If industry analysts are correct, enterprises facing the challenge of creating a bring-your-own-device (BYOD) policy to gain control of Google Android and Apple iOS smartphones and tablets and secure the corporate data flowing to those devices are likely to get an earful at RSA Conference 2012.
There are people with three or four devices trying to get on the network and that’s one of the big issues.
John Kindervag, principal analyst, Forrester Research Inc.
For the first time at RSA Conference, mobile device security this year has its own session track, meaning a whole state of sessions and speakers will be focused on the topic. While plenty of sensational, headline-grabbing mobile malware attacks and malicious applications are areas of concern, enterprises are struggling with the practical challenges of extending corporate security policies to the hordes or personally owned devices accessing the network, said Andrew Hay, a senior security analyst at New York-based analyst firm The 451 Group.
IT security teams want the ability to track down and wipe lost or stolen devices, ensure secure access to corporate resources, and address mobile application security issues, said Hay, who is participating in a panel discussion on whether enterprises are “up for the challenge.”
“There are a lot of organizations that are comfortable with their perimeter demarcation and starting to look at other sources of data exfiltration. Mobile is definitely one of those things,” Hay said in a conference call previewing RSA 2012. “It goes beyond standard mobile device management.”
The BYOD phenomenon has also created a myriad of legal and technical challenges for enterprises, Hay said. How does an enterprise ensure standard security best practices are enforced without putting severe restrictions on an employee’s personally owned device? RSA 2012 offers at least six sessions addressing BYOD issues. A Thursday panel discussion, “BYOD: Securing Mobile Devices You Don’t Own,” will explore ways security pros can address the challenges posed by personally owned devices. Meanwhile, another session, “Mobile Devices: A Privacy & Security Check-In,” will provide insight on BYOD from the perspective of a group of legal and policy experts.
While some organizations are either restricting mobile access to corporate data to only those users with BlackBerrys or not addressing policy enforcement on iPhone or Android devices at all, at some point compliance and governance issues must be addressed, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc.
“We’re going to have to live with it and deal with it,” Kindervag said. “There are people with three or four devices trying to get on the network and that’s one of the big issues.”
RSA Conference 2012 attendees are also likely to be inundated with new security products designed to address mobile concerns. Some enterprises are testing out mobile security software with a limited subset of users; others are waiting for technologies to evolve, said Jason Clark, CSO of Los Gatos, Calif.-based security vendor Websense Inc. Clark said a lot of enterprise CISOs seem to be looking for peace of mind when it comes to mobile.
“I view a laptop as being significantly more risky than I do an iPhone or an iPad, but people view the mobile devices as riskier because there is zero visibility and no endpoint security on them,” Clark said. “The truth is that there’s so much more malware targeted against the laptop, while with the iPhone and iPad you’ve got a much more hardened environment with less data contained in it.”
In an RSA Conference 2012 session about information security in the year 2020, attendees will be asked to predict future threats and data security challenges to the enterprise. Mobile challenges will likely be a part of the discussion, said Pete Lindstrom, research director at Pennsylvania-based Spire Security, who is leading the session on Tuesday.
Lindstrom said the current defense-in-depth or zero-trust models may change because of increased mobility. He said people may look for ways to obfuscate themselves while on the network and only spend a limited time connected. Instead of thinking about how to secure themselves on the network, Lindstrom said people in the future might think about the notion of protecting themselves simply by disconnecting.
“I’ve seen some cool stuff related to network security based on the proximity of mobile devices,” Lindstrom said. “We’re already seeing some innovation with mobility, but I’m hoping to spur some more discussion and innovation.”
View all of our RSA 2012 Conference coverage.