Risk
1/19/2011
04:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

4 Strategies To Lower Mobile Device Risk

Employees want their own phones, and managers want them using apps for productivity. Your problem: Secure all this.

Look around, and you'll likely agree that end-user computing is taking its most radical turn since, well, the introduction of end-user computing.

Smartphones and now the iPad and tablet computers (which create similar challenges for mobile security) are growing like mad. To put some numbers on that growth: Smartphones accounted for 46% of global mobile phone revenue in the second quarter of last year, Infonetics research finds. It estimates that two out of three mobile subscribers in developed countries will use smartphones by 2014.

Mass-market smartphone ownership is creating new expectations from employees. Apple's and Google's offerings trump the BlackBerry platform, the enterprise standard, because people think they can be both serious (for business) and fun (for me).

2010 also brought the first truly practical hyper-mobile computer--something larger than a smartphone but smaller than a PC. The iPad and its tablet followers have obvious appeal to people, many of whom are wondering if they can replace their work computer some of the time, feeding those work-anywhere, play-anywhere fantasies. This month's Consumer Electronics Show illustrates the tablet frenzy Apple ignited with its wildly successful iPad, introduced only a year ago. New tablets are promised from Motorola, Research In Motion, Samsung, Dell, and even newcomers such as TV maker Vizio. Verizon has had the iPad on its network, and now has the iPhone 4 as well.

So the competition for mobile hearts and minds and pinch-and-tap fingers is in full swing, which means your employees will be showing up with more and more new devices. Employees want access to corporate resources and data via these new devices, many of which they personally own. Of utmost concern to any compliance-minded CIO should be: Are these new computing methods putting my data at risk? The answer is likely "yes" if you're leaving device settings up to the users. As we'll discuss, the risks of both smartphones and tablets can be managed in much the same way; it's just a matter of defining your requirements, picking a capable management product, and moving forward. We'll offer four frameworks for managing the risks of these mobile devices.

But first some important context. The megatrend is a shift beyond simple e-mail on these mobile devices. First driven by the iPhone, and now by the iPad, apps are the new frontier, with enterprise examples that include CRM, virtual desktop access (check out VMware's VDI infrastructure), and specialty apps.

Apps fall into two big categories, says Ojas Rege, CEO of mobile device management (MDM) vendor MobileIron. They're either task-oriented with broad appeal, such as those for time sheets, expense reports, and conference room scheduling; or they're specialty apps for a niche audience. Some of those specialty apps are custom-coded for a company's specific business processes.

For example, Customedialabs, an interactive media agency, produces a digital sales app for the medical device and diagnostics industry. Using a client app that regularly syncs with a back-end data repository, the mobile app helps clients cover sales territories using CRM components, while trying to ensure that reps show prospects only the latest medical information. This cuts the risk of providing out-of-date material, a violation of stringent FDA Part 11 rules.

It's just one example of how, with apps, we've left the safe confines of e-mail far behind.


Become and InformationWeek Analytics subscriber and get our full report on reducing enterprise risk from mobile devices.

This report includes practical advice on charting CIO-level strategies for securing mobile devices.
Get This And All Our Reports


Previous
1 of 4
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.