This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
ENTERPRISE IT SECURITY teams simply can't stop the crop of new mobile devices sprouting up in their environments. From Symbian to BlackBerry, more than 32 million smartphones were sold worldwide in the first quarter of 2008, up 30 percent over last year, according to Gartner. Apple's iPhone is forcing many organizations to rethink how they deal with employee-owned devices. To not just survive but thrive in the age of workforce mobility, enterprises must develop more creative strategies for enabling business use of smartphones and PDAs, including those that cannot be fully managed and secured.
Amrit Williams, CTO at configuration management company BigFix, says attempting to ban cool new mobile devices is a losing battle. "We're finding that IT is no longer in a position to inhibit technology that improves business productivity. These devices are now just too ubiquitous and too indispensable," he says. "Instead of finding ways to stop iPhones from accessing Salesforce.com, IT needs to be thinking about how to extract higher value out of knowledge workers."
But how do organizations protect corporate data while accommodating the mobile device boom? Many secure laptops by deploying carefully crafted images on corporate standard platforms. While that practice has also been applied to mobile handheld devices, notably BlackBerries, doing so can only take a company so far. Smartphones and PDAs are simply too varied and too specialized to support just a chosen
Today's enterprises may no longer be able to ignore mobile device security, but there's no one-size-fits-all strategy. From user education to tiered support to cross-platform management, there are many approaches for dealing with diverse mobile workforces.
FLEXIBILITY AND VISIBILITY
Jack Gold, principal analyst at consulting and research firm J. Gold Associates, recommends building flexibility into any mobile security strategy. "Unlike the PC market, there will continue to be a lot of churn in the mobile device market. Companies are going to have to deal with consumer devices because they can't do an adequate job of picking corporate standard devices," he says. "If you create a standard device list but don't readdress it for three years, that's six generations of mobile products. Your users are never going to have the best mobile devices."
In fact, organizations often have a hard time enforcing a standard device. "IT groups are confronted with innovation driving users to go out and buy their own devices," says Dan Dearing, vice president of marketing at mobility management vendor Trust Digital. "More and more, users have the device that IT mandates and the phone they choose to use. They're creating a huge risk for the enterprise by using [personal devices] without security. For example, if you lose your laptop, you have to go to IT. But if you lose your own smartphone, you can buy a replacement and IT will never even know about the loss."
Williams sees a similar trend at BigFix. "We have people getting their own iPhones now even though we issue them BlackBerries. The reality is that other devices are going to be used," he says. "The first step is to gain visibility--what devices are connecting to my network, what data is floating around on them? You can't begin to implement controls or policies without that."
Williams recommends a three-pronged approach for gaining data flow visibility: "Monitor data at the point of transmission, the application itself, and the endpoint. The No. 1 thing that organizations can do is provide the ability for application interactions to be audited--it's the best way to understand whether data is being used."
This was first published in November 2008