Mobile users and personal devices

Who's responsible for ensuring security?


Workshop

Business today is a very different beast to that of just five years ago, and a world away compared to ten years back. While some of us are undoubtedly still office based, there has been an equally clear trend towards more flexible working which is less dependent on a fixed location. The spread of Wi-Fi in the home and workplace and then in public areas made mobile working feasible and even tolerable. And with increasingly effective connectivity technologies such as 3G, mobility for all its good or ills is here to stay.

The move to mobility has been arguably wondrous for productivity, but has been a difficult transition for security. Just under half of you reported that your workforce has a poor or very poor approach to IT security, which is a difficult situation to resolve, even with the best policies and most comprehensive training. Coupled with the tendency of users to try to connect to any available network and a susceptibility to fall victim to exploits of unpatched vulnerabilities, virus outbreaks and phishing attacks, mobile computing has experienced (more than) its fair share of horror stories.

New technologies aimed at managing and securing the notebook estate have emerged. These include comprehensive group policies, systems & patch management, NAC, advanced end-point protection, intrusion protection and identity protection. Plus there are newer initiatives such as disk or folder encryption to protect sensitive data. While these have been deployed with various levels of success, at least they exist and are available.

Now that notebooks are firmly established as an enterprise workhorse, a new challenge has arisen. The growth of smart devices that act as productivity enhancers and electronic communicators par excellence threatens to take us back to the dark ages of management and security yet again.

At the dawn of the smart phone age the devices were expensive, crude and very corporate. They were generally managed and deployed by IT as part of a controlled rollout, usually to quite small groups of senior users.

The last couple of years, characterised by products such as the iPhone, have seen some fundamental changes in the market and people's expectations. Smart phones became low cost (OK, relatively low cost), more sophisticated and positioned for consumer tastes. Apple's success has spurred on the likes of Nokia, Palm and Microsoft to speed product development and developer ecosystems. Even Blackberry, the enterprise email stalwart, has quickly moved to try and capture the consumer market. But in the case of the new wave of smart phones, it has been employees as consumers, not the IT department, that have driven uptake and use.

Part of the attractiveness of the new wave of smart phones is the blend of both consumer applications and interactivity of the devices, together with the ability to connect to work systems, something that enterprise-focused items had spectacularly failed to do previously. This blurring of the lines between personal and professional identities is something that needs to be managed carefully. People cherish their beloved gadgets, but are also spectacularly careless with them as they take them through life's ups and downs. Witness the discovery of a lost iPhone prototype in a San Jose bar after a party. Although the loss has now revealed Apple's potential hardware design, the data and new operating system features were protected from discovery through remotely wiping the device.

In the ideal world, the company would specify and provide a (very) limited range of devices to the workforce, and the employee would be happy to be provided with one. These devices could be more easily deployed, managed, supported and secured. The reality is that these are intimate devices, and very personal. If what the company provides is not appreciated or is found to be wanting for functionality or desirability, then employees will look to acquire devices on their own to do their job more effectively. In many situations where companies provide a device such as a Blackberry, the employee will still carry another gadget to get around the restrictions imposed by using the corporate machine.

So this then leads to a dilemma. If the company strictly limits the devices employees are able to use, it may just encourage them to use unsupported ones in secret, allowing a back door to open up. On the other side, should the company be prepared to allow employees to supply their own devices, and what if any restrictions should be implemented? A free-for-all would just be asking for trouble. Considering a shortlist (or not so shortlist) of approved devices may be suitable to give enough choice for general satisfaction without going overboard with coverage.

Once the question of user choice of device is decided, the issue then revolves around management, security and support. If the device is provided by IT, management and policy should not be an issue. But if an employee supplies the device, where should the dividing line lie? The device must be secured, but at whose discretion or expense? Arguably, by tacitly allowing use of a personal device on the network, the company must then provide a list of required software and configuration information or policy. Ideally, the company would also be able to provide the software for the employee. However, issues such as benefits-in-kind tax may be a concern, as may the ability to extend corporate or volume licences to equipment not owned or controlled by the company.

There is also the issue of granularity of protection. What exactly should be covered in a remote wipe? If the user loses the device should everything be reset in a big bang, or only specified applications and data? What if the employee has pictures, personal messages or similar that are not backed up anywhere but are wiped from a lost device that is subsequently found?
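The three questions above (an approved-device shortlist, a required configuration before a personal device is allowed on, and a remote wipe that touches only corporate data) are the kind of thing an MDM or network access control product evaluates on every connection. As an added example that is not part of the Register article, here is a small Python model of those checks; the approved-model list, the minimum OS versions, the compliance rules and the device records are all constructed assumptions, not any vendor's policy format.

```python
"""Constructed example: evaluate a device against a BYOD access policy and
scope a remote wipe to corporate data only. Every model name, version number
and device record below is invented for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical approved-device shortlist: model -> minimum OS version.
APPROVED_MODELS: Dict[str, Tuple[int, int]] = {
    "PhoneA": (4, 2),
    "PhoneB": (7, 0),
}


@dataclass
class Device:
    owner: str                      # "corporate" or "personal"
    model: str
    os_version: Tuple[int, int]
    encrypted: bool                 # storage encryption enabled
    passcode_set: bool              # device lock in place
    mdm_enrolled: bool              # accepted the company's management profile
    # Data items present on the device, tagged by who owns them.
    data: Dict[str, str] = field(default_factory=dict)


def compliance_failures(d: Device) -> List[str]:
    """Return every reason the device fails policy (empty list = compliant)."""
    failures: List[str] = []
    if d.model not in APPROVED_MODELS:
        failures.append(f"model {d.model} not on approved list")
    else:
        minimum = APPROVED_MODELS[d.model]
        if d.os_version < minimum:          # tuple comparison, major then minor
            failures.append(f"OS {d.os_version} below minimum {minimum}")
    if not d.passcode_set:
        failures.append("no device passcode")
    if not d.encrypted:
        failures.append("storage not encrypted")
    # A personal device is only tolerated once it accepts management,
    # which is what makes the remote wipe below possible at all.
    if d.owner == "personal" and not d.mdm_enrolled:
        failures.append("personal device not enrolled in management")
    return failures


def may_connect(d: Device) -> bool:
    """Network access decision: all checks must pass."""
    return not compliance_failures(d)


def wipe_targets(d: Device, selective: bool = True) -> List[str]:
    """Items a remote wipe would erase.

    For a personal device a selective wipe removes only corporate-tagged
    data, leaving the owner's photos and messages alone; a corporate-owned
    device, or a non-selective wipe, resets everything."""
    if selective and d.owner == "personal":
        return sorted(k for k, v in d.data.items() if v == "corporate")
    return sorted(d.data)


if __name__ == "__main__":
    byod = Device("personal", "PhoneA", (4, 3), True, True, True,
                  {"mail": "corporate", "photos": "personal",
                   "vpn_profile": "corporate"})
    print("connect:", may_connect(byod))
    print("selective wipe:", wipe_targets(byod))
    print("full wipe:", wipe_targets(byod, selective=False))
```

Returning the full list of failures rather than a bare yes/no matters in practice: it is what the help desk shows the employee so they can fix the device themselves, and it is what gets logged when a connection is refused.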

Finally there is the thorny issue of identity management and the confidence that the person using the device is the legitimate account holder. Company notebooks and the like are more easily secured by means of complex passwords and multiple authentication procedures, such as smart cards or one-time tokens. Establishing links with domain accounts by means of a SIM card or phone number may help. But the issue remains that smart phones and newer devices still have a way to go to match their notebook cousins for security.

As ever we would be very happy to hear how you tackle these issues. Please let us know in the comments section below.
