Want to surreptitiously share your contacts with your competitors? There's an app for that. Need to covertly keep
tabs on your employees or spouse? There's an app for that. Looking to harvest passwords for mobile transactions? There's an app for that, too.
Kidding aside, with the growth of mobile application download sites, iPhone and BlackBerry users now have an unprecedented number of third-party applications available for their enterprise handhelds. According to a recent study from Jupiter Research Inc., mobile application downloads are expected to reach 20 billion annually by 2014. Network security pros will face mounting challenges from a rising tide of mobile apps touching private networks and information.
As mobile devices and third-party applications proliferate, they pose a number of security risks for the enterprise, most notably by serving as a platform for distributing malware and for gaining unauthorized access to private information. Since IT shops already report mounting internal pressure to integrate and support third-party apps, their options for defending against the related threat vectors are constrained.
"There's no question that as these devices proliferate that there are going to be people wanting to do nasty things -- affect the device, get into the network, steal data, spread malware," said Jack E. Gold, president and principal analyst at J. Gold Associates LLC, a technology research consultancy in Northborough, Mass.
Many third-party mobile application downloads can quickly compromise enterprise security. Apple already offers apps that pull data directly from enterprise applications, including SAP, Oracle and other sales force automation tools. This rapidly changing landscape requires vigilance in both policy and technology.
Gold points out that focusing solely on policy is difficult unless there is an automated policy-management system in place, such as the Unwired Platform from Sybase Inc. or Mobile Management from Symantec Corp., for actively monitoring policies on each phone. However, these products can be costly and complex to implement.
"It's easy for a company to say these are the devices you are going to use, and you will only have these applications on the device. The problem with that is you are limiting the end user's choice and, ultimately, productivity. There aren't any absolutes, and there are a number of variables that are really limited to the individual organization. If the CEO comes in and says, 'I want this', then you either give it to them or you go find another job. It's a balancing act," Gold said.
To maintain better control over wireless devices, organizations often choose to deploy their own IT-configured smartphones. This is a time- and cost-intensive undertaking, but for enterprises that deem employee mobile device usage a high-risk activity it makes it much easier to enforce policies governing the installation and use of third-party apps. Mobile device "hardening" follows the same principle as in the wired world: unnecessary services, or those that pose a significant risk, should be turned off, disabled or uninstalled.
Larger organizations, such as Kraft Foods Inc., are deploying smartphones and mobile devices in record numbers. Mark Dajani, senior VP of GIS at Kraft, understood that employees were increasingly utilizing smartphones, regardless of corporate IT policy, so his department not only provided iPhones to key employees, but also chose to support personally owned devices.
Dajani took the initiative by providing in-house apps -- email, calendar and contacts -- and having users connect directly to Kraft's Microsoft Exchange Server. Not only did this choice give employees access to corporate information, it also enabled enterprise-grade security: to reach corporate assets, users must authenticate before touching networked resources. Instead of wasting resources trying to keep individual mobile devices at bay, Kraft chose to focus that energy on support rather than prevention.
Thwarting mobile device application threats
The Center for Internet Security has created the Security Configuration Benchmarks, a set of consensus best practice security configuration standards that covers mobile devices, such as the iPhone, and the variety of third-party apps that they support.
At the base level, CIS advises organizations to be "practical and prudent" in policies regarding mobile application security and how users are allowed to use such applications to interact with the network and its data. For instance, Apple has made it much easier for users to configure the iPhone to access corporate email and other back-end systems, like CRM and ERP, creating a scenario in which sensitive corporate data could leak out of the enterprise without proper controls. Most of the benchmark's recommendations mitigate this type of leak. Passcode settings, for example, offer strong protection against data loss from a lost or stolen device, through features such as "Required Passcode," "Auto-lock Timeout" and "Erase Data Upon Excessive Passcode Failures."
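The passcode and app-installation settings above are exactly the kind of thing an IT-configured handset gets through an iPhone configuration profile (a .mobileconfig plist). The following is an added example, not code from the article, CIS or Apple: it builds a profile containing a passcode-policy payload and a restrictions payload, then audits an arbitrary profile against a set of thresholds. The payload types (`com.apple.mobiledevice.passwordpolicy`, `com.apple.applicationaccess`) and keys (`forcePIN`, `maxInactivity`, `maxFailedAttempts`, `allowAppInstallation`, and so on) are Apple's documented profile keys; the numeric thresholds, the organization name and the two sample policies are assumptions chosen for illustration, not values quoted from the CIS benchmark.

```python
"""Build and audit an iPhone configuration profile (.mobileconfig).

Added example; not from the article, CIS or Apple. Payload types and keys
are Apple's documented configuration-profile keys. Thresholds and sample
policies below are illustrative assumptions, not CIS benchmark values.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Assumed audit thresholds (illustrative, not the benchmark's own numbers).
MAX_AUTOLOCK_MINUTES = 5
MAX_FAILED_ATTEMPTS = 10
MIN_PASSCODE_LENGTH = 6


def _payload(ptype, ident, **content):
    """Wrap a payload dict with the common Payload* keys every payload needs."""
    base = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": ptype,
    }
    base.update(content)
    return base


def build_profile(passcode, restrictions, org="example.com"):
    """Return a .mobileconfig (XML plist bytes) with a passcode policy payload
    and a restrictions payload. 'org' is an assumed organization name."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.mobile-policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile app security policy (example)",
        "PayloadOrganization": org,
        "PayloadContent": [
            _payload(PASSCODE_PAYLOAD, f"{org}.passcode", **passcode),
            _payload(RESTRICTIONS_PAYLOAD, f"{org}.restrictions", **restrictions),
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Parse a .mobileconfig and return a list of findings (empty means it
    meets the assumed thresholds). A missing payload or key is a finding,
    because an absent setting leaves the device at its permissive default."""
    profile = plistlib.loads(data)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []

    pc = payloads.get(PASSCODE_PAYLOAD)
    if pc is None:
        findings.append("no passcode policy payload")
    else:
        if not pc.get("forcePIN", False):
            findings.append("passcode not required (forcePIN)")
        if pc.get("minLength", 0) < MIN_PASSCODE_LENGTH:
            findings.append(f"minLength below {MIN_PASSCODE_LENGTH}")
        if pc.get("allowSimple", True):
            findings.append("simple passcodes allowed (allowSimple)")
        inactivity = pc.get("maxInactivity")
        if inactivity is None or inactivity > MAX_AUTOLOCK_MINUTES:
            findings.append(f"auto-lock timeout missing or above {MAX_AUTOLOCK_MINUTES} min (maxInactivity)")
        attempts = pc.get("maxFailedAttempts")
        if attempts is None or attempts > MAX_FAILED_ATTEMPTS:
            findings.append(f"erase after failed attempts missing or above {MAX_FAILED_ATTEMPTS} (maxFailedAttempts)")

    rs = payloads.get(RESTRICTIONS_PAYLOAD)
    if rs is None:
        findings.append("no restrictions payload")
    elif rs.get("allowAppInstallation", True):
        findings.append("third-party app installation allowed (allowAppInstallation)")
    return findings


# Constructed sample policies: a permissive one and a hardened one.
WEAK_PASSCODE = {"forcePIN": False, "maxInactivity": 15}
WEAK_RESTRICTIONS = {"allowAppInstallation": True}
HARDENED_PASSCODE = {
    "forcePIN": True,
    "allowSimple": False,
    "minLength": 6,
    "maxInactivity": 2,       # minutes of inactivity before auto-lock
    "maxFailedAttempts": 10,  # erase data after this many wrong passcodes
    "maxGracePeriod": 0,      # passcode required immediately after lock
}
HARDENED_RESTRICTIONS = {"allowAppInstallation": False}

if __name__ == "__main__":
    for label, pc, rs in (("weak", WEAK_PASSCODE, WEAK_RESTRICTIONS),
                          ("hardened", HARDENED_PASSCODE, HARDENED_RESTRICTIONS)):
        print(label, audit_profile(build_profile(pc, rs)) or ["OK"])
```

The audit treats an absent key the same as a weak value; in practice that is the common failure, since a profile that simply omits `maxFailedAttempts` or `allowAppInstallation` leaves the phone at its default of no wipe and unrestricted installation. The audit function can be pointed at any exported profile to check it before it is pushed to handsets.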
Another potential threat vector is the device's Wi-Fi radio and location services (GPS), on which many apps rely. CIS offers explanations and instructions on how to configure devices so these services are turned off when they are not needed.
Yet the reality is that today's wireless devices can exchange data over the air with greater ease than ever before. For instance, there are numerous third-party apps that allow for the wireless transfer of files from a PC or laptop to a mobile device. Someone looking to swipe a file from the network no longer needs to plug in a USB drive to grab sensitive data.
To reduce the risk of remote attacks on mobile devices through networked apps, devices such as the iPhone can be set to disable all of their radios at once, a setting referred to as "Airplane Mode." When engaged, the GPS receiver is turned off and all wireless signals (Wi-Fi, Bluetooth and cellular) are blocked. It is a blunt control, since the device then cannot receive legitimate traffic either, so it suits idle or high-risk periods rather than everyday use.
Users can also be encouraged to configure employee-owned devices so they don't automatically join any available Wi-Fi network. This setting doesn't necessarily hamper access to enterprise apps such as email or the browser, since both connect readily over cellular, but it does reduce the chance that a device attaches to an untrusted hotspot and is left exposed to attackers.
Other organizations delving deeper into the mobile realm secure mobile device applications with third-party products. In the latest iPhone firmware release, there's now support for Cisco Systems Inc.'s VPN as well as Microsoft Exchange. However, IT shops need more options to leverage existing security infrastructure against unauthorized, potentially dangerous mobile apps that also touch corporate networks. Trust Digital Inc.'s enterprise mobility management (EMM) software support for the iPhone, for example, allows IT to manage and secure iPhones from a centralized management console.
"There's always that 3-5% of users that causes havoc, but IT professionals now have more options for securing mobile devices against risks from the growing number of third-party apps than previously," Gold said.
About the author:
Sandra Kay Miller is a technical editor for Information Security magazine with 15 years of experience in developing and deploying leading edge technologies throughout the petroleum, manufacturing, luxury resort and software industries, and has been an analyst covering enterprise-class products for 10 years.