Published on February 17, 2014
Mobility, Security and the Enterprise: The Equation to Solve

IT departments need to think long and hard before deciding on the right mobile device platform for their business needs.

CONTENTS
The Increasing Impact of Consumerization
The Impact of Mobility on Network Security
Making Smarter Decisions – Android – iPhone/iPad – Microsoft Windows Phone – RIM – Symbian
SonicWALL Solutions for Mobile Device Security
Conclusion: Making Smart Choices
Abstract

Smartphones and tablets are everywhere today – equally found in the hands of consumers or the enterprise community. But for all their apparent user-friendliness, these mobile devices can represent a significant threat to corporate data. IT departments need to think long and hard before deciding on the right smartphone platform for their business needs.

The Increasing Impact of Consumerization

The “Consumerization of IT” is an industry-accepted idiom introduced by Gartner® Inc., who reports that the majority of new technologies enterprises currently adopt for their information systems will have roots in consumer applications.[i] At the same time, because employees now work anywhere at any time and need constant access to key corporate information, they rely upon the same smartphone technology they use in their personal lives to extend their workday and increase efficiency. However, IT can no longer force users to carry one IT-managed smartphone (e.g., RIM BlackBerry) for work and another consumer device for personal use.

With an ever-increasing percentage of the workforce having grown up using the Internet and mobile phones, more workers feel entitled to greater freedom in selecting their business computing devices, and smartphones are their devices of choice. More than a third of consumers in Western Europe will access the Internet using their mobile phones by 2014.[ii] Eighty-five percent of Americans age 15-18 own a mobile phone.[iii] Those now joining the workforce tend to believe that the technology they have at home is better than the one they have at work.[iv] Among “millennials,” sixty-nine percent will use whatever application, device or technology they want, regardless of source or corporate IT policies. Less than half will stick to company-issued devices. Moreover, a greater percentage compared with older employees will regularly store corporate data on personal smartphones.[v] This trend will only increase over time.
The power of users now rules the day. IT has effectively lost its ability to constrain the choice of smartphone access in a corporate setting. Further vexing IT administrators is that the scope of the issue continues to expand as new categories of devices are introduced to the corporate network, including devices such as the Apple® iPhone® and iPad®.

A moving target

Face the facts: there will be many rapid changes in smartphone platforms, beyond the control of corporate IT. Administrators must deal with multiple operating system platforms including iOS, Google Android, Nokia Symbian and Microsoft Windows Mobile and Windows Phone 7, with an additional potential for new providers from emerging technology powerhouses such as China. As a result, significant IT investment in securing any particular consumer smartphone platform is practically untenable over time.

IT must have an agnostic approach to smartphone platforms to support multiple platforms for their users, as well as provide contingency for access continuity. For example, BlackBerry users in certain countries have faced threatened service outages that could have required them to switch to a different platform.[vi] Subsequently, to minimize risk of regional loss-of-service, a global business cannot depend solely upon the viability of a single smartphone vendor’s platform, but instead, must deploy smartphone solutions that are able to facilitate multiple platforms.

The need for platform flexibility could potentially undermine IT controls gained from mandated deployments of single-vendor platforms, such as BlackBerry Enterprise Server (BES). The burden of juggling support for multiple smartphone platforms can also take IT resources away from securing other aspects of the network. Ultimately, new business technology should enhance employee productivity, not overwhelm it.
Organizations must bear in mind the impact that individually supporting and securing multiple smartphone platforms will have upon administrative overhead and total operating costs.

Risk/reward: a complex equation

Perhaps the biggest threat is from users themselves, who are increasingly utilizing their mobile devices with scant regard for IT policies; for example, playing games or checking personal webmail while connected to corporate networks. Increasingly, mobile device usage is placing great pressure on corporate network resources, too, especially when users consume high-bandwidth content such as video. According to a study by IDC, people downloaded 10.9 billion mobile apps in 2010 (a figure IDC expects will increase to nearly 76.9 billion by 2014[vii]), each a potential threat to corporate security.

