Mobile computing technologies represent a true paradigm shift for organizations, providing an unprecedented level of autonomy and productivity for users by eliminating geographical barriers.
The traditional model of centralized applications and data is rapidly fading away as users continue to exploit the value of on-demand information regardless of geographic boundaries. From the user’s perspective, mobile technology is fantastic.
However, there’s a dark side to this increase in productivity: mobile computing technologies represent a rapidly growing challenge for security, privacy and compliance within the enterprise. iPads and other tablets, smartphones, and ubiquitous WiFi technologies have introduced a completely new world of threats and attack vectors to the organizations that use them, and security analysts – as well as the attackers who target those organizations’ mobile devices and networks – are just beginning to scratch the surface of ways to attack and defend this new and critical infrastructure. It’s truly the “Wild West” era for mobile security.
Of course, some of the threats that affect mobile devices are not really new; many are simply long-standing issues that have plagued stationary technology for years, such as malware and botnets, application vulnerabilities, device misuse, social engineering/phishing/”vishing” and device misconfiguration.
But many are truly unique to the mobile world. In particular, man-in-the-middle attacks are far more likely against mobile devices (as demonstrated by session-hijacking tools such as Firesheep), and the small form factor of the devices makes physical loss or theft far more likely as well.
Another key threat – and one that mobile platform vendors, in particular, prefer to gloss over – is the relative security of “trusted” application stores. Platform-specific stores including those from Apple, Google, Microsoft, RIM, Symbian and others provide an ocean of applications ranging from games, to productivity applications, to mobile platform development and management tools, all in one convenient location that is easily accessible directly from the mobile device desktop.
Unfortunately, the degree of vetting that application stores provide varies tremendously; while all app stores provide a vendor enrollment process, many do not provide technical standards, application development policies or developer authentication controls, all of which are critical to minimizing code-level vulnerabilities.
Some app stores don’t even provide evaluation of their developers’ applications (I’m looking at you, Android Marketplace…), virtually assuring that intentional malware can be easily encapsulated in a no-cost application that the user voluntarily installs on their own device.
At the Mobile Computing Summit in San Francisco a few weeks ago, the number of technologies presented by security firms aimed at minimizing these threats and ensuring the security of mobile devices was legion: from biometric authentication (to counter physical theft of the device), to advanced encryption (to protect data in transit), to virtualized “sandbox” technologies (to protect against malware intrusion), it’s clear that technology vendors are trying to hold back the tide of threats that mobile technologies introduce.
So what controls do federal technology and security managers need to implement on their mobile platforms to preserve the advantages that mobility provides while minimizing its risks?
First and foremost, federal agencies need to establish the right device ownership and management policy. Will the agency provide devices to users, and maintain complete ownership and management of them? Or will a bring-your-own-device (BYOD) policy be in effect, in which responsibility for managing the device is shared between the agency and the user?
These are not easy questions to answer, and will have major implications for budgeting, privacy, and mobile adoption across the enterprise. Regardless of the form that mobile technology takes within the agency, every organization needs an acceptable use policy that meets – or even exceeds – the requirements of their stationary use policy; with advanced technology comes advanced responsibility, and both employees and contractors need to understand their role in carefully managing these critical assets.
From a technical controls perspective, on-device protection is absolutely critical: anti-malware, firewall, and centralized policy management tools give security personnel a first line of defense against malware, mobile app exploitation, and users who might want to enable device features that could potentially compromise security.
Another key control is encryption: wherever possible, encrypt the pipe between the mobile device and agency resources, preferably with end-to-end methods such as a VPN or other tunneling. Centralized management tools, including policy enforcement, location tracking, remote lock/wipe, and remote backup and restore, are also critical, as they mitigate less tactical threats such as physical device loss and rogue users.
Finally, it’s important to remember that the first rule of security applies to mobile devices just as it does to any other technology: there’s no such thing as 100% secure. Ultimately, malware will make it through the front lines, users will find a way to bypass policy (accidentally or intentionally), and devices will be lost or stolen.
To minimize these threats, it is critical to continuously monitor the security data coming from your mobile devices. From communication logs, to policy reports, to endpoint security data from anti-virus, DLP, authentication and encryption tools, continuous monitoring of all security-related data and automated alerting on anomalies – a key component of situational awareness – is the most effective way to get in front of threats as they materialize.
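The continuous-monitoring step above, as an added example (not code from the article or from eIQnetworks): a small Python correlator that reads a constructed feed of MDM policy check-ins, authentication events and anti-virus detections, and raises alerts for disabled encryption, jailbroken devices, a login that succeeds after repeated failures, malware, and devices that stop checking in. The feed format, field names, device names and thresholds are all assumptions.

```python
# Added example (not from the article): correlate mobile-device security events
# and raise alerts. Assumes a newline-delimited JSON feed with "ts", "device",
# "source", "event" and optional fields; SAMPLE_EVENTS is constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta
SAMPLE_EVENTS = """\
{"ts":"2011-09-01T08:00:00","device":"tab-017","source":"mdm","event":"checkin","encrypted":true,"jailbroken":false}
{"ts":"2011-09-01T08:01:00","device":"tab-042","source":"mdm","event":"checkin","encrypted":false,"jailbroken":false}
{"ts":"2011-09-01T08:02:00","device":"ph-103","source":"mdm","event":"checkin","encrypted":true,"jailbroken":true}
{"ts":"2011-09-01T08:05:00","device":"tab-017","source":"auth","event":"login_failed"}
{"ts":"2011-09-01T08:05:20","device":"tab-017","source":"auth","event":"login_failed"}
{"ts":"2011-09-01T08:05:40","device":"tab-017","source":"auth","event":"login_failed"}
{"ts":"2011-09-01T08:06:00","device":"tab-017","source":"auth","event":"login_ok"}
{"ts":"2011-09-01T08:10:00","device":"ph-103","source":"av","event":"malware_detected","name":"Test.Sample"}
"""
AUTH_FAIL_THRESHOLD = 3              # failed logins inside AUTH_WINDOW ...
AUTH_WINDOW = timedelta(minutes=5)   # ... followed by a success -> alert
CHECKIN_GRACE = timedelta(hours=24)  # silent longer than this: possible loss
def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect_anomalies(events, now):
    """Return (device, alert) tuples; `now` may be a datetime or an ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    alerts, last_seen, fails = [], {}, defaultdict(list)
    for e in events:
        dev, src, kind = e["device"], e["source"], e["event"]
        if src == "mdm" and kind == "checkin":
            last_seen[dev] = e["ts"]
            if not e.get("encrypted", False):
                alerts.append((dev, "policy: storage encryption disabled"))
            if e.get("jailbroken"):
                alerts.append((dev, "policy: device jailbroken/rooted"))
        elif src == "auth" and kind == "login_failed":
            fails[dev].append(e["ts"])
        elif src == "auth" and kind == "login_ok":
            recent = [t for t in fails.pop(dev, []) if e["ts"] - t <= AUTH_WINDOW]
            if len(recent) >= AUTH_FAIL_THRESHOLD:
                alerts.append((dev, "auth: success after %d failures" % len(recent)))
        elif src == "av" and kind == "malware_detected":
            alerts.append((dev, "av: malware %s" % e.get("name", "?")))
    # A device silent past the grace period may be lost or stolen (lock/wipe candidate).
    for dev, ts in last_seen.items():
        if now - ts > CHECKIN_GRACE:
            alerts.append((dev, "mdm: no check-in for >24h, possible loss"))
    return alerts
```

Run with `detect_anomalies(parse_events(SAMPLE_EVENTS), "2011-09-01T12:00:00")` to see the four alerts the sample feed produces; a later `now` additionally flags every device that has gone silent.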
John Linkous is Chief Security and Compliance Officer for eIQnetworks, Inc. specializing in information security, regulatory compliance and enterprise systems management. He works directly with senior security executives in federal civilian and DoD agencies, as well as the healthcare, financial services, aerospace, retail, and telecommunications sectors.