Employees are bringing smartphones into the office in greater numbers and they expect them to connect to the company network, but experts say IT security professionals are hard pressed to ensure the devices don't pose an additional data leakage risk.
That trend, coupled with predictions that mobile attacks could pose a major threat in 2011, are prompting some experts to point to emerging technologies to protect the devices and the corporate data that flows through them. Smartphones and tablet computers, such as the Apple iPad, have a relatively small footprint and lack the CPU power and bandwidth necessary to apply traditional security technologies, says Winn Schwartau, a noted security expert who sits on the board of directors of Mobile Active Defense, a fledgling security vendor attempting to address corporate use of mobile devices.
"The early testing of how to exploit these devices is well under way," says Schwartau. "Now is the time to really start looking at how you are going to start locking these devices down because the devices are here to stay, the bad guys are here to stay and if you choose to reject the last 30 years of history, it's on you because the bad guys are coming."
Many of the technologies designed to protect mobile devices will focus on network-based security, says Patrik Runald, senior manager of security research at San Diego-based Websense. In addition to device encryption and the ability to wipe devices if they are lost or stolen, many IT security professionals are dealing with the multitude of mobile platforms by forcing corporate data to flow through a VPN, Runald says. The Apple iPad's executive appeal, coupled with the fact that company executives want to access corporate email and servers with the device, make it a prime target.
"I believe that sometime in 2011 we'll see a targeted attack using the iPad as the platform to get into the network," Runald says. "The iPad will be hit using a zero-day via a targeted attack and used to launch a much broader attack on a company network."
The potential threat has forced James Leeder, senior manager of information security at a Michigan-based manufacturing firm to limit access to corporate email and other servers from BlackBerry devices. But Leeder says his company usually takes a cautionary approach to new technology.
"No one has been asking to connect with other devices, but that's because they know the answer is going to be no," Leeder says. "We're not yet comfortable enough to go down that road."
Network security expert Marcus Ranum, CSO at Tenable Network Security agrees that it's only a matter of time before smartphones and other portable devices are used as a launching pad for an attack in the enterprise. An employee is going to lose an iPad and it's likely that some of the information they browsed to will be cached locally, says Ranum. "The big part of the problem is that a lot of these devices being produced don't have security features at all."
"Everyone asks why I'm so cynical and dark about this and I tell them that it's just a probability thing," Ranum says. "If you've got 4,000 employees and you allow people to carry work data around with them, you know that at the very minimum someone is going to lose it."
Companies are now supporting up to five different device platforms, making security policy enforcement difficult, says Ahmed Datoo, vice president of marketing at Fremont, Calif.-based mobile management company, Zenprise.
"It's not out of the question to say a CFO could be using a WiFi network at café to check revenue numbers of his company for that quarter," Datoo says. "All of a sudden the enterprise no longer has control of its security model."
Robert Westervelt is the news editor of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org