Diverse mobile devices changing security paradigm

EASIER SAID THAN DONE
Controlling data flow on multiple mobile devices is one of the biggest challenges facing Rob Marti. As the information security officer at Integris Health, an Oklahoma nonprofit health organization, Marti must secure roughly 400 BlackBerries and 300 Microsoft PDAs used to support approved clinical and administrative processes.

"There are very few people here not impacted by electronic-protected health care information (EPHI). Because of how fluidly that information flows through our organization, it's next to impossible for us to create different classes of users," says Marti. "Any mobile device that accesses email has the possibility of containing EPHI. In that respect, a PDA is no different than a laptop or a desktop."

Integris secures data on BlackBerry devices with native BlackBerry OS authentication and encryption and protects Microsoft PDAs with Credant Mobile Guardian, a centrally managed enterprise encryption platform that installs an agent on each device. While the organization cannot realistically stop physicians from using personal smartphones, it can limit user privileges on all workstations and control ActiveSync and BlackBerry Enterprise Server (BES) access to prevent Integris data from being synchronized onto user-owned devices.

But doctors are eager to use iPhones for email. "They say, 'Oh, it's just email,' but I have to secure for the possibility that EPHI will live there," says Marti.

"We're getting five to seven requests a day for the iPhone, but I can't centrally manage, inventory or encrypt it today," he says. "By the time that I can, those doctors will have already replaced it with another latest and greatest. I'm in a loop where I can't respond until a device is a generation old."

Given that many new handhelds are not capable of protecting EPHI from day one, Marti believes that users must become more aware of information assets and their value. "People need to accept that protecting the information on mobile devices is part of patient care," he says. "More than anything, it comes down to creating a keen awareness of how powerful these devices can be: When you have a laptop in the palm of your hand, that presents a risk to your organization."

Analyst Gold finds that user education makes security policies far more effective. "Work with users to explain why certain things aren't allowed and they're more apt to accept limitations. It's not hard, but most IT staff doesn't think about [education as strategy]," he says. "Let users know why you don't consider that device up-to-snuff and the compromise you can offer. Most people are willing to move forward with what you offer, but if you just say no, they're going to try to get around you."

				Managed Diversity
				Separating mobile devices into categories can help enforce security policy. There are many good reasons to understand where and how data is used, including compliance with privacy regulations and security audits. However, data flow can also be instrumental for mobile device classification. Gartner analyst Ken Dulaney recommends a "managed diversity" strategy that deals with mobile device proliferation by separating them into three distinct classes (listed below) that strike a balance between levels of support, access and risk exposure. "Managed diversity attempts to replace the single standard approach of many organizations with a framework of choices," says Dulaney. "The key to this strategy is level two--permitting only limited access for some individually purchased [tolerated] devices." For example, many users can be satisfied with a combination of email, thin client Web access and telephony--applications supported on nearly any unmanaged smartphone. In fact, this frequently occurs without explicit IT approval or oversight. Some employers could benefit by acknowledging this usage and wrapping some type of "tolerated device" security policy around it. After all, employees cannot comply with unwritten rules, nor can IT audit or enforce them. --LISA PHIFER

USER PROFILES
At Long and Foster Real Estate, CIO Michael Koval copes with a multitude of devices by dividing his workforce into two categories, employees and sales associates. As a large residential real estate firm serving the mid-Atlantic, Long and Foster depends on approximately 15,000 sales associates--independent contractors who carry personal handhelds, including 4,000 Black-Berries, Windows Mobile, Palm and iPhone data-enabled mobile devices. Employees carry another 400 company-issued devices, mostly BlackBerries.

"For employees, when you come on board and you need a mobile device, you're going to get a BlackBerry. If you're a senior executive, you can somewhat specify what you want--most have stuck with our standard, but some have moved to Windows Mobile or iPhone. We have four BES servers to handle that traffic, plus two ActiveSync servers," says Koval.

For company-managed BlackBerries, Koval can offer a full suite of management and security services such as over-the-air provisioning, authentication, data encryption, monitoring and decommissioning. "We go through a process of procuring the device and pushing the core OS and standard applications that we want our management team to have. At certain times we have to pull data from them--for example, to comply with a subpoena. If someone loses a device or doesn't turn a device in, we can just brick [remotely disable] it."

But these operations are not yet feasible for iPhones. "I don't think of the iPhone as an enterprise device--it's a consumer device with a hook into Exchange and Web management," says Koval. "To enter my world as a [trusted] device, Apple would need to build a console to add/subtract and configure those devices from a central location."

