Mobile devices are spreading to every corner of our lives, even creeping into the enterprise. With cyberthreats evolving and multiplying, this creates a whole new challenge for IT to manage. Combine that with the range of products available, and the problems start to compound. Once upon a time, an organization could deploy a standard smartphone, for example a BlackBerry, and manage it with its own tools and even secure it by the same means. Laptops were company-issued and managed pretty much like PCs, with the exception of mobile access to corporate systems and messaging. This was a fairly controllable world, but that is quickly going away.
Let’s start with laptops. There are many different variants out there, such as netbooks and Macs. It is inevitable that employees will start to carry and use a device of their own choice. In one example, despite having standard-issue laptops deployed to them, doctors at a series of hospitals have started bringing their own Mac computers into the environment to use for work purposes. Others have started bringing iPads and other tablet-like devices. Faced with unhappy, unproductive employees, IT has started to veer towards unofficially supporting these devices and, beyond that, almost any device that comes onto the network. The reasons are many.
Other organizations may initially have a policy to put a stop to outside devices, but the burgeoning advances and advantages are undeniable. Resisting the wave of mobile devices is a giant undertaking because there are valid reasons for many of these devices. It can also be argued that the task of restricting them, with all its difficulty, is very much like a winding, unending road. A different approach needs to come into play.
Going back to smartphones, that topic is covered extensively here at SiliconAngle. There are so many devices that vetting, supporting and deploying all of them are monumental tasks, requiring so many resources that they further support the need to restrategize mobility in the enterprise environment. Some of the leaders among just the basic smartphone platforms are Microsoft’s Windows Phone, BlackBerry, Android, iPhone, and Palm. That does not even touch on all the hardware platforms involved. In many cases, employees simply go and purchase the device of their choice, on the network of their choice, on the platform of their choice.
One big change is that many of these devices are personal devices. This is an essential shift in the traditional model of company-deployed gear. Many more applications are now web-based. Many more systems are now available at home, on the run, or in a remote office. Many more people are telecommuting as part of their regular schedule. Like it or not, the personal device has seeped into the paradigm of the IT infrastructure. And depending on the approach, it can be an opportunity as opposed to a challenge.
Critical enterprise planning must address the scope, strategy, management, and security of these devices. There are a number of significant risks from a security perspective. A compromised device can cause major headaches for an organization, such as a lost or stolen phone that a nefarious tinkerer may be able to dump information from. This could include intellectual property, emails, passwords and more. Another example is malware that is able to capture the screen on any number of devices. If financial or health data is on that device, that alone could constitute a serious violation that could cost the company millions. In one example, a recent post on the Freedom to Tinker blog described a number of security issues with an Android smartphone. Using a sniffer running Wireshark and Mallory, author Dan Wallach describes the results in the following summary:
- Google properly encrypts traffic to Gmail and Google Voice, but they don’t encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
- Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn’t really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
- Facebook does everything in the clear, much like Twitter. My Facebook account’s web settings specify full-time encrypted traffic, but this apparently isn’t honored or supported by Facebook’s Android app. Facebook isn’t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook’s server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.
- The free version of Angry Birds, which uses AdMob, appears to preserve your privacy. The requests going to the AdMob server didn’t have anything beyond the model of my phone. When I clicked an ad, it sent the (x,y) coordinates of my click and got a response saying to send me to a URL in the web browser.
- Another game I tried, Galcon, had no network activity whatsoever. Good for them.
- SoundHound and ShopSavvy transmit your fine GPS coordinates whenever you make a request to them. One of the students typed the coordinates into Google Maps and they nailed me to the proper side of the building I was teaching in.
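The kind of review summarized above can be automated over proxy or capture logs. The following is an added example, not code from the Freedom to Tinker post: it flags cleartext requests, credentials sent in cleartext, and fine-grained coordinates in query strings. The hostnames, header names, parameter names and sample records are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records (method, URL, request headers); not real traffic.
SAMPLE_FLOWS = [
    ("GET", "https://mail.example.test/inbox", {"Cookie": "sid=abc"}),
    ("GET", "http://calendar.example.test/feeds/default",
     {"Authorization": "Bearer tok123"}),
    ("POST", "http://social.example.test/api/post", {"Cookie": "session=xyz"}),
    ("GET", "http://ads.example.test/ad?model=phone-x&x=120&y=44", {}),
    ("GET", "http://lookup.example.test/search?lat=29.717154&lon=-95.401830", {}),
]

# Assumed names; extend these sets for the apps actually under review.
CRED_HEADERS = {"authorization", "cookie", "x-auth-token"}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
# Decimal degrees with 4+ fractional digits place a device within roughly 11 m.
FINE_COORD = re.compile(r"^-?\d{1,3}\.\d{4,}$")

def audit_flow(method, url, headers):
    """Return a sorted list of findings for one request."""
    parts = urlsplit(url)
    cleartext = parts.scheme.lower() == "http"
    findings = set()
    if cleartext:
        findings.add("cleartext")
        # A session cookie or token on plain HTTP can be replayed by an eavesdropper.
        if CRED_HEADERS & {name.lower() for name in headers}:
            findings.add("credential-in-cleartext")
    for key, value in parse_qsl(parts.query):
        if key.lower() in LOCATION_KEYS and FINE_COORD.match(value):
            findings.add("fine-location-in-cleartext" if cleartext else "fine-location")
    return sorted(findings)

def audit(flows):
    """Map each host to the sorted union of findings across its requests."""
    report = {}
    for method, url, headers in flows:
        host = urlsplit(url).hostname
        report.setdefault(host, set()).update(audit_flow(method, url, headers))
    return {host: sorted(found) for host, found in report.items()}

if __name__ == "__main__":
    for host, found in audit(SAMPLE_FLOWS).items():
        print(f"{host:28} {', '.join(found) or 'ok'}")
```
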
A proper approach means an all-encompassing view of the IT infrastructure, including the aspect of mobility. A comprehensive analysis of an organization’s services, structure, applications, and risk must be aligned with the power that mobility brings. Accommodating multiple devices inside and outside the enterprise is a critical strategy point. What results is a change in approach: at one time the device itself was the thing to protect, but now the curtain is pulled back and we can all see the Wizard for what it is. The enterprise must approach this monster by protecting the data and branching out the strategy from there.
Current methods include a range of security tactics. Multi-layer authentication, encryption methods, endpoint security, VDI, and several other technologies can and should be implemented in any scenario possible. It very well could be that a certain type of device, such as a “rooted” Android phone or a “jailbroken” iPhone, cannot be trusted to open certain applications. There are ways to deal with that. One interesting technology that deals with a number of these security and management issues is Good Technology. Through it, a growing number of organizations have come to a manageable existence with mobile technology in terms of management and security.
Another important aspect of mobility is user awareness. There are many phishing scams and rogue applications that, as described in the Freedom to Tinker post, are able to disclose data that you should probably think about before sharing. That also brings up training. Training your user base on proper security practice, compliance with regulations, proper reporting of lost or stolen devices, and so on marks a significant part of a strategy for mobility in the enterprise.
As an IT department, you must start by identifying and tiering your data in terms of risk, delivery, and user experience. This, along with a proper understanding of the growing world of personal devices, is one of the most significant challenges to IT in the enterprise today. With a solid approach and the right technology, enterprise mobility becomes a significant advantage because of its inherent flexibility and reach into all our lives. Having a well-thought-out mobile strategy plan is a significant business advantage to any organization.