Mobile users and personal devices

Who's responsible for ensuring security?


Workshop Business today is a very different beast to that of just five years ago, and a world away compared to ten years back. While some of us are undoubtedly still office based, there has been an equally clear trend towards more flexible working which is less dependent on a fixed location. The spread of Wi-Fi in the home and workplace and then in public areas made mobile working feasible and even tolerable. And with increasingly effective connectivity technologies such as 3G, mobility, for all its good or ill, is here to stay.

The move to mobility has been arguably wondrous for productivity, but has been a difficult transition for security. Just under half of you reported that your workforce has a poor or very poor approach to IT security, which is a difficult situation to resolve, even with the best policies and most comprehensive training. Coupled with the tendency of users to try to connect to any available network and a susceptibility to fall victim to exploits of unpatched vulnerabilities, virus outbreaks and phishing attacks, mobile computing has experienced (more than) its fair share of horror stories.

New technologies aimed at managing and securing the notebook estate have emerged. These include comprehensive group policies, systems & patch management, NAC, advanced end-point protection, intrusion protection and identity protection. Plus there are newer initiatives such as disk or folder encryption to protect sensitive data. While these have been deployed with various levels of success, at least they exist and are available.

Now that notebooks are firmly established as an enterprise workhorse, a new challenge has arisen. The growth of smart devices that act as productivity enhancers and electronic communicators par excellence threatens to take us back to the dark ages of management and security yet again.

At the dawn of the smart phone age the devices were expensive, crude and very corporate. They were generally managed and deployed by IT as part of a controlled rollout, usually to quite small groups of senior users.

The last couple of years, characterised by products such as the iPhone, have seen some fundamental changes in the market and people's expectations. Smart phones became low cost (OK, relatively low cost), more sophisticated and positioned for consumer tastes. Apple's success has spurred on the likes of Nokia, Palm and Microsoft to speed product development and developer ecosystems. Even Blackberry, the enterprise email stalwart, has quickly moved to try and capture the consumer market. But in the case of the new wave of smart phones, it has been employees as consumers, not the IT department, that have driven uptake and use.

Part of the attractiveness of the new wave of smart phones is the blend of both consumer applications and interactivity of the devices, together with the ability to connect to work systems, something that enterprise-focused items had spectacularly failed to do previously. This blurring of the lines between personal and professional identities is something that needs to be managed carefully.

People cherish their beloved gadgets, but are also spectacularly careless with them as they take them through life's ups and downs. Witness the discovery of a lost iPhone prototype in a San Jose bar after a party. Although the loss has now revealed Apple's potential hardware design, the data and new operating system features were protected from discovery through remotely wiping the device.

In the ideal world, the company would specify and provide a (very) limited range of devices to the workforce, and the employee would be happy to be provided with one. These devices could be more easily deployed, managed, supported and secured. The reality is that these are intimate devices, and very personal. If what the company provides is not appreciated or is found to be wanting for functionality or desirability, then employees will look to acquire devices on their own to do their job more effectively. In many situations where companies provide a device such as a Blackberry, the employee will still carry another gadget to get around the restrictions imposed by using the corporate machine.

So this then leads to a dilemma. If the company strictly limits the devices employees are able to use, it may just encourage them to use unsupported ones in secret, allowing a back door to open up. On the other side, should the company be prepared to allow employees to supply their own devices, and what if any restrictions should be implemented? A free-for-all would just be asking for trouble. Considering a shortlist (or not so shortlist) of approved devices may be suitable to give enough choice for general satisfaction without going overboard with coverage.

Once the question of user choice of device is decided, the issue then revolves around management, security and support. If the device is provided by IT, management and policy should not be an issue. But if an employee supplies the device, where should the dividing line lie? The device must be secured, but at whose discretion or expense? Arguably, by tacitly allowing use of a personal device on the network, the company must then provide a list of required software and configuration information or policy. Ideally, the company would also be able to provide the software for the employee. However, issues such as benefits-in-kind tax may be a concern, as may the ability to extend corporate or volume licences to equipment not owned or controlled by the company.

There is also the issue of granularity of protection. What exactly should be covered in a remote wipe? If the user loses the device should everything be reset in a big bang, or only specified applications and data? What if the employee has pictures, personal messages or similar that are not backed up anywhere but are wiped from a lost device that is subsequently found?

Finally, there is the thorny issue of identity management and the confidence that the person using the device is the legitimate account holder. Company notebooks and suchlike are more easily secured by means of complex passwords and multiple authentication procedures, such as smart cards or one-time tokens. Establishing links with domain accounts by means of a SIM card or phone number may help. But the issue remains that smart phones and newer devices still have a way to go to match their notebook cousins for security.

As ever we would be very happy to hear how you tackle these issues. Please let us know in the comments section below.