However, this does not stop Long and Foster from supporting the iPhone in a limited fashion in order to provide its sales associates with a high level of service. "If they want a Palm or Windows Mobile or iPhone, I need to support them. Google Android will be coming into our organization the second the first agent buys one," says Koval.

Providing support to various devices is expensive and requires a full-time staff, Koval says, in addition to software and hardware and close relationships with all the wireless vendors "We do it because we want to be a good provider to our sales force and give them another reason to work with us," he says.

So how does Long and Foster deal with devices they neither own nor manage? "On agent [owned] devices, we don't get into putting programs on them or taking things off them. We apply a few Web filters, but other than that, we let users go where they want," says Koval. Instead of attempting to secure sales associate devices, the firm focuses on securing the systems they access. For example, most sales associates use thin clients to drill into multiple listing databases protected by SecureMLS token authentication.

At the end of the day, there's one security capability Koval would like to require from every device: the ability to kill it. "Even though they are owned by agents, I need this control, because they're part of our enterprise environment," he says. "We generally don't exercise this control unless an agent loses a device."

MANAGING ACROSS PLATFORMS
IT departments can also turn to cross-platform mobile device managers to enhance security. Cross-platform managers typically push a proprietary agent onto each device, letting them be configured, secured and monitored without depending on native mobile OS capabilities.

Cross-platform management is an in-house requirement and revenue source for Stratapult, a technical services group owned by Inmar and based in North Carolina. Jeff Pack, senior manager of remote systems management, has managed mobiles with Afaria from Sybase iAnywhere for 15 years. "Five years ago, all we saw were Pocket PCs," says Pack. "Now we have Windows Mobile phones and handheld computers like the iPhone. People are asking me to manage all of these devices because they can't restrict their users."

To meet in-house needs, Pack must support 700 Inmar employees who carry laptops, ruggedized tablets, Windows PDAs and smartphones, and BlackBerries. For the past eight years, Stratapult has also delivered mobile systems management, security, database and secure email services to customers like Godiva, Liz Claiborne and the U.S. Navy.

"Depending on what a customer is trying to do, we have a hosted model and turnkey services. We can set up a separate system and let them manage their own day-to-day devices, or we can deploy policies and continue managing them," explains Pack. "Either way, we use over-the-air deployment to install the Afaria client and push policy on first connection."

Pack has seen a wide variety of mobile security policies, but most customers require power-on passwords and disabling of lost, stolen or decommissioned devices."If the user fails to log in a number of times or hasn't synchronized for a given period, we can set a time bomb," says Pack. "For companies using field applications, they need to redeploy those devices efficiently, so that data isn't carried over from one user to another."

However, Pack sees reluctance to remotely kill employee-owned devices. "The justification for managing [employee-owned phones] can be tough. If you're using corporate email there, you have a legitimate argument to encrypt data," he says. "But in terms of doing a kill pill, no one's going there. If an executive owns the device, the ability to kill it is mostly an insurance policy."

Cross-platform management can be challenging. For example, Pack cannot yet manage iPhones. Nonetheless, Stratapult prefers to manage diverse devices instead of relying on thin clients. "We have customers without full-time connectivity in the mountains of Georgia. Here in this building, we have copper-coated windows that interfere with coverage. Some organizations can live with thin clients, but that approach it too limited for us [and our customers]," he says.

STRIKING A BALANCE
Diana Kelley, founder and partner at consultancy SecurityCurve, believes many companies end up trading robust data protection for "anytime, anywhere" access. "The cost of doing business is always pretty high--think of acceptable shrinkage [damage, loss or theft of inventory] in retail," she says. "In today's world, data loss is one of the costs of doing business anywhere, anytime, on almost any [mobile] device. Limiting risk means limiting access; each company has to decide where that line needs to be drawn."

However, establishing a strategy that addresses mobile device diversity appears to be critical. According to Gold, many companies don't really have a strategy--they either ignore non-standard devices or deal with them ad hoc.

"The first step is building a [more comprehensive] strategy," says Gold. "Talk to users about what they want, what they need, and tell them what you can do for them. When there are enough people using a given exception, then you can test it and secure it and bring it onto the corporate standard list. It's an evolutionary process."

				Revealing Poll
				A survey of 200 consumers released earlier this year by endpoint security supplier GuardianEdge Technologies illustrates some of the issues IT security teams face with the proliferation of mobile devices: 89% Number of respondents who said they are able to access email and other corporate information using their personal or corporate-issued smartphone. 52% Number of respondents who believe companies should allow employees to store and access company data on personal smartphones if corporate-issued devices aren't provided. 82% Number of respondents who said they were open to their company deploying security technology on either their personal or company-supplied smartphone.