Solving the Mobile Edge Security Problem
This situation, by the way, is not new to enterprise security experts. The person or group in charge of enterprise security faces a constant barrage of new, one-off, "surprise" devices every day. Whether for meaningless tinkering or for valid business reasons, a security professional’s job is never straightforward when presented with requests to allow devices with an unknown level of security risk. Setting policies around these devices and making decisions around their acceptable use within the enterprise is a constant dance that needs to be performed very carefully. Allow these devices and you run the risk of inadvertent disclosure of sensitive enterprise data—either by introduction of a new virus propagation vector or by something as simple as enabling the use of sensitive corporate data on a device that is very easily lost or stolen. Disallow them and you run the risk of being overruled by executive decision anyway, discrediting your organization and hampering your ability to make effective security decisions in the future.
The difference with the mobile devices discussed in this article is that they are no longer one-offs; they’re in your enterprise to stay. They are useful productivity enhancers and represent a straightforward evolution of mobile computing. They are a security threat that we now have to deal with, just as we dealt with laptops when they were introduced 15 years ago. The way to deal with these new converged mobile devices is simply the same way you’ve dealt with laptop and desktop security in the past. Vulnerability scanning to identify and visualize the mobile threats, central policy management to make the decisions on how security should be enforced, and endpoint security enforcement applications to transparently enforce the policy decisions you’ve made. Decisions such as these:
- What data is considered sensitive on my mobile devices? E-mail? Contacts?
- Which applications should be on my mobile devices?
- What data should those applications be allowed to access?
- How much control should I give to the user?
- Which resources should be allowed? Cameras? WiFi?
- Should Bluetooth be allowed to work for anything other than headsets?
- Should my mobile data be encrypted? How? With which algorithms?
- How should device access be protected? PIN? Password? Picture story?
Throw in a perimeter security gateway that does mobile device registration, compliance checking, and remediation, and you’ve got yourself a complete, end to end, centralized security infrastructure to address your mobile threats. Although the threats to your enterprise from mobile devices are significant, the solution to address them does not have to be complex.
Over time, what we now consider to be "mobile security" will become simply "security." And in comparison with the Blackberry—a closed architecture with limited functionality and centralized control—these new mobile devices are powerful, heterogeneous, vulnerable, and pose a serious risk to your enterprise environment if they are not properly protected and managed. There were four times as many smartphones sold in the first quarter of this year than there were laptops, and it’s only a matter of time before the hacker community catches on to the fact that the easiest way to the heart of corporate and government networks is via mobile devices. So far, the mobile device worms and viruses that we’ve seen in the wild have been fairly benign, but that will change. Now is a good time for security administrators to start thinking about extending the security policies and enforcement mechanisms from the wired world, to the untethered mobile edge. If we don’t, we could very well see the next Internet worm propagate and infect our enterprise networks via our cell phones.