The Consumerization of IT: Preventing a Security Nightmare
We are living in an always-on, always-connected society, where mobile phones have gone from merely a portable telephone to an all-powerful communications device. Consumers are taking to smartphones and tablets because they appreciate the intuitive and user-friendly way these advanced products deliver access to the Web and communications services. For most of us, it would be hard to imagine life without the instant ability to find information, communicate, access entertainment and social networking sites, pay bills and more.
Unfortunately, many of today's most popular mobile phones and tablets weren't designed from the start as business tools and therefore do not offer a level of security comparable to present-day desktop and laptop computers. What is more, the way these devices are used blurs the line between personal and business usage and behavior, and this will only continue as cheaper, more powerful devices become available. The potential risks include misuse of the device itself, outside exploitation of software vulnerabilities and the deployment of poorly tested, unreliable business apps. In terms of business usage, the question of who owns the device can also have legal ramifications for mobile device management and the remote wiping of devices should the need arise.
Concerns about security breaches, IP theft and data loss demonstrate that a strategy for addressing mobile devices in the workplace is essential. By putting the right business practices and usage policies in place now, businesses will benefit greatly from the flexibility, increased productivity and reduced costs that mobile devices can bring to today's workplace, while minimizing exposure to potential security risks. Time is critical and businesses need to formulate a response to the growing trend of mobile devices in the workplace with a sense of urgency.
The Information Security Forum (ISF) has conducted detailed research on the "Consumerization of IT" and as a result, we are able to offer real-world guidance on the challenges and solutions, as well as an overview of the consumerization trend and how businesses can plan a response.
We've broken down consumer mobile security on devices in the workplace into four useful components:
With no control over consumer devices, there is little or no visibility of usage and penetration, and poor knowledge of ownership, support requirements, adherence to policies or compliance. In addition, consumer mobile devices and apps are typically sourced from a wide variety of unapproved, non-corporate suppliers, with limited attention paid to service provision contracts.
Businesses need to create a framework for ensuring correct and consistent mobile device security assurance. This involves getting an understanding of the extent of mobile device penetration and identifying the different device user groups, their requirements and the attendant risks. They then need to agree upon a device provision mechanism, define policies around ownership, corporate access and acceptable use and identify any statutory requirements.
With no control over consumer device working practices, users are free to combine work and personal tasks and data, with the risk of working in unsuitable locations and exposure to loss and theft. Users can potentially misuse or abuse the device through jail-breaking or disabling security features. They might also copy data to removable storage devices, or use the device for making inappropriate calls, or for downloading and sending offensive or inappropriate content. Backing up business data along with personal data to insecure or inappropriate locations could easily present a security risk.
Businesses need to ensure employees are aware of what constitutes good working practice for mobile devices. As well as making consumer device security an integral part of awareness campaigns, businesses should also create an Acceptable Use Policy which their employees must sign. In addition, businesses should consider monitoring device usage and enforcing policy through disciplinary or financial sanctions.
Left unprotected and unmanaged, consumer devices are exposed to a range of information security threats. These include exploits by malware targeted at the device's operating system or apps, unauthorized connections, exploitation of software vulnerabilities by malware that exposes data or causes unexpected behavior, and compromise or irrecoverable loss of data.
Businesses must put technical solutions in place for securing access to mobile devices and their content. This includes enabling or installing functionality such as malware protection, firewalls and storage encryption, enforcing complex passwords and enabling remote maintenance, upgrades and device wipes through a Mobile Device Management (MDM) system.
4. Applications and Data
Most applications on consumer mobile devices will have been purchased or downloaded from an app store or software vendor. In many cases the provenance of the apps is unknown, and they are unlikely to have undergone formal software development and testing or to be provided with proper documentation and an upgrade regime. The apps may also lack activity reporting and logging, and typically provide poor data protection.
Businesses need to make sure that apps used for business, and the types of data they are able to access or generate, are appropriate and properly tested. This might include going as far as developing apps in-house and building an organizational app store. This way, apps could be thoroughly tested and secured against malware infection or attack. Businesses could also implement data classification to set limits on the type of data that can be accessed or generated by users on consumer devices.
Obviously, no mobile device will ever be 100 percent safe. Businesses cannot afford to stand still and allow mobile device adoption to run its own course as it will create new attack vectors and potential vulnerabilities in corporate networks. Businesses need to stay one step ahead on all of the latest trends, mobile devices and related security risks. By putting in place the right working practices, usage policies and management tools, businesses can benefit from the advantages that these devices can bring to the workplace while minimizing exposure to potential security risks.
Steve Durbin is global vice president at the Information Security Forum.