White Paper

Addressing Mobile Device Security and Management Requirements in the Enterprise

By Jon Oltsik

October, 2010

This ESG White Paper was commissioned by Juniper Networks and is distributed under license from ESG.

© 2010, Enterprise Strategy Group, Inc. All Rights Reserved

Contents

Executive Summary
The Mobile Device Landscape
Mobile Device Use
Mobile Device Security
Analysis and Recommendations
The Bigger Truth

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.

Executive Summary

In late 2009, ESG conducted a research survey of 174 IT professionals in North America. Survey respondents worked at enterprise organizations with more than 1,000 employees. Based upon this research project, this paper concludes:

Mobile devices have become mission critical. Organizations are spending more on and doing more with mobile devices each day. ESG's data clearly indicates that most enterprises regard mobile devices as mission critical tools, not the latest consumer toys.

Management and security lag behind. Mobile devices are making employees more productive from more places. This is encouraging large organizations to invest further in mobile devices and develop custom applications. Unfortunately, the data also indicates a growing mobile device security and management gap: mobile devices tend to be managed on an ad-hoc basis, increasing IT operations cost and complexity. Alarmingly, mobile devices remain relatively insecure even though they are used to access core applications and lots of sensitive data. These issues create a potential Faustian compromise in the future as greater productivity comes with a cost of IT operations fire drills and increasing security risk.

CIOs must address management gaps to maximize mobile device benefits while minimizing the risks. Large organizations need to address mobile device security and management weaknesses. What's needed? Sound policies, documented processes, integrated mobile device management and security tools, and constant oversight.

CIOs must establish a baseline of strong mobile device security as soon as possible. Why? Mobile devices represent the proverbial weak link in the security chain; therefore, poor mobile device security creates vulnerability for ALL critical systems on the corporate network. In other words, one compromised mobile device could lead to a major data breach. Furthermore, mobile device proliferation will only increase in the future, growing more complex, costly, and risky over time.
Enterprise firms need to get their arms around mobile device security before they are buried by overwhelming, cumbersome IT operations or burned by a costly security event.

The Mobile Device Landscape

The ESG data clearly indicates that mobile devices have become pervasive: in 44% of enterprise organizations, at least half of all employees use their mobile devices to get their jobs done. Note that more than 75% of employees use their mobile devices for day-to-day productivity at nearly one-fifth of all large organizations (see Figure 1).

Figure 1. Most Employees Use Mobile Devices for Work at Large Organizations

Approximately what percentage of your organization's total employees currently use a mobile device for work on a daily basis? (Percent of respondents, N=174)

Less than 25%, 22%
25% to 49%, 30%
50% to 74%, 26%
75% to 99%, 18%
100%, 2%
Don't know, 1%

Large organizations are also spending more budget dollars on mobile devices as well as the people, processes, and technologies used to manage, support, and secure them. Eighty-two percent claim that mobile device spending is increasing and 37% of all large organizations are spending significantly more on mobile devices (see Figure 2).

Figure 2. Enterprise Spending on Mobile Devices

How would you characterize the general trend with respect to your organization's annual spending on mobile devices (i.e., for devices and other organizational and/or supporting technology costs)? (Percent of respondents, N=174)

Mobile device spending is growing significantly, 37%
Mobile device spending is growing moderately, 45%
Mobile device spending is generally flat, 14%
Mobile device spending is decreasing, 3%
Don't know / unsure, 1%

Unlike PCs, mobile devices are brought into the enterprise by individual employees. Indeed, they have become the ultimate consumer device forcing IT managers to support the trendy phone du jour. While Blackberry and Windows Mobile top the list of supported devices, Apple iPhones and Google Android phones are gaining momentum (see Figure 3). Of course, the next challenge will be support for iPads and other tablet PCs to follow.

