Addressing Mobile Device Security and Management Requirements in the Enterprise

Transcription

1 White Paper Addressing Mbile Device Security and Management Requirements in the Enterprise By Jn Oltsik Octber, 2010 This ESG White Paper was cmmissined by Juniper Netwrks and is distributed under license frm ESG. 2010, Enterprise Strategy Grup, Inc. All Rights Reserved

2 Cntents Executive Summary... 3 The Mbile Device Landscape... 4 Mbile Device Use... 5 Mbile Device Security... 7 Analysis and Recmmendatins... 8 The Bigger Truth... 9 All trademark names are prperty f their respective cmpanies. Infrmatin cntained in this publicatin has been btained by surces The Enterprise Strategy Grup (ESG) cnsiders t be reliable but is nt warranted by ESG. This publicatin may cntain pinins f ESG, which are subject t change frm time t time. This publicatin is cpyrighted by The Enterprise Strategy Grup, Inc. Any reprductin r redistributin f this publicatin, in whle r in part, whether in hard-cpy frmat, electrnically, r therwise t persns nt authrized t receive it, withut the express cnsent f the Enterprise Strategy Grup, Inc., is in vilatin f U.S. cpyright law and will be subject t an actin fr civil damages and, if applicable, criminal prsecutin. Shuld yu have any questins, please cntact ESG Client Relatins at (508)

3 Executive Summary In late 2009, ESG cnducted a research survey f 174 IT prfessinals in Nrth America. Survey respndents wrked at enterprise rganizatins with mre than 1,000 emplyees. Based upn this research prject, this paper cncludes: Mbile devices have becme missin critical. Organizatins are spending mre n and ding mre with mbile devices each day. ESG s data clearly indicates that mst enterprises regard mbile devices as missin critical tls, nt the latest cnsumer tys. Management and security lag behind. Mbile devices are making emplyees mre prductive frm mre places. This is encuraging large rganizatins t invest further in mbile devices and develp custm applicatins. Unfrtunately, the data als indicates a grwing mbile device security and management gap: mbile devices tend t be managed n an ad-hc basis, increasing IT peratins cst and cmplexity. Alarmingly, mbile devices remain relatively insecure even thugh they are used t access cre applicatins and lts f sensitive data. These issues create a ptential Faustian cmprmise in the future as greater prductivity cmes with a cst f IT peratins fire drills and increasing security risk. CIOs must address management gaps t maximize mbile device benefits while minimizing the risks. Large rganizatins need t address mbile device security and management weaknesses. What s needed? Sund plicies, dcumented prcesses, integrated mbile device management and security tls, and cnstant versight. CIOs must establish a baseline f strng mbile device security as sn as pssible. Why? Mbile devices represent the prverbial weak link in the security chain; therefre, pr mbile device security creates vulnerability fr ALL critical systems n the crprate netwrk. In ther wrds, ne cmprmised mbile device culd lead t a majr data breach. Furthermre, mbile device prliferatin will nly increase in the future grwing mre cmplex, cstly, and risky ver time. Enterprise firms need t get their arms arund mbile device security befre they are buried by verwhelming cumbersme IT peratins r burned by a cstly security event.

4 The Mbile Device Landscape The ESG data clearly indicates that mbile devices have becme pervasive: in 44% f enterprise rganizatins, at least half f all emplyees use their mbile devices t get their jbs dne. Nte that mre than 75% f emplyees use their mbile devices fr day-t-day prductivity at nearly ne-fifth f all large rganizatins (see Figure 1). Figure 1. Mst Emplyees Use Mbile Devices fr Wrk at Large Organizatins Apprximately what percentage f yur rganizatin s ttal emplyees currently use a mbile device fr wrk n a daily basis? (Percent f respndents, N=174) Dn t knw, 1% Less than 25%, 22% 100%, 2% 75% t 99%, 18% 50% t 74%, 26% 25% t 49%, 30% Large rganizatins are als spending mre budget dllars n mbile devices as well as the peple, prcesses, and technlgies used t manage, supprt, and secure them. Eighthly-tw percent claim that mbile device spending is increasing and 37% f all large rganizatins are spending significantly mre n mbile devices (see Figure 2). Figure 2. Enterprise Spending n Mbile Devices Hw wuld yu characterize the general trend with respect t yur rganizatin s annual spending n mbile devices (i.e., fr devices and ther rganizatinal and/rsupprting technlgy csts)? (Percent f respndents, N=174) Mbile device spending is decreasing, 3% Dn t knw / unsure, 1% Mbile device spending is generally flat, 14% Mbile device spending is grwing significantly, 37% Mbile device spending is grwing mderately, 45%

