Reducing risk in a post-BlackBerry world

Raimund Genes asks, If even Obama's ditching the BlackBerry, what hope does the IT department have?

Reducing risk in a post-BlackBerry world
Reducing risk in a post-BlackBerry world

Earlier this year the Wall Street Journal reported that the White House was actively testing Android-based handsets from LG and Samsung for use by the Obama administration. Now, senior government remains one of the last strongholds for BlackBerry – a sector where the security of device and communications is paramount – so such a loss would be a huge symbolic blow for the firm. But it would also be a sign that consumerisation is sweeping now even into the hallowed halls of power; a further sign if any were needed that the balance has very much shifted today from IT department to user.

In the end a White House spokesperson hastily denied reports it was in any kind of testing programme for non-BlackBerry devices. But elsewhere in government departments and boardrooms around the world you can be sure the influence of the Canadian smartphone-maker is waning, almost in tandem with that of the IT boss. Employees are dictating what devices they want to use and organisations are being forced to let them.

Allowing staff to use their own device at work makes sense from a TCO point of view – removing not just the outright cost of the phone but also tech support, maintenance and repair and any other corporate expenses. But it also means happier, more productive staff – an almost unquantifiable but equally important benefit. Security comes way down the list of priorities. If it were number one, Android phones would never even be allowed at work.

Malicious mobile apps have reached two million since tracking began in 2004, and passed the one million mark just six months ago, with the vast majority belonging to the Android platform, according to Trend Micro research. Android's open ecosystem is its Achilles heel. Unlike iOS, BlackBerry and Windows Phone it's incredibly easy to write apps for the platform, but also to repackage existing ones with added malware. It's as simple as getting an app's manifest file, adding a different module, compiling it and uploading the new version to an online store.

Yet while its openness is a major weakness, it does give Android an advantage over the other platforms in that you can buy and install third party security software on it. Apple is notoriously inflexible and won't grant security firms access to the kernel. So too, Windows Phone and BlackBerry – although the latter is using Trend Micro to scan Android apps, now that they're allowed to run on BlackBerry OS. You may argue that the inherently superior security built-in to these other platforms removes the need for a third party tool, which to an extent is true. But for those who want more transparency and control over their mobile security environment, Android could prove a better option.

Sadly, that's about where the Google platform's superiority ends. Hardware compatibility problems mean it can be extremely difficult to get the latest and most secure versions of Android (4.X) running on a phone from one of Google's partners produced even one to two years ago. If you think about it, there's no incentive for these hardware makers to get a patch out to your device quickly – they're more focused on getting you to buy a new device.

Contrast this with the closed, controlled iOS ecosystem where patches fly out promptly from Cupertino and new features stimulate the majority of users to download the latest version of iOS as soon as it's available. As far back as November 2012, even the UK government information assurance arm CESG gave the green light for iOS6 device use for data categorised as Level 1-3, with Level 6 the maximum security rating.

The truth is that if you're running Android you'd better budget for additional security, or force your users to do so as part of risk profiling before they can access the corporate network. That's not to say that Google isn't listening to the industry and 4.X does include some security enhancements including on device encryption. However, it's baseline technology which will only offer users a limited level of protection.

A more advanced option being trialled by some early adopters at the moment involves IT investing in a virtualised Android server set-up. This allows employees to log-on to corporate controlled virtual Android sessions during work hours, thus keeping work and leisure ‘profiles' on the device completely separate and secure.

It's another option at least. We need to accept that security isn't a primary focus for users in today's BYOD world – if it was, your employees wouldn't be so ashamed to be seen using a BlackBerry. All we can do in the meantime as IT professionals is work within these constraints and enhance the mobile environment as much as possible with the right security tools and policies.

Contributed by Raimund Genes, CTO, Trend Micro