Figure 3. Mobile Device Platform Support

Which of the following mobile device platforms does your IT organization formally support? (Percent of respondents, N=174)

Legend: IT currently supports; Plans to support; Interested in supporting; No plans or interest at this time; Don't know / not applicable

Blackberry: 79%, 11%, 3%, 7%
Windows Mobile/CE: 62%, 9%, 9%, 16%, 3%
iPhone: 43%, 18%, 14%, 1%
Palm Web OS: 17%, 13%, 39%, 8%
Google Android: 8%, 16%, 22%, 43%, 11%
Symbian OS: 7%, 14%, 11%, 52%, 15%

Mobile Device Use

As far as mobile device usage goes, e-mail remains the most popular application, but 63% of large organizations provide mobile device access to internal networks and portals and 30% of enterprises also offer CRM, core business applications, location-based applications, industry applications, and custom applications (see Figure 4).

Figure 4. Mobile Device Application Support

Please indicate if your organization currently uses or plans to use the following applications on mobile devices? (Percent of respondents, N=174)

Legend: Already deployed; Plan to deploy within 24 months; No plans but interested; No plans or interest at this time; Don't know / not applicable

E-mail: 89%, 3%, 5%, 3%, 1%
Intranet access (requires authentication): 63%, 18%, 13%, 4%, 2%
Custom applications: 39%, 30%, 17%, 9%, 5%
Industry-specific applications: 36%, 31%, 18%, 10%, 5%
Location-based applications: 31%, 32%, 18%, 15%, 5%
Core business applications (ERP, HR, etc.): 31%, 25%, 14%, 6%
CRM (Customer Relationship Management) / Sales Force Automation (SFA): 30%, 23%, 13%, 10%
Inventory applications: 27%, 21%, 19%, 9%

Employees can also access an assortment of data from their mobile devices and some of this data is classified as confidential and/or private. More than one-third of respondents say that employees using mobile devices can access, receive, and/or store company confidential data, customer data, regulated data, and intellectual property (see Figure 5).

Figure 5. Confidential Data Entitlements Using Mobile Devices

In your organization, can an employee access, receive, or store any of the following on their mobile device? (Percent of respondents, N=174, multiple responses accepted)

Company confidential data: 40%
Customer data (i.e., financial data, personally identifiable information, etc.): 38%
Regulated data (i.e., data subject to security and privacy regulations): 36%
Intellectual property: 35%
Administrator access to internal IT systems and assets: 28%
None of the above: 16%

The data paints a distinct picture: mobile devices are used by more employees for many types of applications and data, including confidential data, than ever before. Thus, it is no surprise that 38% of respondents said that mobile devices were critical for business processes and productivity.

Mobile Device Security

Mobile device productivity comes at a price: increased security risk. Mobile applications create yet another path into enterprise networks, which could allow them to propagate malicious code, a scenario presented in the recent Cyber Shockwave exercise. Sensitive data stored on a mobile device could be lost or stolen, leading to data breaches, compliance violations, and expensive/embarrassing public disclosure. Large organizations recognize mobile device threats and vulnerabilities and understand that they need proper security protection. Just what types of security controls are needed? Enterprises have a laundry list of important requirements (see Figure 6).

Figure 6. Mobile Device Security Priorities

How would you rate the importance of the following features and/or capabilities when it comes to evaluating, selecting, and implementing mobile security and management technology solutions?
(Percent of respondents, N=174)

Legend: Very important; Important; Not very important; Not at all important; Don't know

Device encryption: 51%, 34%, 11%, 3%
Device firewall: 48%, 37%, 11%, 3%, 1%
Strong authentication: 46%, 41%, 11%, 1%, 1%
Antivirus/antispam: 45%, 37%, 13%, 3%, 1%
Device locking: 44%, 41%, 13%, 1%, 1%
Data Loss Prevention or Enterprise Rights Management: 43%, 39%, 14%, 4%
Device wiping: 40%, 43%, 12%, 5%, 1%
VPN: 39%, 42%, 13%, 4%, 2%
Integration with existing systems management solutions: 30%, 47%, 17%, 4%, 2%
Integration with existing backup systems for data protection: 27%, 45%, 4%, 1%
Integration with device monitoring systems: 26%, 47%, 20%, 5%, 2%
Integration with existing asset management systems: 25%, 45%, 23%, 5%, 2%
Software distribution: 41%, 26%, 6%, 3%
Remote control: 23%, 47%, 6%, 1%
Integration with compliance management systems: 21%, 49%, 21%, 6%, 3%
Application whitelisting and blacklisting: 20%, 44%, 25%, 8%, 3%

Enterprises also see that mobile device security goes hand-in-hand with IT operations. In fact, 80% of organizations believe it is critical or important to have integrated mobile device security and management solutions (see Figure 7).