5 Unlike PCs, mbile devices are brught int the enterprise by individual emplyees. Indeed, they have becme the ultimate cnsumer device frcing IT managers t supprt the trendy phne du jur. While Blackberry and Windws mbile tp the list f supprted devices, Apple iphnes and Ggle Andrid phnes are gaining mmentum (see Figure 3). Of curse, the next challenge will be supprt fr ipads and ther tablet PCs t fllw. Figure 3. Mbile Device Platfrm Supprt Which f the fllwing mbile device platfrms des yur IT rganizatin frmally supprt? (Percent f respndents, N=174) Blackberry 79% 11% 3% 7% Windws Mbile/ CE 62% 9% 9% 16% 3% iphne 43% 18% 14% 1% Palm Web OS 17% 13% 39% 8% Ggle Andrid 8% 16% 22% 43% 11% Symbian OS 7% 14% 11% 52% 15% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% IT currently supprts Plans t supprt Interested in supprting N plans r interest at this time Dn t knw / nt applicable Mbile Device Use As far as mbile device usage ges, remains the mst ppular applicatin, but 63% f large rganizatins prvide mbile device access t internal netwrks and prtals and 30% f enterprises als ffer CRM, cre business applicatins, lcatin-based applicatins, industry applicatins, and custm applicatins (see Figure 4).

6 Figure 4. Mbile Device Applicatin Supprt Please indicate if yur rganizatin currently uses r plans t use the fllwing applicatins n mbile devices? (Percent f respndents, N=174) 89% 3% 5% 3% 1% Intranet access (requires authenticatin) 63% 18% 13% 4% 2% Custm applicatins 39% 30% 17% 9% 5% Industry-specific applicatins 36% 31% 18% 10% 5% Lcatin-based applicatins 31% 32% 18% 15% 5% Cre business applicatins (ERP, HR, etc.) 31% 25% 14% 6% CRM (Custmer Relatinship Management) / Sales Frce Autmatin (SFA) 30% 23% 13% 10% Inventry applicatins 27% 21% 19% 9% Emplyees can als access an assrtment f data frm their mbile devices and sme f this data is classified as cnfidential and/r private. Mre than ne-third f respndents say that emplyees using mbile devices can access, receive, and/r stre cmpany cnfidential data, custmer data, regulated data, and intellectual prperty (see Figure 5). Figure 5. Cnfidential Data Entitlements Using Mbile Devices 0% 20% 40% 60% 80% 100% Already deplyed Plan t deply within 24 mnths N plans but interested N plans r interest at this time Dn t knw / nt applicable In yur rganizatin, can an emplyee access, receive, r stre any f the fllwing n their mbile device? (Percent f respndents, N=174, multiple respnses accepted) Cmpany cnfidential data Custmer data (i.e., financial data, persnallyidentifiable infrmatin, etc.) Regulated data (i.e., data subject t security and privacy regulatins) Intellectual prperty 40% 38% 36% 35% Administratr access t internal IT systems and assets 28% Nne f the abve 16% 0% 10% 20% 30% 40% 50%

7 The data paints a distinct picture: mbile devices are used by mre emplyees fr many types f applicatins and data including cnfidential data then ever befre. Thus, it is n surprise that 38% f respndents said that mbile devices were critical fr business prcesses and prductivity. Mbile Device Security Mbile device prductivity cmes at a price: increased security risk. Mbile applicatins create yet anther path int enterprise netwrks, which culd allw them t prpagate malicius cde, a scenari presented in the recent Cyber Shckwave exercise. Sensitive data stred n a mbile device culd be lst r stlen, leading t data breaches, cmpliance vilatins, and expensive/embarrassing public disclsure. Large rganizatins recgnize mbile device threats and vulnerabilities and understand that they need prper security prtectin. Just what types f security cntrls are needed? Enterprises have a laundry list f imprtant requirements (see Figure 6). Figure 6. Mbile Device Security Pririties Hw wuld yu rate the imprtance f the fllwing features and/r capabilities when it cmes t evaluating, selecting, and implementing mbile security and management technlgy slutins? (Percent f respndents, N=174) Device encryptin 51% 34% 11% 3% Device firewall 48% 37% 11% 3% 1% Strng authenticatin 46% 41% 11% 1% 1% Antivirus/antispam 45% 37% 13% 3% 1% Device lcking 44% 41% 13% 1% 1% Data Lss Preventin r Enterprise Rights Management 43% 39% 14% 4% Device wiping 40% 43% 12% 5% 1% VPN 39% 42% 13% 4% 2% Integratin with existing systems management slutins 30% 47% 17% 4% 2% Integratin with existing backup systems fr data prtectin 27% 45% 4% 1% Integratin with device mnitring systems 26% 47% 20% 5% 2% Integratin with existing asset management systems 25% 45% 23% 5% 2% Sftware distributin 41% 26% 6% 3% Remte cntrl 23% 47% 6% 1% Integratin with cmpliance management systems 21% 49% 21% 6% 3% Applicatin whitelisting and blacklisting 20% 44% 25% 8% 3% Very Imprtant Imprtant Nt very 0% imprtant 20% Nt at all 40% imprtant 60% Dn t knw 80% 100% Enterprises als see that mbile device security ges hand-in-hand with IT peratins. In fact, 80% f rganizatins believe it is critical r imprtant t have integrated mbile device security and management slutins (see Figure 7).