The combination of these factors presents IT departments with a serious dilemma. On one hand, smartphones and tablets are simply too powerful and useful for businesses to ignore, empowering users in completely new ways and enabling them to work far more flexibly and productively. On the other hand, they are also difficult to deploy securely, adding substantial pressure to technology budgets and resources.

Getting this balance between reward and risk right is a familiar problem for IT managers. Security must be seen to be enabling the business, rather than holding it back from the rewards many of these new devices offer. However, mobile devices present them with new challenges. Not least of these is the risk that the IT department may actually be harming, rather than enabling the business, by imposing overly restrictive security policies. In order for organizations to obtain maximum benefit from the mobility phenomenon, they need to think about how much access they can give to the workforce, not how little. That in turn means making some important decisions about where and how the different mobile platforms really need securing.

The Impact of Mobility on Network Security

Mobile devices are outside of IT control

Smartphones and tablets operate in two worlds: they can connect to the corporate network over wireless, or bypass the network entirely using mobile cellular connections. This means they might download malware from the web over 3G/4G, and then disseminate it to the network over the corporate WiFi network. Transferring data in and out of the corporate network, smartphones are beyond IT control. It is harder for IT to control what users do with their smartphone devices, and how these devices expose business data to security threats. Even if IT issues them, any endpoint device that can bypass security measures is insecure.

Data leakage and loss

The proliferation of smartphones in corporate environments creates new and wider potential for data loss and leakage, whether by theft, unauthorized access or unauthorized transmission. Determined professionals can ultimately undermine even “unhackable” smartphone platforms.[viii] Smartphones may also retain sensitive or proprietary data while connected to the corporate wireless network, then leak it over unsecured cellular to the web, and IT has no recourse. In addition, a growing amount of data loss via smartphones originates within the corporate organization. Whether unintentionally, maliciously or driven by profit, a growing amount of sensitive and proprietary data is lost and leaked via smartphone email attachments and FTP uploads.

Locally resident smartphone data is only as secure as its Subscriber Information Module (SIM) card. Users more frequently lose smartphones than computers. Smartphone content is more vulnerable to theft by whoever finds the misplaced device, as network access codes, usernames and passwords are often unsecured. Even worse, users often pre-program this sensitive information into the handset for automatic log-on.[ix] In addition, thieves can thwart attempts by IT to wipe data remotely simply by removing the SIM.

The widespread practice of “jailbreaking,” or opening a phone to customize its features or functionality (such as to overcome restrictions on alternate mobile service carrier networks), also poses a serious security threat. For example, jailbreakers using Secure Shell (SSH) applications to enable full access to their smartphones often overlook updating their root passwords, making them accessible to outside attack. Additionally, jailbroken phones often void smartphone service agreements, and jailbroken systems often go untested in product update development.[x] Moreover, jailbreakers often resell these compromised devices.

A mobile device that can access the network via a corporate wireless access point represents the same kind of threat as any other endpoint. The problem is only different in that a phone or tablet is less likely to be running security software. A somewhat uncommon threat is the possible compromise of a mobile device via its Bluetooth® connection. This requires physical proximity and specific knowledge. However, if the ultimate target is a larger network, this may be worth the effort for a perpetrator.

Malware infection

As their numbers increase, mobile devices become a more lucrative target for criminal attacks. The same threats that plague traditional computer operating systems can affect smartphones and tablets, disseminated in emails, social media sites, games, screen savers, instant messages, slide shows, or in some cases by shady URL-shortening services, which make bogus redirecting links more difficult to identify. One report cites that Android users in mid-2011 were 2.5 times more likely to encounter malware than at the beginning of the year. In particular, DroidDream malware had affected an estimated 250,000 mobile devices.[xi]

Mobile devices can magnify malware distribution by spam, phishing, pharming and pretexting. Because smartphones and tablets are a more intimate communications channel than a computer, users are more likely to interact with files masquerading as personal communications. Likewise, users cannot as easily detect cues that a website is a false front on a handset with a small smartphone screen.
Mobile device users have a 30% likelihood of clicking an unsafe link.[xii] Again, the infection may not be apparent even after perpetration, and propagate via smartphones across corporate IP networks.

