October 23, 2009 • Vol.31 Issue 26
Page(s) 6 in print issue

Tightening Mobile Security
Lock Down Employees’ Devices Beyond The Firewall

Key Points

• Mobile devices should be locked down as much as possible, and most protection should largely remain transparent to the user.

• Outline the costs of implementing a security plan vs. the risks associated with compromised data to demonstrate why the investment in data protection makes sense.

• The IT department should constantly be able to maintain tight control over mobile applications.

Love them or hate them, users want their BlackBerrys, iPhones, and other smart mobile devices, especially when they are on the road. Because these devices are increasingly used to send and receive sensitive data and are linked to the enterprise network, they add that many more potential vulnerabilities to worry about. Making sure that mobile devices are secure should thus be part of the overall security plan for the enterprise’s LAN.

“Organizations need to approach wireless device security in a manner similar to how they approach security for wired components but also recognize the inherent differences between a desktop computer and a smartphone,” says Scott Totzke, vice president of the BlackBerry security group for RIM (www.rim.com).

Although security is never easy, here is a look at some simple approaches to take to help keep mobile data from being lost, stolen, or otherwise compromised.

Balancing Act

Obviously, the safest solution to mobile security is to ban the use of smartphones and other devices for work-related use. But this approach is not feasible, of course, given how users increasingly pack anything from PowerPoint presentations to contact information to emails on their handhelds as they do business outside of the enterprise. Users thus need to be aware of the security risks and what they must and must not do before their smartphones are switched on. Yet, too many restrictions and complicated instructions might go unheeded, especially if security guidelines disrupt workflow.

“With wireless devices, it’s especially important to remain conscious of how the security features will affect the end-user experience,” Totzke says. “While it’s important to implement policies to address concerns around data encryption and malware protection, security policies shouldn’t become so invasive that they take away from the value of deploying the mobile technology.”

For example, although encryption is vital protection for data communications, it is also necessary to weigh how practical the different encryption options are before putting them into use. “It is unrealistic for IT to deploy IPsec clients on every employee, partner, and contractor mobile device,” says Greg Maudsley, senior manager of product marketing for Juniper Networks (www.juniper.net). “However, using SSL VPN, users just need a smartphone Web browser and the security solution should figure out who you are, where you are, and the health of the device you are using.”

Ideally, mobile security should employ Layer 2 through Layer 7 infrastructure-based enforcement. “[This security protection] should follow mobile users wherever they go,” Maudsley says.

The Cost Factor

Security for mobile devices costs money, which can pose yet another hindrance to putting a plan in place. According to research firm Gartner, the average endpoint-protection solution for mobile data devices retails from $120 per user for 250 seats to $90 per user in the 1,000-seat range.

However, an investment in mobile security is a reasonable price to pay compared to the costs of a security breach. For a company that sees $12 million in revenue per year, the costs when 10,000 new business records are compromised can easily total $1.32 million in reporting, containment, and other costs, Gartner says.

“As smartphones have become the new laptop, the risks and costs—financial and reputation-wise—of proprietary information being lost have soared,” says Mitch Berk, director of product management at BoxTone (www.boxtone.com). “So enterprises must make their primary focus the security of their mobile data.”

Mobile Computers Are Computers

The traditional workstation security model can be applied to mobile devices—to a certain extent. Managing mobile security involves approaches that combine traditional LAN-based practices with those that are specific to mobile devices, says Ruggero Contu, an analyst at Gartner.

“You need to really take a common-sense approach by removing potential vulnerabilities,” Contu says. “Mobile devices are becoming more and more like mini-PCs, which means that you need to keep them properly configured and [make sure] security patches are installed so vulnerabilities are minimized.”

Take Control

The nightmare scenarios are enough to keep any admin awake at night, from lost devices carrying sensitive customer information that fall into the wrong hands to a hijacked iPhone that serves as a portal for a criminal to get behind the firewall. But like any workstation or server behind the firewall, mobile devices should be managed tightly with monitoring and other applications so that the admin remains in control as much as possible.

“Start with tools that monitor not just the security, health, and performance of the mobile infrastructure, but the security, health, and performance of each individual mobile device. A single slip in security can lead to significant legal, regulatory, and reputational headaches,” BoxTone’s Berk says. “Ultimately, the benchmark is to know, for each and every mobile device under management, whether it’s being used for its intended purpose and performing as it should.”

Every mobile device should be locked down with a software-generated security key that users must type for the mobile device to work, and admins should also be able to shut mobile devices down remotely in case they fall into the wrong hands.

“The IT manager has to know that the mobile end point is password-protected and has a link so it can be killed remotely if it’s stolen so that something zaps it when it connects,” says Roger L. Kay, founder and president of Endpoint Technologies Associates (www.ndpta.com). “IT gets extremely disturbed if it cannot reach or manage assets for which it is responsible.”

Besides how much direct control the IT department has over mobile device authentication, encryption, and endpoint posture, mobile security management is also “about real-time threat defense,” Juniper’s Maudsley says. “If anomalous activity is generated from a mobile device, the solution should take action against the user and device in real time, without human intervention.”

by Bruce Gain


Top Tip: Mobile Security Should Involve A New Approach

Effective mobile security means not only adopting new policies, but changing one’s mindset about security in general, says Greg Maudsley, senior manager of product marketing for Juniper Networks (www.juniper.net). “In the old world, security was port-based and policies were largely determined by the physical location of the user/end point,” Maudsley says. “That approach is no longer viable. Today’s network security must be identity-aware. It’s not about where you are, it’s about who you are and the fact that your authentication policies, application access policies, acceptable-use policies, and network access policies must follow you everywhere you go.”

Copyright © by Sandhills Publishing Company 2010. All rights reserved.