8 Figure 7. Mbile Device Security Pririties Hw imprtant is it t yur rganizatin t have an integrated management and security slutin fr mbile devices (i.e., cmmn management, cmmand and cntrl, and reprting fr mbile device security and ther administrative tasks)? (Percent f respnd Nt at all imprtant, 1% Dn t knw, 2% Nt that imprtant, 2% Smewhat imprtant, 15% Critical, 28% Analysis and Recmmendatins Large cmpanies are buying mbile devices, prviding mbile devices applicatin access, and even develping new mbile device applicatins. CIOs must quickly recgnize the grwing value f mbile devices and supprt these missin critical business tls with IT best practices fr management, administratin, and security. T achieve these bjectives, large rganizatins shuld: Address specific needs fr mbile devices. ESG believes that Figure 6 can be used as a guideline fr mbile device security and management pririties as fllws: Imprtant, 52% Address mbile data security. Since users can access and stre sensitive data with lcal devices, data security must take precedence. ESG suggests that large rganizatins review and update data privacy plicies t include mbile devices; train users n plicies, security threats, and penalties; and lck dwn devices with strng authenticatin, data encryptin, and device/user behavir mnitring. Dn t frget mbile device remte lcking, data wiping, and backup/restre since it is likely that lst devices pse the greatest security risk. Address device security. Since these devices will access crprate netwrks, they shuld be treated as a ptential threat vectr. ESG recmmends that enterprises cnfigure devices fr security, apply patches in a timely fashin, train users n risky behavir and scial engineering attacks, and install endpint security that includes antivirus, firewall, Web threat prtectin, and applicatin white listing. Cnsider mbile VPN needs. The last thing the VP f Sales wants is cmplex netwrk access cntrls that preclude field reps frm uplading purchase rders n the last day f the mnth. T satisfy security and business needs, mbile security slutins shuld prvide fr secure cnnectivity t specific netwrks assets while remaining transparent t end-users. Establish gd prcedures and tls fr device management. This includes IT best practice framewrks like ITIL, COBIT, and NIST-800. It als means gd management tls fr device prcurement, cnfiguratin, change management, remte supprt, and retirement.

9 White Paper: Addressing Mbile Device Security and Management Requirements in the Enterprise Lk fr integrated mbile device management and security tls. As Figure 6 clearly indicates, large rganizatins want integrated slutins fr mbile security and management, nt a bunch f tactical pint tls. Lk fr integrated slutins that 1) integrate with netwrk access cntrl and VPNs, 2) prvide a ptpurri f security/management features and rich functinality, and 3) supprt all ppular mbile devices with a brad range f functinality fr each. Think in terms f lifecycle management. Large rganizatins shuld think f mbile device lifecycles frm cradle t grave. This lifecycle will require mbile device prcurement, cnfiguratin, change management, patch management, security event management, and cnstant health and security mnitring. In this way, IT managers can ensure that devices and users are prductive, up-t-date, high perfrming, and safe. Remember t plan fr these lifecycle requirements up frnt befre investing in any mbile device management r security prducts. The Bigger Truth The business value f mbile devices really dictates that IT executives create an enterprise-class mbile device management and security strategy built arund well-understd IT best practices. The ESG data suggests the need t priritize security, chse integrated management and security tls, and lean n existing IT peratins and management mdels. Wrking with established vendrs will certainly help IT executives accmplish these bjectives. CIOs must internalize the ESG data presented in this paper and then act quickly t address risks. Remember that: Mbile explits are already happening. Fr example: In late 2009, researchers at several security firms reprted that an iphne wrm called "Ikee.B" r "Duh" was prliferating using the default passwrd fr an applicatin. Once an iphne is cmprmised, the wrm grabs text messages and searches fr banking authrizatin cdes used by at least ne bank befre sending the cdes t a central server. In September 2010, Adbe annunced a vulnerability in the Flash 10.1 runtime engine that culd allw an attacker t take cntrl f affected systems, including mbile devices running the Ggle Andrid perating system. A high percentage f mbile devices access and/r stre sensitive data. This means that a lst r stlen device wrth a few hundred dllars culd lead t a multi-millin dllar data breach. Smart rganizatins will recgnize that security issues like these will nly get wrse and seek ut mbile device security and management slutins in rder t lwer risks and streamline IT csts as sn as pssible. Laggard firms that delay implementatin f mbile device security will face higher risks and peratinal verhead if they are lucky. Unlucky rganizatins may als experience security events emanating frm nce inncent cell phnes and PDAs.

10 20 Asylum Street Milfrd, MA Tel: Fax: