Mobile users and personal devices

Who's responsible for ensuring security?

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Workshop Business today is a very different beast to that of just five years ago, and a world away compared to ten years back. While some of us are undoubtedly still office based, there has been an equally clear trend towards more flexible working which is less dependent on a fixed location. The spread of Wi-Fi in the home and workplace and then in public areas made mobile working feasible and even tolerable. And with increasingly effective connectivity technologies such as 3G, mobility for all its good or ills is here to stay.

The move to mobility has been arguably wondrous for productivity, but has been a difficult transition for security. Just under half of you reported that your workforce has a poor or very poor approach to IT security, which is a difficult situation to resolve, even with the best policies and most comprehensive training. Coupled with the tendency of users to try to connect to any available network and a susceptibility to fall victim to exploits of unpatched vulnerabilities, virus outbreaks and phishing attacks, mobile computing has experienced (more than) its fair share of horror stories.

New technologies aimed at managing and securing the notebook estate have emerged. These include comprehensive group policies, systems & patch management, NAC, advanced end-point protection, intrusion protection and identity protection. Plus there are newer initiatives such as disk or folder encryption to protect sensitive data. While these have been deployed with various levels of success, at least they exist and are available.

Now that notebooks are firmly established as an enterprise workhorse, a new challenge has arisen. The growth of smart devices that act as productivity enhancers and electronic communicators par excellence threatens to take us back to the dark ages of management and security yet again.

At the dawn of the smart phone age the devices were expensive, crude and very corporate. They were generally managed and deployed by IT as part of a controlled rollout, usually to quite small groups of senior users.

The last couple of years, characterised by products such as the iPhone, have seen some fundamental changes in the market and people's expectations. Smart phones became low cost (OK, relatively low cost), more sophisticated and positioned for consumer tastes. Apple's success has spurred on the likes of Nokia, Palm and Microsoft to speed product development and developer ecosystems. Even Blackberry, the enterprise email stalwart, has quickly moved to try and capture the consumer market. But in the case of the new wave of smart phones, it has been employees as consumers, not the IT department, that have driven uptake and use.

Part of the attractiveness of the new wave of smart phones is the blend of both consumer applications and interactivity of the devices, together with the ability to connect to work systems, something that enterprise focused items had spectacularly failed to do previously. This blurring of the lines between personal and professional identities is something that needs to be managed carefully. People cherish their beloved gadgets, but are also spectacularly careless with them as they take them through life's ups and downs. Witness the discovery of a lost iPhone prototype in a San Jose bar after a party. Although the loss has now revealed Apple's potential hardware design, the data and new operating system features were protected from discovery through remotely wiping the device. In the ideal world, the company would specify and provide a (very) limited range of devices to the workforce, and the employee would be happy to be provided with one. These devices could be more easily deployed, managed, supported and secured. The reality is that these are intimate devices, and very personal. If what the company provides is not appreciated or is found to be wanting for functionality or desirability, then employees will look to acquire devices on their own to do their job more effectively. In many situations where companies provide a device such as a Blackberry, the employee will still carry another gadget to get around the restrictions imposed by using the corporate machine.

So this then leads to a dilemma. If the company strictly limits the devices employees are able to use, it may just encourage them to use unsupported ones in secret, allowing a back door to open up. On the other side, should the company be prepared to allow employees to supply their own devices, and what if any restrictions should be implemented? A free-for-all would just be asking for trouble. Considering a shortlist (or not so shortlist) of approved devices may be suitable to give enough choice for general satisfaction without going overboard with coverage.

Once the question of user choice of device is decided, the issue then revolves around management, security and support. If the device is provided by IT, management and policy should not be an issue. But if an employee supplies the device, where should the dividing line lie? The device must be secured, but at whose discretion or expense? Arguably, by tacitly allowing use of a personal device on the network, the company must then provide a list of required software and configuration information or policy. Ideally, the company would also be able to provide the software for the employee. However, issues such as benefits-in-kind tax may be a concern, as may the ability to extend corporate or volume licences to equipment not owned or controlled by the company.

There is also the issue of granularity of protection. What exactly should be covered in a remote wipe? If the user loses the device should everything be reset in a big bang, or only specified applications and data? What if the employee has pictures, personal messages or similar that are not backed up anywhere but are wiped from a lost device that is subsequently found?

Finally there is the thorny issue of identity management and the confidence that the person using the device is the legitimate account holder. Company notebooks and such like are more easily secured by means of complex passwords and multiple authentication procedures, such as smart cards or one-time tokens. Establishing links with domain accounts by means of a SIM card or phone number may help. But the issue remains that smart phones and newer devices still have a way to go to match their notebook cousins for security.

As ever we would be very happy to hear how you tackle these issues. Please let us know in the comments section below.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.