Mobile Security: Smaller Devices, Bigger Threats
Wes Simonds 120000EFD6 firstname.lastname@example.org | | Tags:  mobile smaller ibm simonds jeff endpoint devices wes crume business-agility device manager security bring your threats own software smarter bigger capabilities
0 Comments | 6,514 Visits
Mobile is a whole new ballgame for IT security. I've written before about my cordial dislike for the phrase ‘paradigm shift.’ Here's my objection in a nutshell: there aren't very many paradigms and they don't tend to shift. As in all things, however, there are exceptions.
Pen-and-ink ledgers giving way to spreadsheets? Single-app servers giving way to virtualization? Yeah. Paradigm, check. Shifting, check.
We are, I think, currently living in the middle of another such shift, and as paradigm shifts go, this one is arguably bigger and more significant than either of the two I just mentioned. It involves far more people, far more transactions, and creates, as a result, far more change.
I'm talking, of course, about the rise of mobile technology. In one generation, we've gone from landlines to cell phones to smart phones. And the new smart phones are so much smarter than the old ones, the old ones can now be called stupid.
Recently I was reading Jeff Crume's blog, Inside Internet Security, and I discovered there a video interview of Jeff holding forth on the subject of mobile security and everything it implies for organizations today.
This quote in particular stood out for me:
‘Whereas we used to have the data in some glass house, in some controlled environment, now it's sitting in somebody's pocket. Or worse yet, it's sitting in the back of a taxi cab that you took an hour ago. And it's still riding around New York City. And you aren't.’
You see what I mean about paradigm shift being justified in this case. Spreadsheets and virtualization, you have just been dethroned.
Successful security strategies acknowledge social realities
Jeff is a Distinguished Engineer, Master Inventor and IT Security Architect for IBM, so it struck me as a good idea to talk to him a little more on these topics. So that's what I did.
As it turns out, we have many of the same opinions. One in particular is that the mobile computing paradigm shift is multiplied because it involves not just a technological, but a social, dimension.
If you move from ledgers to spreadsheets, or from single-app servers to virtualized hosts, you generally (unless you're a complete freak) only do so at work, and only for business reasons.
But for mobile devices like smart phones and tablets, the appeal is far wider. The utilization is far greater. And from a security standpoint, the upshot is that mobile devices have now often become a sort of path-of-least-resistance for employees who want to conduct work activity offsite.
Having bought the browser-equipped device largely for personal reasons, they now want to use it for business purposes, too -- even though it was never originally designed for that job, and isn't particularly secure.
And the fact is that this will happen whether anybody in IT likes it and approves it or not. As far as the user is concerned, the convenience to him flat-out trumps any abstract logic, however correct it may be, that security-poor mobile devices shouldn't be used for business purposes.
‘When it comes to BYOD (Bring Your Own Device), we as IT security professionals have to learn to say 'how' rather than 'no,'’ said Crume. ‘Because if we don't, users will do it anyway, and in a far more insecure manner.’
Let me give you an example of the kind of thing he means.
Imagine that Employee Joe buys an iPhone, which of course has as browser pre-installed in it (Safari). Joe travels a lot for work and wants to use his iPhone to check company e-mail. The company supports a browser interface for e-mail, so Joe's goal can actually be accomplished.
Problem is, the company IT policy forbids him to do it. And the company backs this up by seeing to it that browser-based e-mail is only available over a secure VPN-based connection, such as Joe has from his security-rich laptop.
Joe, however, has other ideas. Maybe he loves his laptop (which weighs a few pounds and is portable), but he loves his iPhone more (because it weighs a few ounces and is far more portable). So he's determined to find a workaround to this e-mail issue. And it occurs to him that he can simply set his corporate e-mail to forward automatically to an off-site service such as Gmail... which has no such prohibitions on how it's used.
So now the enterprising Joe is, indeed, using his iPhone to send and receive his company e-mail. This, needless to say, is a security disaster for his employer. Not only does all that e-mail travel over relatively insecure networks to a relatively insecure device, but its full contents are also donated to Google (a company whose business model revolves around milking the world's information for everything it's worth).
The root cause of this increasingly common situation is simple: Personal and business devices and services are getting stirred together into a melting pot which is, to an IT security professional, overflowing with sinister potential.
Or as Crume puts it: ‘Mobile devices typify the blurring of lines between our work and non-work personas.’
Applying familiar security best practices in unfamiliar ways
You can also interpret this situation from a technical standpoint, if you like.
Think about potential security exploits and what can be done to stop them, for instance. If organizations are going to support the use of personally owned mobile devices, the platform may have changed, but the security goals and challenges haven't.
Just as with laptops/desktops, IT will have to pursue key tasks like
Accomplishing all that is a bit of a puzzler given that most mobile devices typically aren't based on robust, security-rich operating systems like UNIX.
They're based on... well, let's be diplomatic and call it ‘something else.’ And if you happen to be a malware hacker interested in easy exploits, that something else is awfully tempting.
Crume's opinion, which I share, is that organizations need to wake up to these realities -- creating and pursuing a strategy that allows employees to use mobile devices, albeit in a fashion that is as secure as possible.
‘The form factor has shrunk, but the threat has not. We can either learn how to surf the tsunami of mobile devices or be crushed by it,’ he said. ‘And since the waters are shark-infested with hackers, the risks of getting it wrong are significant.’
All of this context is, no doubt, directly responsible for IBM's recent, very notable interest in mobile computing -- and it's plain to me that IBM means to get it right.
Consider, for instance, the launch of IBM Endpoint Manager for Mobile Devices. This solution specifically targets BYOD security for the enterprise, providing security that's as comprehensive and robust as the underlying platform allows it to be.
On Joe's iPhone, for instance, Endpoint Manager for Mobile Devices can leverage Apple's management API (given approval from Joe). This gives the company new power to reach across the carrier link and actually remove key data from the phone, no matter where that phone goes.
If it is, to use the Crume for-instance, sitting forgotten in the back of a NYC cab, that's a shame, but at least it's free of sensitive company e-mail, not to mention all those personal photos of Joe's house and children that Joe would prefer strangers not have.
And on platforms like Google's Android, that support agents, the Endpoint Manager agent can simply be installed -- providing an even greater range of management options, such as device configuration and application updates, that make the device even more secure.
These many security capabilities thus benefit not just Joe's employer, but Joe himself -- a critical point that Joe will probably need to have explained to him before that agent's going to get installed.
See what IBM offers for Enterprise Mobility Management
Achieve smarter, faster endpoint management
Read about how to secure mobile devices in the enterprise
Discover how to safely embrace ‘Bring Your Own Device’ in the workplace
Gain insight from this webcast on mobile device management
Guest blogger Wes Simonds worked in IT for seven years before becoming a technology writer on topics including virtualization, cloud computing and service management. He lives in sunny Austin, Texas and believes Mexican food should always be served with queso.