There are best practices for keeping data safe as Apple and Google devices capture the enterprise. Beth Schultz reports.
Not so long ago, enterprise mobility came with a set of well-defined security best practices that typically looked something like this: Control access through a virtual private network (VPN), encrypt data while in transit and at rest, and only allow the use of IT-controlled, password-protected devices, such as a corporate laptop or a BlackBerry.
“Over the last few years, most companies have had a pretty good angle and knowledge on regular device security that had been beaten into them,” says Marco Nielsen, vice president of services at Enterprise Mobile, a mobility services outsourcer.
But that was so yesterday. While laptops and BlackBerry devices haven't disappeared from the enterprise, many business users are pushing them aside for the latest consumer-oriented smartphones and tablets. The Apple iPhone and iPad, and their Google Android counterparts, are where enterprise mobility lies today – or at least this is what many of today's workers believe.
Enterprise IT hasn't been so certain, with its predominant focus on such matters as buttoning down the corporate network and keeping data secure. At the most obvious level, an iPhone or Droid is small and considerably lighter than a laptop. And that makes such a device far easier to forget as a CFO disembarks from an airplane or a sales executive exits a taxi.
What if during that ride the sales executive had used Microsoft Outlook Web Access to download email with customer-sensitive information – and hadn't bothered to password-protect the phone? He is going to be bummed that he lost his personal device, but the company will be in a much more precarious position due to the sensitive data sitting in an email cache ready for any Joe Hacker to read.
Here to stay
Ignoring the problem won't make it go away. “These mobile devices are here, they're here to stay, and people are using them whether you like it or not,” says Jon-Louis Heimerl, director of strategic security at Solutionary, an IT security consulting firm.
Indeed, across the globe, business users are clamoring for corporate permission to use the coolest new consumer-oriented mobile devices, namely the iPhone and iPad, and smartphones and tablets using the Android operating system. And enterprise IT security executives are under pressure to give them this access – in a way that won't jeopardize the company's information assets.
As Pat Patterson, information security architect at Raymond James Financial, puts it, “We're all in the same boat.”
He considers Raymond James, a diversified financial services holding company based in St. Petersburg, Fla., fairly typical of organizations struggling over the new era of enterprise mobility.
“We were a big BlackBerry shop, when BlackBerry was the business platform,” Patterson says. “But as the iPhone made its splash, we scrambled to support the same functionality – centralized control of email, contact and calendar information – on that platform as we have with BlackBerry.”
The iPhone and the devices that followed it have changed the game, introducing apps that push data farther and farther from the corporate data center. As a security person, that doesn't make Patterson too happy. “I like to have all the data in my data center under lock and key,” he says.
Nevertheless, he says, “We do want to enable use of these devices as an additional method for our financial advisers to service our clients, but we have to make sure we can do it securely first.”
That is what the role of the security professional should be all about, he adds. “I look at things from being a part of the support organization, so I have to figure out how to enable the business to do things that help the business,” Patterson says. “It looks to me like the business would benefit from being able to have additional apps out there on these mobile devices, especially tablets. Those will be real enablers for our financial advisers when sitting down with clients – if we can get good apps in their hands. And in order to get good apps in their hands, we have to be able to protect the data on the devices.”
Solutionary's Heimerl agrees that such scenarios are indeed playing out across the corporate landscape. “We're at the point now where companies are starting to say, ‘We've got to embrace mobile technologies and smart devices and support them, whether we really want to or not, because that's the way of the world right now,'” Heimerl says.
So if VPN access, data encryption and password protection formed the baseline of smart security in the old IT-controlled mobile world, then what are best practices for today's enterprise mobility?
First things first
The most secure enterprise mobility implementations start with smart policies. As a best practice, make a decision, establish usage and security policies, and then clearly articulate those to staff, Heimerl says.
“For example, specify, ‘OK, you can use your mobile device to access our corporate servers in this way: using an encrypted connection with a password on your endpoint. You can use it for email, contacts and calendars, but no document-sharing allowed,'” he says. “Give people a list of approved things, as well as a list of things they're not allowed to do.”
As a self-proclaimed security technology geek, Heimerl says he hates to keep reiterating that one has to have good policy, but ultimately the first defensive step is, well, good policy. “You've got to make a conscious decision and not just let smart devices happen at your company.”
That is sound best practices advice, says Nelson Saenz, the IT director at Active Interest Media (AIM), an El Segundo, Calif.-based media company focused on enthusiast magazines and related consumer shows, internet sites and books.
“We've always been forward-thinking in terms of mobility and giving employees mobile access to our information,” he says. “It is who we are and what we do. As a dynamic media company, there's an impetus on us in IT to foster mobile connectivity and provide easy but secure access to information.”
And so AIM has long had a bring-your-own-device philosophy with the general rule being, “If we can connect your device to our Exchange server, we'll do it,” he says.
But from the beginning, Saenz adds, AIM has wrapped policies and processes around it all. Employees receive instructions on how to go about getting devices activated, for example. “Through the help desk and portal server, users fill out a form, the device gets activated and users receive an automated email walking them through setup.”
Subsequent to that, AIM continues educating users. “We put out instructions, for example, for what to do if a device gets lost, misplaced or stolen,” says Saenz. “They know they need to notify us immediately so that we can wipe the device remotely.”
Insisting that users or the IT staff have the ability to wipe a lost or stolen device remotely, returning it to factory settings so corporate data doesn't fall into the wrong hands is indeed a best practice for smart device use, Solutionary's Heimerl says.
Kenneth van Wyk, founder and principal consultant at KRvW Associates, an Alexandria, Va.-based security consulting firm, agrees. “If you're going to have employees using enterprise infrastructure, email, file services and more, and they lose a device or it gets stolen, that's your biggest problem right there,” he says.
“But if you know where those mines are, you can deal with them,” van Wyk adds. “If you've got some device management, and you're quick enough, you can wipe the phone and protect your enterprise data before things explode.”
That means users must know what to do if they can't find their devices. “You've got to have good processes in place,” van Wyk says.
At AIM, IT uses remote wiping that comes with Good Technology's Good for Enterprise mobile device management (MDM) tool. But companies can let users do the erasing themselves, too.
For example, iPhone and iPad users should subscribe to Apple's MobileMe service [editor's note: now iCloud], Heimerl says. MobileMe not only allows remote wiping, but also restoration of expunged emails, contacts and calendars should a lost device be found.
For Android users, remote-wipe software and services are available from the device makers, as well as third parties. Google also offers its Apps Device Policy mobile app for Google Apps for Business customers.
As enterprise mobility implementations mature, IT organizations increasingly turn to MDM tools, such as the Good for Enterprise platform in use at AIM. Although the company has long been mobile-friendly, it experienced a turning point in device use with the iPhone's availability, Saenz says. “All of a sudden we had a large amount of mobile devices, mostly being iPhones, and we had no way of managing them,” he says.
The same goes for Raymond James, which has been allowing its financial advisers to use iPhones for email and contacts for roughly the past year-and-a-half, Patterson says. “For these purposes, we thought the control that Mobile ActiveSync provides us was good enough,” he says, referring to Microsoft's Exchange ActiveSync synchronization protocol, which the company uses on 1,500 to 2,000 smartphones today.
“However, before going full bore and placing our client data out there in the wild, we knew we needed to have a better way of controlling iPhones and Androids,” Patterson says.
For example, Patterson says he is troubled by how Raymond James' Mobile ActiveSync implementation handles self-registration of devices. “If I upgraded my iPhone tomorrow, switching my SIM card, that phone wouldn't necessarily be wiped before it went on to its next destination,” he says.
That is a problem if the company is going to allow financial advisers to pull up client histories or account balances on their iPhones or iPads, Patterson says.
Another MDM, Sophos Mobile Control, which Sophos introduced earlier this year and which Raymond James is beta testing, offers far more robust device inventory control. “That's fairly critical,” says Patterson. “Besides, I need to know that we can wipe the phone if data is in any way being cached on that device, that we're enforcing a lock policy, and that we're able to ascertain the information on the device isn't being tampered with in any way. And say we find an unauthorized application on that device? We want to be able to block that, too.”
As far as other key MDM features, IT organizations also should consider full-disk encryption, says Joe Nocera, a principal with PricewaterhouseCoopers.
“You obviously want the ability to encrypt sensitive data on the device, and this includes both data that is accessed via email, as well as in any attachments launched via email,” he says. “I've seen some examples where an individual email session is encrypted, but as soon as the user invokes an external program to view it, the attachment gets written insecurely on the file system in clear text.”
Over time, MDM best practices will evolve, Nocera adds. “The next generation will provide more of what we've seen with traditional IPS and anti-virus, with more network-based protections.”
Build security into mobile apps
At Raymond James, Patterson says he doesn't much care which applications developers are cooking up for potential use on iPhones, iPads and Android devices. “I just want to know that they're safe,” he says.
Translated into a best practice, that means evolving coding disciplines established for web application security to the mobile world, Nocera says.
“For a period of time, people thought of a mobile device as a bit of a black box and weren't too concerned about the data being left behind on that black box,” Nocera says. “But over the last 18 months or so, as we've seen incidents of various applications having cached sensitive information on mobile devices, people are starting to recognize them as fully functioning computers. They've got all the capabilities of our PCs or desktops, with file and operating systems, and once someone has defeated the basic security methods of a device, then they've got access to whatever is stored on the file system.”
A standard set of best coding practices would include clearing memory, encrypting sensitive data that is written to the file system, and clearing the screenshots that are captured as the user moves from one application to the next, he says.
Specific to the iPhone, for example, pushing the home button should trigger a clear memory function, Nocera says. “If you don't clear the memory, the image of the last screen accessed is stored on the file system. So, one use case would be: If I toggle over to read a text message while I'm in an online banking app, an image of my last banking transaction gets saved. Developers want to be sure to invoke that function to clear the memory.”
In addition, developers need to pay attention to how they're storing authentication information, Nocera says. That should either be encrypted or cleared after a session closes.
“We've seen a number of cases where those types of remnants were being written to file systems and, likewise, where all sorts of personalization information, cached from web pages, were being stored in a local file system,” he says. “Basic disciplines around memory management, what you write to a file system and how you clear those things are the types of best practices we're looking at.”
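The three disciplines Nocera describes, worked through as an added Swift example for a hypothetical iOS app (this is not code from the article or from any vendor it names): covering the screen before iOS takes the app-switcher snapshot that Nocera calls the "image of the last screen accessed," keeping the session token in the Keychain and clearing it when the session ends, and writing any cached file with complete file protection so it stays encrypted while the device is locked. The snapshot is written by the operating system when the app is backgrounded, whatever the app does with its own memory, so the control is to hide sensitive views first. The service name, account name and file name are placeholders, and the APIs are the current Swift ones rather than those of the article's era.

```swift
import UIKit
import Security

// Hypothetical identifiers used only for this example.
private let keychainService = "com.example.mobilebank.session"
private let keychainAccount = "session-token"

enum KeychainError: Error {
    case unhandled(OSStatus)
}

/// Session credentials live in the Keychain, not in a plist, UserDefaults or a cache
/// file, and only for as long as the session is open.
enum SessionTokenStore {
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: keychainService,
         kSecAttrAccount as String: keychainAccount]
    }

    static func save(_ token: String) throws {
        var query = baseQuery
        // Readable only while the device is unlocked, and never restored onto another device.
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        query[kSecValueData as String] = Data(token.utf8)
        SecItemDelete(baseQuery as CFDictionary)   // replace any stale item from a previous session
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
    }

    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }

    /// Call on logout or session timeout so no credential remnant survives on disk.
    static func clear() {
        SecItemDelete(baseQuery as CFDictionary)
    }
}

/// Anything the app must cache (a statement, an attachment opened from email) is written
/// with complete file protection: iOS encrypts it under a key derived from the passcode
/// and the file cannot be read while the device is locked.
func writeProtectedCache(_ contents: Data, named name: String) throws -> URL {
    let cacheDir = try FileManager.default.url(for: .cachesDirectory, in: .userDomainMask,
                                               appropriateFor: nil, create: true)
    let url = cacheDir.appendingPathComponent(name)
    try contents.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private var privacyShield: UIView?

    func applicationDidEnterBackground(_ application: UIApplication) {
        // iOS captures the app-switcher snapshot right after this method returns; cover the
        // window first so the stored image is blank rather than the last transaction screen.
        guard let window = window, privacyShield == nil else { return }
        let shield = UIView(frame: window.bounds)
        shield.backgroundColor = .white
        window.addSubview(shield)
        privacyShield = shield
        // Also tell iOS not to reuse whatever snapshot it has on the next launch.
        application.ignoreSnapshotOnNextApplicationLaunch()
    }

    func applicationWillEnterForeground(_ application: UIApplication) {
        privacyShield?.removeFromSuperview()
        privacyShield = nil
    }

    func applicationWillTerminate(_ application: UIApplication) {
        SessionTokenStore.clear()
    }
}
```

The same shield should go up in applicationWillResignActive if the app shows sensitive data in the multitasking or notification overlays, and a device with no passcode set offers no protection class stronger than the file system itself, which is why the lock policy enforced by MDM and the app's own handling of data go together.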
Just because organizations are allowing smart devices on their network doesn't mean they have to give users carte blanche when it comes to connectivity, says Henry Mayorga, director of network topology at Baron Capital, a New York investment firm. That is why he says Baron employees must take a manual step before they can access the secure wireless network he built to accommodate their desire to use iPads.
As soon as the first iPad went on sale in April 2010, Baron money managers started buying them en masse, says Mayorga, adding that the enticement had been especially strong for them since the firm is located in the same building as Apple's Fifth Avenue store.
“We have a little more than 100 employees, and within one week we already had 35 iPads in the shop needing network connectivity,” he says.
Mayorga says he won't allow access to his network until users tell him the MAC (media access control) address of their iPad, iPhone or Droid. Employees must send him an email so he can verify the MAC address and add it to an access control whitelist, he says.
“I don't want users to be able to use existing usernames and passwords to get on the network from any iPad or other new device they happen to buy,” Mayorga says. “They can only use the machine that's registered to the system.”
Security can be inconvenient, but he doesn't really care, he adds. “If I know your device, you're getting into the network and very quickly. If I don't know your device, you're not getting in.”
When he got the go-ahead to build a wireless network in support of iPads, the blessing came with one caveat – he had to ensure security. For that, he says, he needed some sort of access control mechanism, and he decided the IEEE 802.1X standard for port-based network access control was the only viable way to go.
“I can use my authentication schema to authenticate users and deal with nonstandard devices,” says Mayorga. “Anything that has a MAC address that comes into the wireless network I can manage and authenticate and allow or disallow from the network.”
And, he adds, he can give specific reports on who connected, when, and for how long. He knows the identities of all those machines and is confident that when they come into his network they have the right permissions.
Corporate apps: Secure access
Until recently, most iOS and Android device requests centered on the ability to use email, contacts and calendar. But now businesses are pushing into the next generation of mobile device use, which brings up additional security implications, says Chris Hazelton, mobile and wireless research director at The 451 Group, a New York-based analyst firm.
“Now senior managers are saying, ‘Hey, not only do I want you to support this very cool device, but where are our apps for it?'” Hazelton says. “'How do I get access to our customer relationship management (CRM) and the company dashboard? Why don't we have this, and if we do, where do I go and how do I download it?'”
Such requests behoove IT organizations to build enterprise stores that specify which applications a user, based on corporate groupings, can view. But the app store serves a great security purpose, too.
“You can say, ‘You need to download these security applications from the app store, too, and if you don't, we'll turn off email or deny access to corporate applications,'” Hazelton says.
“So in addition to the carrot, being email and now other corporate applications, IT will be able to say, ‘In order to get that access, we need to be able to enforce specific security policies on the device. For example, you need to use password protection and if you turn on CRM, the operating system and IT policies will initiate a VPN session.'”
Device security was merely the first stage, appropriate when use of Apple iOS and Android devices centered on email, Hazelton says. “Now the applications are more and more critical to secure and provision.”
– Beth Schultz
This piece originally appeared in the June special Spotlight on Mobile issue of SC Magazine.