Smartphones are ubiquitous in corporate life, supplying email and browser access to data whenever and wherever information junkies need a fix. But so far IT has been slow to address the security risks arising as a result of the smartphone phenomenon.
The necessity to remain connected with the business is driving explosive demand for smartphones across all organizations. In their last reporting quarter, Apple announced that it had sold 4.3 million iPhones (almost doubling the unit volume of 2.5 million Macintosh computers sold in the same quarter) and Research in Motion reported selling 6.7 million BlackBerry devices. The use of smartphones for accessing business applications and confidential data is a trend that is here for good.
It is surprising that IT is not giving more attention to securing these devices. There must be a huge number of smartphones containing business data that are lost in airplanes, hotel rooms and taxi cabs. Smartphones are, after all, computers with voice communications capability, designed around low power consumption to extend battery life. Beyond that, smartphones possess gigabytes of persistent flash memory, installed browsers and applications, and real operating systems in the form of Symbian, mobile Linux, and Microsoft Windows. When it comes to the security issues of protecting data and ensuring secure connectivity to applications, a smartphone should be treated the same as a laptop running Skype or Voice over IP.
IT should be putting smartphone security policies in place to protect sensitive data, access to corporate applications, and software configurations:
- Disclosure laws, such as CA 1386, apply to private information that is stored as "computerized data." Smartphones are not exempt from disclosure laws if they are lost with consumer data residing in memory. The easiest ways to avoid this are to never allow consumer data to be delivered to a smartphone, to clear caches and temporary buffers after a VPN session, or to encrypt all data that the smartphone receives.
- All connectivity to business applications and networks should require a password and SSL VPN for secure communications. Every smartphone that is used for business should require a password to be entered before launching a browser, mail agent, or other business application. The last thing IT wants is for a total stranger to turn on a lost smartphone and be given complete network access at the click of an icon. The other great feature of smartphones is the presence of a "kill switch": a smartphone reported as lost can be disabled as soon as it is turned on.
- Configuration management will become a greater issue for smartphones as business software becomes more prevalent and malicious code starts targeting these devices. Virtualized approaches, for example keeping the application and data in the data center and using the smartphone for display only, may help here.
Security vendors are moving forward to embrace protection of smartphones. There are lots of vendors offering smartphone encryption, including Credant, PGP, and Mocana, which has an interesting collection of security toolkits for developers of smartphone applications. I also believe there is great potential from VMware's acquisition of Trango to be able to dynamically deliver secure applications through the air upon user request. While security vendors embrace smartphone security, IT should focus on keeping secure data off smartphones to avoid the most serious security incidents.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.