network as a way to gain access to devices and use them for more serious attacks on a network. Unencrypted Wi-Fi networks can support so-called man-in-the-middle attacks, which allow a hacker to intercept communication and relay messages between two parties. Because the participants may think that they are privately communicating with the other person, they may provide sensitive data. An attacker within range of a Wi-Fi access point can use this method if mutual authentication between the parties hasn t taken place. Finally, there s the risk of insider threats. A March 2012 survey conducted by Ponemon Institute and Trend Micro found that security tools alone cannot protect systems and networks. Only 8 percent of all breaches are caused by external cyber-attacks. The top three reasons for breaches are employees losing notebooks or other mobile data-bearing devices (35 percent), third-party mishaps or errors (32 percent), and system glitches (29 percent). Larry Ponemon, chairman and founder of Ponemon Institute, noted that an increasingly mobile workforce is a key contributor to the problem. John Kuhn, director of product management for the Enterprise Mobility Group at Symantec, says that the number of platforms and devices an enterprise must support has skyrocketed over the last few years. What makes things especially difficult is that most organizations cannot dictate a device, he says. You have people using BlackBerry devices, iphones, Androids and other systems. You also have them sharing files and data through services such as Dropbox and Box.net. /// 35% AMOUNT OF BREACHES CAUSED BY EMPLOYEES LOSING NOTEBOOKS OR OTHER MOBILE DATA-BEARING DEVICES. \\\ SOURCE: Juniper Networks >>> 11

3 MOBILE SECURITY 8 WAYS TO AMP UP MOBILE SECURITY The complexities of mobile security haven t been lost on enterprise business and IT executives. Here are eight ways to improve protection and reduce risk: Develop an enterprise mobile security strategy. It s essential to understand what returns and risks devices and apps create and how mobility fits into the overall framework of the organization. A comprehensive audit should lead to a security policy that addresses issues as diverse as jailbreaking and what happens when a device is lost or stolen. It should also classify employees and data to ensure that sensitive and confidential information remains in the right hands. Focus on data rather than devices. The ultimate goal for an enterprise is to protect data. The cost of a lost device is minimal but lost data could compromise the entire business. As part of this approach, adopt solutions that provide maximum abstraction between data and specific devices and operating systems. This approach reduces complexity and risk. View each security tool as only part of the overall picture. An effective security strategy incorporates a wide range of solutions to create a security fabric that extends throughout the organization and onto mobile devices. Understand how these tools interact and look for any gaps that could lead to vulnerabilities. Provide education and awareness training. Although today s employees are typically savvy about using mobile devices, they may not be clear on security risks associated with their actions and behaviors. It s critical to provide education and training and understand what practices to avoid. Adopt a robust mobile device management (MDM) solution. MDM greatly simplifies device administration by providing a centralized view of resources and making it easier to use diagnostics, remote configuring and provisioning, apply patches, use backup and restore functions, asset tracking, provide network support, logging and reporting, and GPS tracking. Don t neglect conventional security tools. Understandably, most organizations focus heavily on mobile-specific security such as mobile device management solutions. However, antivirus, web filtering, virtual private networks (VPNs), data loss prevention (DLP), file encryption, authentication and other tools are the foundation of any security strategy. Focus on privacy issues. Security and privacy are deeply intertwined. A data breach could reveal private employee or customer information and lead to legal problems. In addition, the use of personally owned mobile devices in the workplace raises key questions particularly for companies that scan devices to ensure that they do not create risks or contain confidential company data. Stay agile. Conventional three- to five-year technology plans do not work in the mobile arena. It s critical to create an agile framework and continually reevaluate the way employees and others access data, what devices they use and what risks result. A six-month strategy isn t unreasonable. Developing a Mobile Security Strategy Building a comprehensive security strategy begins with an analysis and understanding of how people use applications and data and the role of the network in delivering information to users. It s also important to understand possible theft and loss scenarios and know the value of data residing on devices so that it can be classified accordingly. Best practice organizations typically create data tiers to determine the appropriate defense and level of protection. Security experts say that it s critical to focus on protecting data rather than devices. The cost of a lost device might top $500, but the loss of the data residing on the device could extend into millions of dollars. It could also result in bad press, fleeing customers, fines or lawsuits and a tarnished reputation and brand. Trying to build the ultimate padlock is both impractical and inefficient, explains Clinton Smith, manager of IT risk and compliance for Grant Thornton, LLP. Chenxi Wang, vice president and principal analyst for security and risk at Forrester, points out that basic protection such as enforceable password-based entry, autolock and remote-wipe capabilities are the starting point for a mobile security strategy. These tools allow an enterprise to retain some control over lost or compromised devices. Virtually all mobile devices now support these features and a 12

