High-spec, high-power and highly compact mobile phones are claiming their place as an alternate mode of enterprise computing. While it's clear that we're not going to get rid of the laptop quite yet, in many instances there's a lot more convenience in using a mobile phone — from web browsing and database transactions to accessing your email and calendar. The mobile phone is right there in your hand and the right tool for the job. While mobile independence has liberated many workers from the confines of traditional PCs, the drawback is that, without appropriate controls, there are some very significant risks.
A study of IT security professionals from Credant Technologies found that a staggering 94 per cent believe that mobile devices pose more of a security risk than mobile storage devices or laptops. This risk is two-fold. The most obvious part is that users do not tend to be as careful with their mobile devices as they are with their laptops. The second and more worrying part is that security solutions and policies are simply not as pervasively deployed on mobile devices as they are on laptops.
More than a decade of R&D has gone into securing PCs and laptops and these security technologies are now commonplace across the enterprise. It's reasonable to assume we can apply the same experience to securing our highly portable smart mobile devices. However, simply porting PC-style security to the wireless arena ignores the very small form factor, extreme portability and vastly different usability expectations that are unique to wirelessly connected mobile devices. Mobile security must encompass a range of capabilities and cross just about every device type and platform.
An obvious example is connectivity. Some of the most prevalent mobile viruses and worms such as Cabir and CommWarrior have used an unprotected Bluetooth connection to get into and spread across mobile devices. Likewise, industry experts are saying that the iPhone, Android, and mobile devices with WiFi, WiMAX, LTE or other broadband capabilities will undoubtedly be rich targets for malware and viruses in the coming years. Hence security professionals should establish and enforce policies that restrict access to these functions under certain circumstances, or at least ensure that users are aware their devices are at risk.
Users still need enterprise-supported backup and restore capabilities, but unlike PCs, mobile devices are, for the most part, always on. Making people turn their BlackBerry or smartphone off for any length of time, or worse, making them leave the device behind at work for service, is tantamount to asking if you could chop their hand off.
This does not mean that the security R&D done in the PC/laptop arena is irrelevant to mobile. There is a case for extending some of that experience into mobile devices, as long as care is taken to ensure that the user experience is not negatively affected. For example, as with PCs or laptops, there's a need to enforce the use of “strong” device passwords for unlocking idle phones. Similarly, IT organisations need to be able to distribute, configure, activate and update files for critical security capabilities (encryption, antivirus, etc.). However, in the case of mobile devices, this will need to be done over the air, in many cases silently (with no user interaction) and when the device is in an area of good coverage. In addition, IT staff need remote access to device settings, state and software information so that when something does go wrong, they can resolve problems quickly and accurately, over the air.
There are also security needs that are unique to mobile devices. For example, IT organisations need a way to implement policies for locking and/or wiping high-risk content from mobile devices, as well as for barring or removing unauthorised applications and files. The real trick lies in finding a middle ground, leveraging the R&D done in the PC/laptop arena while keeping the unique needs and the requirements of the mobile device in mind.
Some mobile operators recognise the unique needs of enterprises for robust security and management capabilities, and that most companies need direct control of these capabilities. These operators are offering robust mobile security and management capabilities as managed service offerings using a software-as-a-service model to give IT organisations complete control over the enterprise's mobile assets without adversely affecting the productivity of mobile employees. Working alongside these mobile operators on security and management capabilities that match your specific needs can ensure that the doors aren't closed on employee productivity.
- Matt Bancroft, vice president, Mformation