How Does Mobility Change IT Risk Management?
Understanding the mobile issues that will measurably affect risk posture
With recent surveys showing the majority of enterprises considering mobile device management (MDM) and other security-related solutions, but a minority having actually deployed them, it is clear that organizations are grappling with exactly how mobility plays into their risk postures.
Unfortunately, rather than trying to first measure how mobility and BYOD increase risk to the enterprise to drive best practices and technology, many enterprises are making harried and clouded purchase decisions. But simply throwing money at a newly introduced security program without taking the time to understand why the budgeted item is necessary is dangerous and costly, experts warn.
"Administrators don't typically have enough information to be able to tell their management, 'This is why you have to buy this or do that' because they aren't able to quantify their mobile risks," says Dan Ford, CSO of mobile risk management firm Fixmo, and a doctoral candidate who's wrapping up a thesis on evaluating the risk of iOS in the enterprise.
Recent statistics on MDM deployments tend to back Ford's beliefs. While Gartner analysts predicted that over the next five years more than two-thirds of enterprises will adopt an MDM solution for their corporate-liable users, many of today's enterprises are having a hard time deciding what kind of solution they need. A recent InformationWeek Reports analysis, "40 BYOD Vendors, One Confusing Market," showed that just more than one-quarter of enterprises have currently deployed MDM.
Ford believes that quantifying different mobile risks could help enterprises decide what kind of technology and practices they need to support policies that would affect the risks they quantify as most important to the business. That means doing the hard work to put numbers to risks rather than the basic qualitative assessments of high, medium, low or red, yellow, green. The problem with qualitative assessments is that when security reduces an already high risk by 10 percent -- a considerable amount -- but the risk still remains high, it becomes difficult to justify expenditures on specific changes. And specificity is important when looking at all of the moving parts around MRM, including, for example, something like password policies.
"How much risk is it then when I have a four-digit pin, and what if I have a six-character password?" he says, explaining that these questions need to be asked and organizations should endeavor to attach metrics to the answers.
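The PIN-versus-password question above, worked as numbers; this is an added example, not from the article or from Ford's research. It assumes uniformly random secrets, a 62-character alphanumeric alphabet, a wipe-after-N-attempts policy, a guess rate of 10 per second, and hypothetical high/medium/low thresholds.

```python
# Added example: put numbers on unlock-credential risk instead of a colour.
# Every constant below is an assumption, not a figure from the article.
ALPHABETS = {"digits": 10, "alnum": 62}   # assumed character sets


def keyspace(alphabet, length):
    """Number of possible secrets of this length."""
    return ALPHABETS[alphabet] ** length


def p_guess_before_wipe(space, attempts_before_wipe):
    """Chance that distinct guesses hit a uniformly chosen secret before the
    device wipes itself."""
    return min(1.0, attempts_before_wipe / space)


def hours_to_exhaust(space, guesses_per_second):
    """Worst-case hours to try every value if the attempt limit is not enforced."""
    return space / guesses_per_second / 3600.0


def bucket(p, high=1e-4, medium=1e-7):
    """Hypothetical qualitative scale, for comparison with the numbers."""
    if p >= high:
        return "high"
    return "medium" if p >= medium else "low"


def assess(alphabet, length, attempts_before_wipe=10, guesses_per_second=10):
    space = keyspace(alphabet, length)
    p = p_guess_before_wipe(space, attempts_before_wipe)
    return {
        "keyspace": space,
        "p_guess": p,
        "exhaust_hours": hours_to_exhaust(space, guesses_per_second),
        "bucket": bucket(p),
    }


if __name__ == "__main__":
    cases = [("4-digit PIN, wipe after 10", ("digits", 4, 10)),
             ("4-digit PIN, wipe after 9", ("digits", 4, 9)),
             ("6-char password, wipe after 10", ("alnum", 6, 10))]
    for label, args in cases:
        r = assess(*args)
        print(f"{label}: p={r['p_guess']:.2e} bucket={r['bucket']} "
              f"exhaust={r['exhaust_hours']:.1f}h")
```

Tightening the wipe limit from 10 to 9 attempts cuts the PIN's guess probability by 10 percent, yet the bucket stays "high"; only the numeric column shows the change.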
Organizations that are serious about conducting risk assessments around mobile practices should be asking these questions around three major classes of risk, says Andrew Jaquith, chief technology officer at Perimeter E-Security.
"Mobile risk discussions should center around three areas of risk: technology, policy, and law," he says. "Companies have to address all three of them."
On the technology side, organizations should be thinking about how specific devices, settings, and network configurations affect the overall security posture of the IT infrastructure. In particular, organizations should be looking to measure and reduce risks around things like authentication, data access authorization, and encryption, Ford says.
"One of the important things in evaluating the risk is how is this application you're using in the mobile device and MDM storing credentials, which is the authentication piece of it," he says.
For example, organizations that depend on credential storage within the iOS keychain or Android Password feature could be opening themselves up to an elevated risk due to documentable weaknesses in these mechanisms, he warned. It's even an issue for those organizations that depend on MDM products, many of which depend on the keyring to enforce authentication policies, he says.
When it comes to assessing technology risks around mobility in general, Ford recommends organizations seek out NIST's "Guidelines for Managing and Securing Mobile Devices in the Enterprises," a document that's still in draft but nearly complete and can offer a good framework for deciding which risk factors to consider.
As for policy risks, enterprises need to think about how certain mobile policies will increase or decrease risk, be they policies around allowing employee-owned devices to access network resources, policies that restrict authorization of access based on the device it is coming from, or on-device policies that govern things such as screen lock and application use.
"Do you take your desktop security policy and just plop it right on to your mobile phone, using the same password policy and so forth?" Jaquith says. "Probably not. So there's a definite best practices side of the mobile risk story."
One potential best-practice angle that many enterprises may be forgetting is how their development practices introduce risks to the mobile application environment, be it through customer-facing or internal enterprise apps. If enterprises fail to measure the risk posed by insecure apps, they will have a hard time deciding how much to spend on secure development practices in the creation of these apps.
"One question to ask is what's the amount of risk management that's too much or not enough when you're building the apps," Jaquith says. "How much is too much in terms of effort and how much is inadequate?"
And, finally, risks around the law deal with issues not only around how mobile use affects compliance with regulatory mandates, but also privacy laws that could be tricky when trying to control BYOD.
"There's the legal risk to consider; what kind of legal environment are you in when you're entrusting company data on a personally owned device, and does that data become the employees' and expand their rights to it, for example?" he says, explaining that risk assessments need to consider how legal considerations may affect the kind of control the organization decides to assert over an employee-owned device.