
On-the-go defense

Where devices go, applications follow. And in today's bring-your-own-device (BYOD) world, with personal devices increasingly flooding onto the enterprise network, a plethora of unexpected and sometimes unwanted applications are coming through the floodgates as well. This massive change is throwing even the most confident IT managers for a loop, according to many experts.

“Traditionally, things were cut and dried in the BlackBerry days,” says John Sawyer, senior security analyst with InGuardians, an information security consultancy based in Washington, D.C.

“The company provided one device with one management platform and [had] hundreds of controls and a locked-down environment. In the past few years, with the economic crisis, companies are cutting costs and [giving] employees the new devices they want with BYOD. And consumer products that no one ever thought of being there are entering the enterprise.”

Companies need to understand the risk and the opportunity implicit in mobilizing the workforce – and that means learning to operate security in a completely different paradigm than they have before, says Nicko van Someren, chief technology officer for Good Technology, a Sunnyvale, Calif.-based provider of multiplatform enterprise mobility. “Mobility is an increasingly important tool,” van Someren says. “IT organizations have been used to having a great deal of control on the machines on which their information is resting. But in a mobile world, they don't control the connectivity, they often don't control the device, and there are more issues with the loss of control of the data that legitimately makes it onto the devices and then is moved somewhere else.”

“Operating systems don't sell devices... what sells devices is the apps.”

– Tyler Shields, senior security researcher and mobile expert, Veracode

Indeed, if employees are using their own personal devices for work, they will often enlist personal applications on that device through the corporate network. In addition, mobile users are also seeking out and finding applications for business use that they download onto their personal or even company-issued phones or tablets. As Sawyer points out, there are an ever-growing number of enterprise applications targeting everything from health care to industrial control systems. So, both business-related apps that are neither used nor sanctioned by the company, in addition to just plain fun ones, are getting downloaded onto both personal and corporate-controlled devices. BYOD or no, it seems the line between the private and the professional is blurring beyond recognition.

And it's not surprising considering how important the application has become in the scheme of device usability. “Phones don't sell mobile devices,” says Tyler Shields, senior security researcher and mobile expert for Veracode, a Burlington, Mass.-based application security company. “Operating systems don't sell devices. What sells devices is the apps.”


Even for a relatively conventionally locked-down enterprise, like the one run by VyStar Credit Union, “managing security is pretty ridiculous right now,” says Brent Morris, the Jacksonville, Fla.-based financial institution's security analyst. VyStar doesn't support BYOD. Instead, all its employees' iPhones and iPads are company-owned, but Morris admits that they are often used for personal use.

Aside from the run-of-the-mill social networking or email applications that pop up, Morris says he has to be wary of the increasing number of fraudulent applications, which could target either the personal information of the user or the vital information of the enterprise itself. Some legitimate apps will collect personal or device information, ranging from serial numbers to current location, making them another potential conduit for misdeeds and another management headache. The credit union has considered BYOD, but, says Morris, “The level of security issues that opens up is a Pandora's box.”

“IT professionals know that the BYOD trend is coming – or has already arrived...”

– Sanjay Castelino, VP of product marketing, SolarWinds

Industry surveys underscore what many experts have said: Companies are not necessarily prepared to embrace all the facets of the BYOD revolution and the emergence of unexpected applications that are coming with it. The Association for Information and Image Management (AIIM), a global community of information professionals, in mid-April released an industry-watch paper that looked at the ongoing migration to the adoption of mobile content applications. The report pointed up what it called the “consumerization of IT” as a trend that is changing the way companies do business. But, the study also found contradictions: 67 percent of respondents said they considered mobile technologies important or extremely important to improving business process, but only 24 percent said they were mobilizing content – leaving more employees to take matters into their own hands.

SolarWinds, an Austin, Texas-based IT management software vendor, released its own study in April looking squarely at the BYOD trend and its attendant security concerns and other risks. Based on its survey of 400 IT pros, the company found that many were worried about the security issues, as well as legal and regulatory threats, the risk of malware, and the associated management burdens that could come with employees using their own devices.

“IT professionals know that the BYOD trend is coming – or has already arrived – and many don't know how much support or oversight they should provide on personal mobile devices,” says Sanjay Castelino, VP of product marketing at SolarWinds. “They are trying to build the boat while sailing it, and are learning every day what the implications of BYOD are to their corporate networks,” he says.


The survey makes clear the competing objectives for companies: Keeping employees happy and productive by allowing them to use their own personal mobile devices, versus keeping their network secure. Two-thirds of the SolarWinds' survey respondents said that they do not have the necessary tools in place to manage mobile devices on their network that are not issued by the company. In addition, more than one-quarter of respondents (27 percent) said they were “not at all confident” that they know about all the personal mobile devices on their network.

And yet, as Castelino points out, simply telling employees not to use personal devices is an increasingly unrealistic proposition, especially since his survey found that the people who most often employ BYOD (with or without approval) tend to be management. “It's tough to say ‘no,’” Castelino says. “The industry needs to look beyond the device and think about the application.”

In fact, Apple and Google have both made efforts to vet the apps that users download from their stores, Apple's App Store and Google Play, respectively, according to industry experts. Traditionally, iOS has had a reputation for a lower incidence of fraudulent applications sneaking in than Android, which has been less restrictive in its application policy.

“Apple does have controls in place and more stringent guidelines for applications that go into its App Store,” says Sawyer. “For Android, there's more of a push now to start implementing something.” But IT departments might need to lower their expectations for support from the mobile OS developers, since limiting application availability or setting restrictions on how these apps interact flies in the face of what mobile applications were built to be, says van Someren.

“The key thing to understand is that when Apple and Google create these beautiful operating systems, they make them leaky,” he says. “They make it easy for data to be passed from one user to another or one application to another. These are technologies that are going out of their way to take data on the mobile device and make it available somewhere else – the opposite of what most enterprises are wanting.”

So, the burden for managing mobile application risks weighs largely on the enterprise IT departments themselves. Industry experts say there are almost no hard-and-fast rules. Each company will likely institute different policies based on its own industry, its regulatory and audit demands, its workforce and its size. A small technology industry start-up is likely to have very different mobile application usage policies than a large and heavily regulated financial services firm. “The hardest part is matching the policies to the culture of the organization,” says Veracode's Shields.

According to Good Technology's van Someren, though, it's really all about the data, no matter which device is being used to create, access and move it.

“You have to have a centralized policy over the data, even if not the devices,” he says. For this reason, he suggests implementing controls that operate at the application level to get “as close to where the data comes in as possible.”
