Consumerization Of IT: Security Is No ExcuseAt most companies, you can't just say "no" to consumer devices. Here's a plan to take the lead on information security issues.
Sorry to break this to you, but if you're looking to use security as the reason to keep consumer technologies out of your company, you'll have quite an uphill battle. Not because the security risks aren't real (they are), and not because you can guarantee the data security on the devices (you can't). It's because, as with virtualization, the business benefits significantly outweigh the security risks. As I heard one CIO say recently: "Consumerization is a parade. You can either get out in front of it to stop it and get trampled, or you can grab the baton and lead the parade."
Consumer devices are taking hold quickly in enterprises in part because it's easy to access company data without having to get IT involved. Any employee with ActiveSync access to corporate email can get that email on their personal smartphone or tablet in less than a minute.
The first challenge in securing personal smartphones and tablets is knowing when those devices are being added and removed from the company network, and knowing if they adhere to company policy. Bob the engineer could connect with to his corporate email with a BlackBerry today and a brand new Android phone tomorrow. The problem is your company's email server most likely can only push a security policy to BlackBerry or Windows Mobile devices. Without proper management, you don't even know that Bob is no longer adhering to company policy.
Don't despair. Securing the unknown starts with a tried-and-true technique: default deny. Through the use of mobile device management tools such as MobileIron, you can prevent devices your IT team hasn't researched or approved from connecting to company resources. Heck, you can even make it so that any device needs your mobile application installed on it before it can receive a single corporate email. These mobile device management applications can prevent unwanted applications from being installed, can force removal of certain apps, and can even remotely wipe devices, even if your email platform doesn't support security policies on those devices. If a device is rooted or jail broken, you can prevent it from connecting to your infrastructure altogether.
Oh, great, you're thinking: This guy thinks I'm going to default deny and then spend my life managing a whitelist of every single Android smartphone variation and every firmware variation.
But that isn't the point of this type of whitelisting. The goal of preventing unauthorized devices from connecting isn't about figuring out if the device is capable and secure enough to connect to the company's network; it's about identifying who is connecting that device to the network. Wouldn't you rather focus on whether the CFO, who has critical earnings data in his email, is trying to connect email to his new tablet, instead of worrying whether iOS 4.2.1 is on the approved list? I would. Focus your consumer IT security strategy around people and their roles, not around products.
Focusing on people relates to another major risk of these new devices: the speed at which people replace them.
Think about how many employees are changing or upgrading their smartphones--some as often as twice a year. That can mean the SD cards and internal memory stored on their old phones are sitting at some store or have been resold.
Mobile device management (MDM) software can prevent device churn from affecting security by letting only one device connect per user. When the new device is provisioned--since you have a default deny policy, you'll have to approve it--you can disable and wipe the old device without having your IT team physically touching the device. MDM is gaining steam mostly because it lets companies offer employees a large range of devices, because most MDM technologies implement security policy using a custom-built application that's loaded on the device. You no longer have to plead with Apple or Google to implement a new security feature in the next OS release. Most MDM vendors support BlackBerry, iOS, Android, and Windows Mobile.
Those companies that can't afford MDM software need to look at data flows to these devices and pick the points they can secure. In our experience reviewing mobile risks, the most critical and confidential data is stored within the email app on the device, followed by the calendar, contact list, and any apps the user has to write notes, such as Evernote. Start with the basics: Force devices to be locked when not in use, and encrypt the email stored on the device if possible.
It's unlikely that an attacker will access critical, confidential data in an enterprise application other than email, calendar, and contacts. There are just too many variations of enterprise apps and devices to make it worth most attackers' time to write malicious code to get at data from those other apps.
Value In What You Already Own
Your existing security technologies inside the firewall also can help cope with consumer tech, since the email, calendar, and contacts sync with the corporate infrastructure. You can use capabilities such as data loss prevention and attachment monitoring to keep critical or confidential data from reaching employees' mobile email boxes. Still, that approach isn't as effective as combining data loss prevention with MDM.
When you start looking at the data flow, you'll see that most devices can't access the company's file server or intranet without setting up VPN access. Most of these new smartphones and tablets do support VPNs out of the box, but hopefully your VPN software can prevent access from unauthorized devices. If not, see if you can update the software so that it performs a check before any device accesses the internal network, and then blocks VPN access from devices that don't meet security policies.
However, any time you block access, be sure to also offer ways to let people securely do their work with mobile devices. Otherwise, they're more likely to just download their own apps and work around you. For example, we recommend giving employees remote desktop access to a secure and locked-down desktop via one of the many remote access apps, at the same time you're blocking VPN access from mobile devices. This approach prevents files from being copied to the device but lets the worker read and view documents. If done properly, this approach removes the risk of rogue apps and Trojan horses because company data won't be on the device in the first place.
The companies we have worked with that embrace consumer tech are getting a great side benefit: centralization of security controls. If you take our remote access example, this is actually an opportunity to provide more robust controls on a virtual desktop, while still giving employees what they want. You get the ability to audit, monitor, and prevent data loss without having to worry about the device the user is coming from--the perfect opportunity for a give and take. You give mobile computing and anywhere access, in exchange for more security controls. Remote desktop client apps are available on all major device platforms, including Android, iOS, and BlackBerry.
So get out and lead the parade. Doing so will require some assessment of devices, software security tools, and MDM software. Do these assessments even if you don't have a company policy governing consumer devices, or if your policy is to flat-out ban them. In our experience, when employees feel like IT is embracing change, they're much more likely to work with you rather than against you.
Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago. Write to us at [email protected]