By Brian Albright, Field Technologies magazine
The rapid expansion of mobile devices is opening up new security vulnerabilities in the enterprise.
Mobile devices are proliferating in the enterprise, and potential mobile security threats are expanding right along with them. According to Mahesh Makhija, VP of financial services and global head of cards and payments at Infosys, the most common mobile security threats come through text and voice spam, electronic eavesdropping, spyware that can capture mobile data and voice conversations, and cloned phones that can masquerade as approved devices on the network. “The mobile market is not mature enough or streamlined enough to handle virus attacks when compared with traditional PC security,” Makhija says.
At the same time, many companies have allowed employees to bring their own devices into the enterprise under less restrictive policies when it comes to accessing corporate data. “Mobile computing has introduced the concept of self-service, which is an alien concept in the traditional desktop computing environment,” says Carl Rodrigues, president and CEO of SOTI. “Mobile users frequently access unsecured public networks and public application stores, resulting in an explosion of malware.”
According to the vendors interviewed for this story, BlackBerry devices generally provide higher levels of security because they are a “closed” platform. Apple’s iOS is also more rigorously policed by the company. Windows and Android present more vulnerabilities because they are more widely used and subject to more virus attacks. Regardless of platform, all mobile devices present inherent security challenges: Devices can be easily lost or stolen, they communicate over wireless networks that may or may not be secured, the devices may not be authenticated, and users may expose smartphones and other devices to malware when using them for nonenterprise activities. Even rugged devices with Internet connectivity or payment processing capabilities can pose a problem when it comes to securing data.
Mobile Security Has Many Components
“It’s important to analyze each device’s exposure to risks to understand where critical data and systems are and who has access to them before enforcing policies,” says Taylor Smith, director of product management at Honeywell Scanning & Mobility. A successful mobile security strategy involves a variety of components that can include device-level security, intrusion detection systems, and a mobile device management (MDM) and security management platform. Other tools that may be involved in securing mobile data include telecom expense management (TEM), network access control (NAC), data loss prevention (DLP)/rights management, document storage, and managed services for the procurement, deployment, support, repair, replacement, and recycling of devices.
Implementing an enterprise mobility management solution as an additional layer that protects mobile assets can manage the vulnerabilities inherent within the various platforms now available. One capability to look for is the ability to segment users based on the type of device they are using. “In this way, you may have users with limited access to company data and modest support, up to executives and management with varying access to sensitive company information with richer user experience and a higher level of support,” says Marco Nielsen, VP of services at Enterprise Mobile.
Lines Blur With BYOD
The emergence of the bring your own device (BYOD) has left many IT departments struggling with device management and security issues. “The challenges of providing IT as a service anywhere and anytime to a variety of users and devices in real time can detract from the benefits of BYOD,” Rodrigues says. “A device management solution enables seamless management of all aspects of this connectivity at a lower cost while providing a higher degree of secure manageability.”
For companies communicating sensitive data, over-the-air encryption, user authentication, and network authentication are a must, Makhija says. But the variety of platforms (and frequent OS upgrades) presents challenges when it comes to ensuring equal protection. “Maintenance of different versions of antivirus solutions and updating them regularly based on the operating system, patch, or newer service packs could be cumbersome,” Makhija says. “MDM provides the ability to push the policies remotely through the background. It could enable the IT support staff to do application management like white listing, blacklisting, and quarantining.”
“There is an inherent security risk with the BYOD trend,” Smith says. “However, the implementation of a solid mobile security strategy and deployment of secure mobile devices and accessories is helpful in mitigating many concerns. Defining clear policies around ownership of data and what can/cannot be wiped at the discretion of the company and being transparent with employees is critical.”
Mobile Payment Data
With the advent of mobile magnetic stripe card readers, near-field communication, mobile wallets, and other technologies, more and more mobile applications are incorporating payment. There are existing compliance standards required by the Payment Card Industry (PCI), but mobile payment standards are still in development. Mobile point of sale activity should be protected via wireless LANs that support multiple security protocols, secure Web portals or virtual private networks (VPNs) for data transfers, and wireless intrusion prevention systems, in addition to end-to-end authentication and encryption. “Hardware encryption, where cardholder data is encrypted by the reading mechanism itself and not via the main processing unit software, is arguably the most important consideration,” Smith says. “Furthermore, companies should look at point-to-point encryption (P2PE) systems to ensure that the data is encrypted during the swipe, transit, and processing.”
In the future, end users can expect to see more options for cloud-based mobile security, remote lock-and-wipe functionality, and even device-level biometric security features. Mobile content and document management will also play an increasingly important role in security — managing the data generated by mobile devices.