Figure 7. Mobile Device Security Priorities

How important is it to your organization to have an integrated management and security solution for mobile devices (i.e., common management, command and control, and reporting for mobile device security and other administrative tasks)? (Percent of respondents)

Critical, 28%
Important, 52%
Somewhat important, 15%
Not that important, 2%
Not at all important, 1%
Don't know, 2%

Analysis and Recommendations

Large companies are buying mobile devices, providing mobile device application access, and even developing new mobile device applications. CIOs must quickly recognize the growing value of mobile devices and support these mission critical business tools with IT best practices for management, administration, and security. To achieve these objectives, large organizations should:

Address specific needs for mobile devices. ESG believes that Figure 6 can be used as a guideline for mobile device security and management priorities as follows:

Address mobile data security. Since users can access and store sensitive data with local devices, data security must take precedence. ESG suggests that large organizations review and update data privacy policies to include mobile devices; train users on policies, security threats, and penalties; and lock down devices with strong authentication, data encryption, and device/user behavior monitoring. Don't forget mobile device remote locking, data wiping, and backup/restore since it is likely that lost devices pose the greatest security risk.

Address device security. Since these devices will access corporate networks, they should be treated as a potential threat vector. ESG recommends that enterprises configure devices for security, apply patches in a timely fashion, train users on risky behavior and social engineering attacks, and install endpoint security that includes antivirus, firewall, Web threat protection, and application white listing.

Consider mobile VPN needs.
The last thing the VP of Sales wants is complex network access controls that preclude field reps from uploading purchase orders on the last day of the month. To satisfy security and business needs, mobile security solutions should provide for secure connectivity to specific network assets while remaining transparent to end-users.

Establish good procedures and tools for device management. This includes IT best practice frameworks like ITIL, COBIT, and NIST-800. It also means good management tools for device procurement, configuration, change management, remote support, and retirement.

Look for integrated mobile device management and security tools. As Figure 6 clearly indicates, large organizations want integrated solutions for mobile security and management, not a bunch of tactical point tools. Look for integrated solutions that 1) integrate with network access control and VPNs, 2) provide a potpourri of security/management features and rich functionality, and 3) support all popular mobile devices with a broad range of functionality for each.

Think in terms of lifecycle management. Large organizations should think of mobile device lifecycles from cradle to grave. This lifecycle will require mobile device procurement, configuration, change management, patch management, security event management, and constant health and security monitoring. In this way, IT managers can ensure that devices and users are productive, up-to-date, high performing, and safe. Remember to plan for these lifecycle requirements up front before investing in any mobile device management or security products.

The Bigger Truth

The business value of mobile devices really dictates that IT executives create an enterprise-class mobile device management and security strategy built around well-understood IT best practices. The ESG data suggests the need to prioritize security, choose integrated management and security tools, and lean on existing IT operations and management models. Working with established vendors will certainly help IT executives accomplish these objectives. CIOs must internalize the ESG data presented in this paper and then act quickly to address risks. Remember that:

Mobile exploits are already happening. For example:

In late 2009, researchers at several security firms reported that an iPhone worm called "Ikee.B" or "Duh" was proliferating using the default password for an application. Once an iPhone is compromised, the worm grabs text messages and searches for banking authorization codes used by at least one bank before sending the codes to a central server.

In September 2010, Adobe announced a vulnerability in the Flash 10.1 runtime engine that could allow an attacker to take control of affected systems, including mobile devices running the Google Android operating system.

A high percentage of mobile devices access and/or store sensitive data. This means that a lost or stolen device worth a few hundred dollars could lead to a multi-million dollar data breach.

Smart organizations will recognize that security issues like these will only get worse and seek out mobile device security and management solutions in order to lower risks and streamline IT costs as soon as possible. Laggard firms that delay implementation of mobile device security will face higher risks and operational overhead, if they are lucky. Unlucky organizations may also experience security events emanating from once innocent cell phones and PDAs.

20 Asylum Street, Milford, MA 01757
Tel: 508.482.0188
Fax: 508.482.0128
www.enterprisestrategygroup.com