Bandwidth overconsumption

The sheer volume of interactive Web 2.0 and streaming media traffic over smartphones can affect corporate wireless network throughput. Some of these applications, such as streaming video applications, constantly evolve to avoid control. In addition, like any web-facing endpoint device running applications over the network, smartphones present a potential channel for forced denial-of-service attacks.

Making Smarter Decisions

Choosing a mobile device platform that is safe, easy to configure and manage, and that is flexible enough to meet the needs of employees and senior executives sounds easy on paper. In practice, however, it is one of the biggest challenges ahead for IT managers.

To be certain that devices are safe, IT departments must design security policies that are invariably a complex blend of technology and policy. Some aspects of these systems, such as mandatory reporting of lost or stolen phones, are largely device-independent and are thus relatively straightforward for organisations to enforce. But others, such as varied access levels depending on device type or control and optimization of smartphone and tablet traffic across WiFi networks, clearly depend on more-sophisticated technical insight.

Most analysts agree that enterprises should be able to enforce several basic security features on any mobile device, including mandatory passwords, over-the-air device wiping capabilities and data encryption on the device itself. In practice, the choice of the platform itself will determine the effectiveness of the overall policy.
Not all mobile devices are equal, and some vendors make it harder than others do to enforce rigorous security protocols and policies.

Android

Google’s Android® operating system has been a huge success with the handset vendor community, attracted by the completely open-source nature of the operating system. Such has been its popularity that Gartner reports that, by the end of 2011, Android will move to become the most popular operating system (OS) worldwide and will build on its strength to account for 49 percent of the smartphone market by 2012.[xiii] Although seen initially as a consumer platform (with the added benefit of a less restrictive and more flexible apps model than the iOS), Google has continually improved security support with successive releases of the operating system. Google has also added other security features, such as remote wipe and upgraded password policy enforcement, adding to Android’s appeal to the business community.

iPhone/iPad

Few pieces of technology have garnered as much attention as the Apple® iPhone® and iPad®. The iPhone remains a more popular smartphone choice for discerning consumers in its target markets. Gartner predicts that iOS will remain the second biggest platform worldwide through 2014.[xiv] While Apple cites the closed, tightly controlled iOS ecosystem as a security benefit, iOS applications can only be distributed, installed and backed up via the Apple App Store℠ and iTunes®. This can affect organizations wishing to maintain control over the way they deploy their own or trusted third-party applications. Apple has become friendlier to enterprise iPhone customers, in particular by supplying VPN capability as standard, enabling access to some features of Microsoft® Exchange and including remote-wipe and automatic device-erasing features.

Microsoft Windows Phone

The latest version of Microsoft’s mobile device operating system, Windows® Phone 7, attracted a great deal of attention following its launch in 2010.
Long criticized for the performance and usability of its mobile operating systems, the company’s latest version improves many aspects of the mobile Windows experience, in particular security access features and integration with back-office Microsoft applications that make it a powerful tool for accessing corporate data on the move. Like Apple, however, Microsoft has yet to provide a central console for large-scale management of devices, which limits options for security-conscious IT managers. It is also exclusively dependent on its own version of Apple’s App Store – Windows Phone Marketplace – for installation and distribution of applications, diminishing its appeal to the enterprise customer wishing to deploy apps and data in a carefully controlled manner. Gartner predicts that Nokia will push Windows Phone well into the mid-tier of its portfolio by the end of 2012, driving the platform to be the third largest in the worldwide ranking by 2013. In addition, Windows Phone will account for 19.5% market share by 2015, above Apple’s 17.2%, and account for 215 million worldwide shipments by 2015.[xv]

RIM

While devices such as the iPhone are trying to make the transformation from consumer to business devices, RIM is attempting to make exactly the opposite transition. Long favoured by corporate IT departments for its focus on providing superlative email facilities, RIM’s devices have historically not enjoyed the same degree of user evangelism as their more glamorous contemporaries. Apps, in particular, were late arrivals. In Q1 2011, there were still approximately 20,000 Blackberry apps in RIM’s app store, a small fraction of the number offered by iPhone and Android developers. Blackberry’s browser and interface, too, lack the usability of its main competitors.
With 13.4 percent of projected global sales in 2011, however, RIM is clearly still a force to be reckoned with, especially in corporate markets where its ubiquitous email platform, robust hardware and excellent battery life all appeal to business users. Perhaps its biggest asset is the Blackberry Enterprise Server, which gives enterprises advanced central device management and control of security over the air, a feature unique to date among mobile device vendors. However, as more vendors enter the
personal firewall and anti-spyware solutions from leading vendors like McAfee®, Symantec®, Computer Associates®, Sophos®, Kaspersky Lab® and many more.

