Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Diverse mobile devices changing security paradigm

Enterprises must develop more creative strategies for enabling business use of smartphones and PDAs, including those that cannot be fully managed and secured.

ENTERPRISE IT SECURITY teams simply can't stop the crop of new mobile devices sprouting up in their environments. From Symbian to BlackBerry, more than 32 million smartphones were sold worldwide in the first quarter of 2008, up 30 percent over last year, according to Gartner. Apple's iPhone is forcing many organizations to rethink how they deal with employee-owned devices. To not just survive but thrive in the age of workforce mobility, enterprises must develop more creative strategies for enabling business use of smartphones and PDAs, including those that cannot be fully managed and secured.

Amrit Williams, CTO at configuration management company BigFix, says attempting to ban cool new mobile devices is a losing battle. "We're finding that IT is no longer in a position to inhibit technology that improves business productivity. These devices are now just too ubiquitous and too indispensable," he says. "Instead of finding ways to stop iPhones from accessing, IT needs to be thinking about how to extract higher value out of knowledge workers."

But how do organizations protect corporate data while accommodating the mobile device boom? Many secure laptops by deploying carefully crafted images on corporate standard platforms. While that practice has also been applied to mobile handheld devices, notably BlackBerries, doing so can only take a company so far. Smartphones and PDAs are simply too varied and too specialized to support just a chosen few. Furthermore, it has become nearly impossible to stop employees from using their own preferred handhelds for business.

Today's enterprises may no longer be able to ignore mobile device security, but there's no one-size-fits-all strategy. From user education to tiered support to cross-platform management, there are many approaches for dealing with diverse mobile workforces.

Jack Gold, principal analyst at consulting and research firm J. Gold Associates, recommends building flexibility into any mobile security strategy. "Unlike the PC market, there will continue to be a lot of churn in the mobile device market. Companies are going to have to deal with consumer devices because they can't do an adequate job of picking corporate standard devices," he says. "If you create a standard device list but don't readdress it for three years, that's six generations of mobile products. Your users are never going to have the best mobile devices."

In fact, organizations often have a hard time enforcing a standard device. "IT groups are confronted with innovation driving users to go out and buy their own devices," says Dan Dearing, vice president of marketing at mobility management vendor Trust Digital. "More and more, users have the device that IT mandates and the phone they choose to use. They're creating a huge risk for the enterprise by using [personal devices] without security. For example, if you lose your laptop, you have to go to IT. But if you lose your own smartphone, you can buy a replacement and IT will never even know about the loss."

Williams sees a similar trend at BigFix. "We have people getting their own iPhones now even though we issue them BlackBerries. The reality is that other devices are going to be used," he says. "The first step is to gain visibility--what devices are connecting to my network, what data is floating around on them? You can't begin to implement controls or policies without that."

Williams recommends a three-pronged approach for gaining data flow visibility: "Monitor data at the point of transmission, the application itself, and the endpoint. The No. 1 thing that organizations can do is provide the ability for application interactions to be audited--it's the best way to understand whether data is being used."

Controlling data flow on multiple mobile devices is one of the biggest challenges facing Rob Marti. As the information security officer at Integris Health, an Oklahoma nonprofit health organization, Marti must secure roughly 400 BlackBerries and 300 Microsoft PDAs used to support approved clinical and administrative processes.

"There are very few people here not impacted by electronic-protected health care information (EPHI). Because of how fluidly that information flows through our organization, it's next to impossible for us to create different classes of users," says Marti. "Any mobile device that accesses email has the possibility of containing EPHI. In that respect, a PDA is no different than a laptop or a desktop."

Integris secures data on BlackBerry devices with native BlackBerry OS authentication and encryption and protects Microsoft PDAs with Credant Mobile Guardian, a centrally managed enterprise encryption platform that installs an agent on each device. While the organization cannot realistically stop physicians from using personal smartphones, it can limit user privileges on all workstations and control ActiveSync and BlackBerry Enterprise Server (BES) access to prevent Integris data from being synchronized onto user-owned devices.