4 growing array of third party software applications allow IT administrators to remotely wipe data from mobile devices. In many cases, the ability to wipe a device within seconds can determine whether the incident winds up being a minor headache or a major security breach. Other basic considerations include the ability for IT to maintain and control security settings from a single location; have application and data controls, including automatic data encryption and secure transfers through a VPN (the Apple ios platform has built in support for encryption whereas many others, including Android, do not); and deploy other standard security protections, including antivirus, data loss prevention (DLP), web filtering and authentication. In some cases, a virtual desktop interface (VDI) streamlines security by eliminating data storage on a thin client or zero client device and instead keeping the files on a central server. VMware and Citrix are key vendors in this space. However, the primary security focus for many organizations is now mobile device management. Offered by a number of vendors, including AirWatch, BoxTone, McAfee, Microsoft, MobileIron and Symantec, it provides an enterprise view of devices, application rollouts and data use patterns. These applications support different mobile devices deployed across different carriers and service providers. In many instances they provide diagnostics, remote configuring and provisioning, backup and restore functions, asset tracking, network support, diagnostics, logging and reporting and GPS tracking. Symantec Mobile Management (SMM), for example, offers comprehensive visibility and control for iphones, ipads, Androids and other popular mobile devices using a single console and a highly scalable approach. It allows network administrators to establish policy controls that encompass everything from passwords to remote-wipe capabilities. It also offers endpoint management that helps an organization standardize on a single platform across all enterprise applications. For instance, an administrator can switch off a camera or control access to public app stores. The software is also able to separate corporate and personal data on devices to comply with regulatory requirements. Forrester s Wang believes that MDM, while providing a highly useful way to oversee different platforms and devices within a consistent management interface, can sometimes provide a false sense of security. It can distract business and IT leaders from thinking about the big picture, Wang explains. In addition, Forrester notes that a one-size-fits-all approach to device management can create problems and inhibit productivity particularly if classifications and user access issues aren t clearly analyzed and defined up front. Other security management tools also play a key role in thwarting data loss and theft. Websense TRITON, for example, integrates web, and data security in order to provide unified content analysis on a mobile platform. The firm s enterpriseclass DLP works on iphones, ipads and the Android platform over carrier networks and Wi-Fi. What s more, the company continually analyzes mobile apps available for ios, Android and other platforms and provides insights into potential risks. It s crucial to take an integrated approach that addresses mobile applications, data theft and web security, says Tom Clare, senior director of product marketing at Websense. 13

5 MOBILE SECURITY Authentication applications are also a valuable piece of the security puzzle. Vendors such as Symantec, DigitalPersona and Imprivata offer solutions to help control and manage network access, including from mobile devices. For instance, Imprivata s OneSign for Healthcare offers a number of key capabilities, including a single sign-on access management tool for EMR access on personal computers as well as various mobile devices. The solution provides a high level of functionality, flexibility and scalability across an organization. The system is designed to improve clinician workflow and reduce IT administration tasks. Organizations, particularly in healthcare, face enormous challenges, notes David Ting, CTO for Imprivata. Wang believes that it is crucial to balance user needs and security. At the end of the day, both IT operations and security want business owners and business users to see them as partners in their mobility needs. If you take too conservative of an approach to mitigating security and risk concerns on personally owned devices, users will once again see security as just a policy function, she notes. Policy Matters All the leading-edge technology in the world won t guarantee security, Wang says. It s important to develop sound policies that address a wide array of issues, including device standards, IT management and support, acceptable usage guidance, financial responsibilities, operational security and legal implications. Within this umbrella, key issues include: organizational accountability, awareness training and developing solid communication with employees and other system users. Remarkably, a Ponemon Institute study found that 53 percent of companies it surveyed have no mobile policy in place and a mere 16 percent had a policy that encompassed the entire enterprise. One way to mitigate risk, Wang says, is to build an internal app store for distributing software internally. It s a strategy that a growing number of organizations are embracing. This approach can help guarantee the quality and safety of apps distributed to employees. It also creates a viable way to distribute apps internally and let employees know which apps are the most popular and most useful. 14

6 No less important: it s possible to control the apps employees download based on their role and privileges. Ultimately, Wang says, it s critical to recognize that the policies an enterprise deploys affect how it builds out its infrastructure, including mobile support. As a result, it s essential for IT to develop a strategy and solutions with input from different business units and build a framework for agile mobile deployment and change. For each corporate application or resource that users will access via his or her mobile device, you must create a similar checklist, she points out. Regulated organizations, meanwhile, must ensure that additional controls and reporting tools exist. ABI Research Practice Director Dan Shey says that it s important to recognize that there is no such thing as foolproof security. Today s state-of-the-art security systems and processes may prove inadequate tomorrow. In a mobile arena that s evolving rapidly, the risks are ratcheted up further. It s important to create an enterprise-wide security policy and a security governance roadmap that provides an enterprise vision as well as a way to maintain control moving forward, he explains. In the end, organizations must be vigilant about external and internal threats relating to mobile security. There s no simple path to protection and there s no silver bullet. It s essential to incorporate an array of security tools and technologies but also focus on the human factor. Today s business and IT environment requires an entirely different security mindset, including a thorough understanding of how employees factor into overall data use and security. Concludes Symantec s Kuhn: The most successful organizations integrate mobile protection solutions into the overall framework of security. WHAT S IN A SOUND BYOD POLICY? THERE S NO TURNING BACK THE CLOCK ON MOBILITY. Consumers now dictate many of the technologies, tools and solutions that enterprises adopt. As a result, it s critical to have a policy in place for employees using their own smartphones and tablets. Here are several key components: DEVICE USE It s essential to define which devices will be allowed. Today, this usually means Apple s ios, Google s Android and, in many cases, BlackBerry and Microsoft devices. AUTHENTICATION User names and passwords aren t enough to provide adequate security. Devices must have digital certificates installed and support end-to-end encryption through a VPN. What s more, the organization must be able to track the user s identity, device, location and have a record of access. REMOTE WIPE An organization should use remote wipe software in case the device is lost or stolen or the employee leaves the company. USER DATA It s essential to spell out who owns and controls what data, including files, images and audio files. APPS The organization should provide employees with a list of apps that are allowed as well as those that can t be used. The latter should only be apps that pose a clear security risk. AN APPROVAL PROCEDURE It s important to offer a procedure for approving new devices and apps. The mobile environment is changing rapidly. ASSESSMENTS Security Assessment Assists with Data Loss Prevention Our solution architects will conduct a comprehensive security assessment to protect against loss both inside and out. Included is a set of security remediation recommendations that are prioritized by risk, cost and business impact. Stop information and reputation loss with DLP solutions. Call us today to find out how we can help. 15