Time to Get Smart About Portable Device Security

Steve Durbin asks: "Portable devices are smarter than ever, but can the same be said of users?"

We have fallen in love with portable devices, including smartphones and tablets. By reinventing the way phones and portable computers work, they offer an intuitive and user-friendly way to surf the web, communicate, and access entertainment. For many of us, it’s hard to imagine life without the instant access to personal communications, social networking and media-sharing sites that these devices provide.

The flip side of this is that organizations are facing a growing set of challenges, as employees increasingly select and use tablets and smartphones – as well as laptops – to perform their work. The rise of the ‘company car’ IT scheme (‘pick any of the following – but you pay if you want something higher performance’) – also known as bring your own device (BYOD) – means that information will need to be secured across many more platforms that are not wholly under the direct control of the organization.

A key challenge is that many of the most popular consumer devices were not designed from the start as business tools, and they do not offer levels of security comparable to those of current desktop and laptop computers. What’s more, the way these devices are used blurs the line between personal and business behavior.

Among the potential risks to the organization are misuse of the device itself, external exploitation of software vulnerabilities, and the deployment of poorly tested, unreliable business apps – all of which open up new routes for data loss. They present just another way for an organization’s reputation to be damaged.

But all is not lost. By putting in place the right working practices, usage policies and management tools, organizations can benefit from the greater flexibility, increased productivity and reduced costs that consumer devices can bring to the workplace, while minimizing exposure to the potential risks. However, time is of the essence, and organizations urgently need to formulate a response to this trend. That’s why the Information Security Forum (ISF) has worked with a number of its members – leading organizations in their use of technology – to compile an objective, best practice-focused approach to securing mobile devices.

The Urgency of Now

The need to act is clear. Thirty-three percent of ISF members who provided input to a recent ‘Securing Consumer Devices’ report already use consumer devices in certain parts of their operational environment, and 75% have pilots or are running trials. Over 70% remarked that the pressure for increased adoption and change in this area was escalating – with most saying that it is “escalating severely”.

To help its members formulate an effective response to these demands, the ISF report breaks down portable device security into four manageable components: governance; users; devices; and applications and data.

Governance

Without control over portable devices, organizations have little or no visibility of usage and penetration, and poor knowledge of ownership, support requirements, adherence to policies, or compliance. In addition, consumer mobile devices and apps are typically sourced from a wide variety of unapproved, non-corporate suppliers, with limited attention paid to service provision contracts.

Addressing this means creating a framework that ensures correct and consistent mobile device security assurance. This involves surveying the extent of consumer device penetration and identifying the different device user groups, their requirements, and the attendant risks. Organizations then need to agree on a device provision mechanism; define policies around ownership, corporate access and acceptable use; and identify any statutory requirements.

A comment from one participant in the ISF survey, an executive at a services company, highlights the need for more rigorous governance around portable devices: “We had an agreed password policy for all BlackBerry devices that required a long and complex password string. That all changed when a senior executive requested a simple password, as he couldn’t enter the complex one while driving.”

Users

Many user groups within organizations are very keen to use portable devices in new ways to support the way they work (see table below).

Participants in the ISF study reported that of the various user groups, the main drivers of portable device adoption were senior management (50%), followed by business groups and IT (each 20%). Of course, senior executives have the greatest influence to drive adoption as well as to influence new policies and standards. As one ISF member said, “Our CEO walked into the board meeting and gave everyone an iPad. He then turned to the CIO and said, ‘We’ll be using these from now on!’”.

The challenge for information security professionals is that without control over consumer device working practices, users are free to combine work and personal data. This is accompanied by the increased risk of operating in unsuitable locations and exposure to loss and theft. Users can also potentially misuse or abuse the device through jailbreaking or disabling security features. They might also copy data to removable storage devices, or use the device for making inappropriate calls, or for downloading and sending offensive or inappropriate content. The list goes on.

Organizations need to ensure employees are aware of what constitutes good working practice for mobile devices. In addition to making consumer device security an integral part of awareness campaigns, organizations should create an acceptable use policy that employees must sign. Furthermore, organizations should consider monitoring device usage and enforcing policy through disciplinary or financial sanctions.

The most effective practice, however, will likely be awareness. Ensuring that employees don’t blur (or forget) the lines between business and personal use will be key. Awareness programs will need to reinforce that the employee is responsible for looking after the organization’s information – regardless of the device it is on. As a result, employees have to be more aware and understand what is expected of them, and what to do in the event of a problem. Awareness will need to cover both electronic and physical security.