But doctors are eager to use iPhones for email. "They say, 'Oh, it's just email,' but I have to secure for the possibility that EPHI will live there," says Marti.

"We're getting five to seven requests a day for the iPhone, but I can't centrally manage, inventory or encrypt it today," he says. "By the time that I can, those doctors will have already replaced it with another latest and greatest. I'm in a loop where I can't respond until a device is a generation old."

Given that many new handhelds are not capable of protecting EPHI from day one, Marti believes that users must become more aware of information assets and their value. "People need to accept that protecting the information on mobile devices is part of patient care," he says. "More than anything, it comes down to creating a keen awareness of how powerful these devices can be: When you have a laptop in the palm of your hand, that presents a risk to your organization."

Analyst Gold finds that user education makes security policies far more effective. "Work with users to explain why certain things aren't allowed and they're more apt to accept limitations. It's not hard, but most IT staff doesn't think about [education as strategy]," he says. "Let users know why you don't consider that device up-to-snuff and the compromise you can offer. Most people are willing to move forward with what you offer, but if you just say no, they're going to try to get around you."

Managed Diversity
Separating mobile devices into categories can help enforce security policy.

There are many good reasons to understand where and how data is used, including compliance with privacy regulations and security audits. However, data flow can also be instrumental for mobile device classification. Gartner analyst Ken Dulaney recommends a "managed diversity" strategy that deals with mobile device proliferation by separating them into three distinct classes (listed below) that strike a balance between levels of support, access and risk exposure.

"Managed diversity attempts to replace the single standard approach of many organizations with a framework of choices," says Dulaney. "The key to this strategy is level two--permitting only limited access for some individually purchased [tolerated] devices."

For example, many users can be satisfied with a combination of email, thin client Web access and telephony--applications supported on nearly any unmanaged smartphone. In fact, this frequently occurs without explicit IT approval or oversight. Some employers could benefit by acknowledging this usage and wrapping some type of "tolerated device" security policy around it. After all, employees cannot comply with unwritten rules, nor can IT audit or enforce them.


At Long and Foster Real Estate, CIO Michael Koval copes with a multitude of devices by dividing his workforce into two categories, employees and sales associates. As a large residential real estate firm serving the mid-Atlantic, Long and Foster depends on approximately 15,000 sales associates--independent contractors who carry personal handhelds, including 4,000 Black-Berries, Windows Mobile, Palm and iPhone data-enabled mobile devices. Employees carry another 400 company-issued devices, mostly BlackBerries.

"For employees, when you come on board and you need a mobile device, you're going to get a BlackBerry. If you're a senior executive, you can somewhat specify what you want--most have stuck with our standard, but some have moved to Windows Mobile or iPhone. We have four BES servers to handle that traffic, plus two ActiveSync servers," says Koval.

For company-managed BlackBerries, Koval can offer a full suite of management and security services such as over-the-air provisioning, authentication, data encryption, monitoring and decommissioning. "We go through a process of procuring the device and pushing the core OS and standard applications that we want our management team to have. At certain times we have to pull data from them--for example, to comply with a subpoena. If someone loses a device or doesn't turn a device in, we can just brick [remotely disable] it."

But these operations are not yet feasible for iPhones. "I don't think of the iPhone as an enterprise device--it's a consumer device with a hook into Exchange and Web management," says Koval. "To enter my world as a [trusted] device, Apple would need to build a console to add/subtract and configure those devices from a central location."

However, this does not stop Long and Foster from supporting the iPhone in a limited fashion in order to provide its sales associates with a high level of service. "If they want a Palm or Windows Mobile or iPhone, I need to support them. Google Android will be coming into our organization the second the first agent buys one," says Koval.

Providing support to various devices is expensive and requires a full-time staff, Koval says, in addition to software and hardware and close relationships with all the wireless vendors "We do it because we want to be a good provider to our sales force and give them another reason to work with us," he says.

