Mobile security threats come in many forms, and they are rapidly evolving. Many enterprises now have mobility at the center of their IT strategy, and it will serve you well to put new emphasis on your mobile device security strategy. In this two-part series, Craig Mathias explores the security threats to your mobile devices and offers suggestions for building the right mobile security toolkit to prevent them from doing harm.
Mobile device security threats
This is perhaps easier said than done, however. There are a good number of issues within mobile device security that require consideration which take on new relevance when the device of choice isn't a PC, but rather a handheld device. Today's smartphones really are PCs, with operating systems, storage, applications, and wireless access to enterprise networks. IT is actually replacing some of its users' PCs with a smartphone equipped with wireless broadband, a desktop-class browser, the ability to read and even edit office-suite files, and lots of storage for any kind of data. Getting the security element right the first time is more important than ever in this mobile environment.
Let's consider how mobile security threats figure in the world of smartphones by looking at a few common threats:
- Mobile malware and viruses: Given the complexity of modern mobile operating environments, the same criminal apps that we've seen for many years on PCs can now plague handsets. Fortunately (so to speak), the socially challenged techno-nerds that produce this nonsense have seen fit to focus mostly on Windows. But as mobile device platforms become more common, this threat is clearly real. And it's not just a question of platform stability – the real issue for the enterprise is theft of sensitive information. In this era of Sarbanes-Oxley, the challenge here should give pause to everyone, from users in the field to the CEO.
- Eavesdropping: Carrier-based wireless networks have good (but not, of course, perfect -- there is no such thing) link-level security, but, as is the case with PCs, end-to-end, upper-layer security is required for sensitive data. This means that data that an enterprise wants to protect should appear in the clear only to authorized users. Given that data on smartphones is seldom encrypted, and few actually secure (authenticate) access to their devices, this is another threat that needs to be taken very seriously.
- Unauthorized access: This isn't a problem unique to wireless, of course, but as an ever-greater number of enterprise users make access from the road their primary means of staying connected, careful attention needs to be paid to AAA – authentication, authorization, and accounting. But setting up this capability on smartphones can be daunting, and two-factor authentication, which we always recommend, is not widely available today. And yes, even firewalls and intrusion-prevention techniques are important on today's smartphones.
- Physical security: Finally, while many notebook computers are indeed lost or stolen every year, it's a lot easier to simply misplace a mobile device. Just for starters, hundreds of thousands of these have been left in the back of taxis around the world. A few unauthorized offshore phone calls could really irritate your CFO, to say nothing of the potential for the compromise of corporate secrets.
And all of these are further complicated by the double-duty personal/business use that is typical of today's smartphones. More often than not, in fact, enterprises allow -- perhaps most often by not explicitly prohibiting -- the use of personal devices for corporate functions. Since a personal smartphone isn't managed by the enterprise, it is clearly an invitation to trouble. As the saying goes, you can't manage what you can't secure, and you can't secure what you can't manage.
Fortunately, the tools for dealing with these threats are finding their way to the smartphone. Again, your work is never done when it comes to mobile device security, but it is possible to define and deploy the elements necessary to make handsets as secure as their PC counterparts. Next time, we'll look at the key classes of solutions to these mobile security threats.
Building the right toolkit for protecting your mobile devices
In the first section of this series on mobile device security, we looked at the key mobile security threats plaguing the highly mobile world and discovered, not surprisingly, that these are pretty much the same as we find in computing in general. The implication is clear -- you need strategies and tools that are remarkably similar to those you've been using on desktop and notebook PCs for some time. Let's review the key requirements for building your mobile device security toolkit and examine the solutions available.
- Viruses and malware: Antivirus software for the mobile device operating system (OS) is available from a few vendors today, but it's hard to recommend. Viruses aimed at the mobile OS are rare, and most mobile users take the "Macintosh" approach: "Hey, I've got a Mac, viruses are aimed at PCs, so the risk is low." That is in fact currently the case, but it's still best to educate your users in the basics here -- don't visit arbitrary websites, don't download anything that's not authorized by IT, and use mobile device management capabilities from your carrier or implemented within the enterprise to verify and control the configuration of your mobile devices.
- Encryption: Carrier networks have good encryption of the airlink in every case, but the rest of the value chain between client and enterprise server remains open unless explicitly managed. Always use a VPN connection when dealing with sensitive data. Since I'm a Web services guy, I'm personally partial to SSL as the preferred solution here, but there are many good mobile VPN strategies available. Ditto for file and volume encryption -- sensitive data should be available only to authorized users.
- Authentication and authorization: These requirements fit in nicely with the RADIUS or similar solution that you're already using (right?) for remote access. You might also look into obtaining -- or enabling (if your mobile OS is already equipped) -- firewall functionality, just as you already do on your laptops and notebooks.
- Physical security: Mobile devices will get lost; that's why authentication and encryption are so important. Mobile device management can handle the "phone home" or "remote wipe," depending upon your preference. But plan for device loss; it will happen much more often than you think it will.
Tying IT all together -- the key to any successful networking (or IT) operation is management. Mobile device management is rapidly gaining awareness and popularity, with a good number of vendors now providing solutions for both carriers and enterprises, and there are more on the way. The key is to extend operational, real-time network management out to the very edge of the network, even if that edge is a mobile device being used, for the moment, in rural Asia.
With all these options and requirements, where should you start in building the right mobile security strategy and arsenal for your organization? Believe it or not, the place to begin is with your carrier. Sit down with representatives from your carrier's enterprise or data groups, and outline your objectives. Carriers are actually strongly motivated to provide the most reliable services to their customers and of course to maintain the integrity of their own networks. Many have implemented anti-spam technologies, for example, at least in part to cut traffic loads on the precious bandwidth they provision. Many are also implementing mobile device management capabilities, provided as a value-added service to their customers. No carrier, of course, will have all of the pieces you need, and I recommend that file and network encryption and authentication be handled by the enterprise. We have a long way to go in terms of ease of use, but the pieces are indeed now falling into place. Within just a very few years, I believe, the mobile security solutions required by even the most demanding applications will be commonplace, and very cost-effective in the bargain.
A couple of final points: Make sure your security policy and acceptable use policy and your training, help desk, and support plans are up to date and appropriate to your workforce and mission. And it's a good idea to audit or otherwise spot check how well things are working on a regular basis -- as I said last time, when it comes to security, mobile or not, you've never done.
About the author: Craig J. Mathias is a principal with Farpoint Group, a wireless and mobile advisory firm based in Ashland, Mass. The company works with manufacturers, network operators, enterprises, and the financial community in technology assessment and analysis, strategy development, product specification and design, product marketing, program management, education and training, and the integration of emerging technologies into new and existing business operations, across a broad range of markets and applications.
Craig is an internationally recognized expert on wireless communications and mobile computing technologies and has published numerous technical and overview articles on a variety of topics. He is a well-known industry analyst and frequent speaker at industry conferences and trade shows, and he is currently a member of the advisory boards for the Interop (Las Vegas and New York) and Mobile Internet World conferences. Craig is also the program chair for the Mobile Business Expo (MBX) conferences. He serves as a monthly columnist for SearchMobileComputing.com and Computerworld.com and is an ardent blogger ("Nearpoints") for networkworld.com. He holds a Sc.B. degree in applied mathematics/computer science from Brown University.