Devices

Left unprotected and unmanaged, portable devices are exposed to a range of information security threats. These include: malware targeted at the device’s operating system or apps; unauthorized connections; exploitation of software vulnerabilities that exposes data or causes unexpected behavior; and compromise or irrecoverable loss of data.

Organizations need technical solutions for securing access to mobile devices and their contents. These include: enabling or installing functionality, such as malware protection, firewalls, and storage encryption; enforcing complex passwords; and enabling remote maintenance, upgrades, and device wipes through a mobile device management (MDM) system.

Secure disposal of smartphones and tablets also needs careful consideration – many of these devices are auctioned off, thrown away, or sent to be recycled. Information still stored on the device can very easily be recovered by whoever receives it next. As one information security executive commented, “When someone leaves, what are they walking out with?”

For laptops, there are a wide variety of solutions to choose from, but the secret is to select the solutions that best fit the needs of the business. Tablets and smartphones may have to be dealt with on a case-by-case basis as ‘commercial strength’ solutions become available. Where possible, the basics – such as patching, malware protection and firewalls – will need to be in place on the employee-owned device, to provide a minimum baseline of security.

Virtualization (or using cloud-based virtual desktops) is likely to play a major role. By using a virtual environment, organizations can ignore the underlying device and deploy a secure environment in which the employee can work. The security of the virtualized machine and associated information can be enhanced by prohibiting the use of USB devices, printing, or writing to the device’s storage, and by deploying technologies such as digital rights management (DRM) and data loss prevention (DLP).

Applications and Data

Most applications on portable devices will have been purchased or downloaded from an app store or software vendor. In many cases, the provenance of the apps is unknown, and they are unlikely to have undergone formal software development and testing, or to come with proper documentation and an upgrade regime. The apps may also lack activity reporting and logging, and typically provide poor data protection.

Organizations need to ensure that apps used for business – and the types of data they are able to access or generate – are appropriate and properly tested. This might include going as far as developing apps in-house and building an organization’s own app store. This way, apps can be thoroughly tested and secured against malware infections. Organizations should also implement data classification to set limits on the type of data that can be accessed or generated by users on consumer devices.

Wading Through a Rising Tide

The moves toward consumerization of IT and the rise of BYOD in the workplace are real and fast-moving trends, but they should not mean a loss of control over IT resources and behavior. Information security professionals need to ensure the right guidelines, processes and procedures are in place so that information stored or accessed from portable devices is well protected.

Many people – either because of their job or role, IT experience and knowledge, or their personal outlook – may not want to mix their business and personal lives; they may not want to be ‘contactable’ at all times, or open up their devices to scrutiny by an organization. This means organizations will continue to supply IT equipment to employees. As one risk professional put it: “When we told employees that they could use their own device for work, there was considerable interest. When we told them we wanted to inspect and audit their devices, the interest almost vanished.”

However, while organizations address the rapidly rising tide of smart portable devices entering the work environment, they cannot afford to stand still: now is the time to get smart about device security.

DIFFERENT USER GROUPS AND THEIR PORTABLE DEVICE BEHAVIORS

Non-executive directors
  Typical uses:
  • Personal Information Management
  • Reading Board documents such as minutes, papers, proposals, finances
  Comments:
  • May have more than one company’s information stored on one device
  Challenges:
  • Need to reconcile differing security requirements
  • Loss of device

Executives / Board / senior management
  Typical uses:
  • Personal Information Management
  • Reading Board documents such as minutes, papers, proposals, finances
  Comments:
  • Some now want office productivity suites available on the device
  Challenges:
  • Leakage of sensitive information
  • Loss of device

Knowledge and specialist workers
  Typical uses:
  • Personal Information Management
  • Social networking
  • Knowledge sharing / collaboration tools
  Comments:
  • See these as productivity enhancers or as tools to accomplish better results for their clients
  Challenges:
  • Data integrity – from data stored on multiple devices

Tech-savvy and IT workers
  Typical uses:
  • Personal Information Management
  • Social networking
  • Technical activities (e.g., server management/remote management)
  Comments:
  • Will often connect to multiple social networking sites and will probably blog / vlog as well
  Challenges:
  • Capacity to bypass security
  • Use of devices in unintended/unexpected ways

Sales people
  Typical uses:
  • Personal Information Management
  • CRM
  • Browser access to product details
  Comments:
  • May upgrade frequently to the latest model
  Challenges:
  • Loss of device reduces productivity