So how does Long and Foster deal with devices they neither own nor manage? "On agent [owned] devices, we don't get into putting programs on them or taking things off them. We apply a few Web filters, but other than that, we let users go where they want," says Koval. Instead of attempting to secure sales associate devices, the firm focuses on securing the systems they access. For example, most sales associates use thin clients to drill into multiple listing databases protected by SecureMLS token authentication.

At the end of the day, there's one security capability Koval would like to require from every device: the ability to kill it. "Even though they are owned by agents, I need this control, because they're part of our enterprise environment," he says. "We generally don't exercise this control unless an agent loses a device."

IT departments can also turn to cross-platform mobile device managers to enhance security. Cross-platform managers typically push a proprietary agent onto each device, letting them be configured, secured and monitored without depending on native mobile OS capabilities.

Cross-platform management is an in-house requirement and revenue source for Stratapult, a technical services group owned by Inmar and based in North Carolina. Jeff Pack, senior manager of remote systems management, has managed mobiles with Afaria from Sybase iAnywhere for 15 years. "Five years ago, all we saw were Pocket PCs," says Pack. "Now we have Windows Mobile phones and handheld computers like the iPhone. People are asking me to manage all of these devices because they can't restrict their users."

To meet in-house needs, Pack must support 700 Inmar employees who carry laptops, ruggedized tablets, Windows PDAs and smartphones, and BlackBerries. For the past eight years, Stratapult has also delivered mobile systems management, security, database and secure email services to customers like Godiva, Liz Claiborne and the U.S. Navy.

"Depending on what a customer is trying to do, we have a hosted model and turnkey services. We can set up a separate system and let them manage their own day-to-day devices, or we can deploy policies and continue managing them," explains Pack. "Either way, we use over-the-air deployment to install the Afaria client and push policy on first connection."

Pack has seen a wide variety of mobile security policies, but most customers require power-on passwords and disabling of lost, stolen or decommissioned devices."If the user fails to log in a number of times or hasn't synchronized for a given period, we can set a time bomb," says Pack. "For companies using field applications, they need to redeploy those devices efficiently, so that data isn't carried over from one user to another."

However, Pack sees reluctance to remotely kill employee-owned devices. "The justification for managing [employee-owned phones] can be tough. If you're using corporate email there, you have a legitimate argument to encrypt data," he says. "But in terms of doing a kill pill, no one's going there. If an executive owns the device, the ability to kill it is mostly an insurance policy."

Cross-platform management can be challenging. For example, Pack cannot yet manage iPhones. Nonetheless, Stratapult prefers to manage diverse devices instead of relying on thin clients. "We have customers without full-time connectivity in the mountains of Georgia. Here in this building, we have copper-coated windows that interfere with coverage. Some organizations can live with thin clients, but that approach it too limited for us [and our customers]," he says.

Diana Kelley, founder and partner at consultancy SecurityCurve, believes many companies end up trading robust data protection for "anytime, anywhere" access. "The cost of doing business is always pretty high--think of acceptable shrinkage [damage, loss or theft of inventory] in retail," she says. "In today's world, data loss is one of the costs of doing business anywhere, anytime, on almost any [mobile] device. Limiting risk means limiting access; each company has to decide where that line needs to be drawn."

However, establishing a strategy that addresses mobile device diversity appears to be critical. According to Gold, many companies don't really have a strategy--they either ignore non-standard devices or deal with them ad hoc.

"The first step is building a [more comprehensive] strategy," says Gold. "Talk to users about what they want, what they need, and tell them what you can do for them. When there are enough people using a given exception, then you can test it and secure it and bring it onto the corporate standard list. It's an evolutionary process."

Revealing Poll
A survey of 200 consumers released earlier this year by endpoint security supplier GuardianEdge Technologies illustrates some of the issues IT security teams face with the proliferation of mobile devices:

89% Number of respondents who said they are able to access email and other corporate information using their personal or corporate-issued smartphone.

52% Number of respondents who believe companies should allow employees to store and access company data on personal smartphones if corporate-issued devices aren't provided.

82% Number of respondents who said they were open to their company deploying security technology on either their personal or company-supplied smartphone.

Article 1 of 15

Dig Deeper on Endpoint protection and client security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All