SonicWALL is the only provider that solves the challenges of access, security and control with SonicWALL Clean VPN, Clean Wireless and Application Intelligence and Control. When SonicWALL SRA solutions are deployed with a SonicWALL Next-Generation Firewall, SonicWALL Clean VPN scans tunnelled traffic to block malware from using communications as a conduit into the network. SonicWALL Application Intelligence and Control can allow increased bandwidth for critical applications, while limiting bandwidth for unimportant or unacceptable traffic.

SonicWALL® Clean VPN™ delivers the critical dual protection of SSL VPN and high-performance Next-Generation Firewall necessary to secure both VPN access and traffic. The multi-layered protection of Clean VPN enables organizations to decrypt and scan for malware on all authorized SSL VPN traffic before it enters the network environment. Clean VPN protects the integrity of VPN access by establishing trust for remote users and their endpoint devices, using enforced authentication, data encryption, and granular access policy. Simultaneously, Clean VPN secures the integrity of VPN traffic by authorizing this traffic, cleaning inbound traffic for malware, and verifying all outbound VPN traffic in real time.

SonicWALL Application Intelligence and Control can maintain granular control over applications, prioritize or throttle bandwidth, and manage website access. Its comprehensive policy capabilities include restricting transfer of specific files and documents, blocking email attachments using user-configurable criteria, customizing application control, and denying internal and external web access based on various user-configurable options.
The SonicWALL Application Flow Monitor provides real-time graphs of applications, ingress and egress bandwidth, active website connections and user activity. This visualization capability enables administrators to effectively monitor and revise policy based on critical observations. In addition, when connecting over WiFi inside the corporate network and scanned by a SonicWALL Next-Generation Firewall, mobile devices adhere to organizational security, app control and content filtering policies.

The SonicWALL Application Traffic Analytics solution is a combination of a SonicWALL Next-Generation Firewall and one of the software tools in SonicWALL’s suite of traffic flow analysis applications, including SonicWALL Global Management System (GMS) 7.0, SonicWALL Analyzer or SonicWALL Scrutinizer. The incorporation of next-generation syslog and IPFIX for application traffic analysis results in granular, flexible and easy-to-use real-time application level reporting capabilities.

Conclusion: Making Smart Choices

The “Consumerization of IT” has made an increasing impact on business mobility solutions. Yet consumer mobile devices are largely outside of IT control. Like any unmanaged endpoint, mobile devices can be conduits for data leakage and loss, malware infection and bandwidth consumption. Organizations must choose products and technologies that address the very specific challenges that smartphones and tablets present.

While mobile devices are too important for business to ignore, they can be difficult for IT to deploy securely. Mobile device technology remains a moving target for IT. Google, Apple, Microsoft, RIM and Nokia are all players in today’s mobile device market, each with their own corresponding strengths. Ultimately, IT must design mobile device security that blends technology and policy. Today’s smartest IT professionals will look not just to the platform vendors to ensure a peaceful and productive mobility future, but to the security community, too.

©2011 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. 093/2011

[i] “Gartner Says Consumerization Will Be Most Significant Trend Affecting IT During Next 10 Years,” Gartner Inc., October 20, 2005
[ii] “Western European Mobile Forecast, 2009 To 2014,” Forrester Research, August 31, 2009
[iii] “Media in the Lives of 8 to 18 Year Olds,” The Kaiser Foundation, January 2010
[iv] “The State of Workforce Technology Adoption: US Benchmark 2009,” Forrester Research, Inc., November 11, 2009
[v] “Millennial Workforce: IT Risk or Benefit?,” Symantec, March 2008
[vi] “Emirates to Cut Data Services of BlackBerry,” New York Times, August 1, 2010
[vii] “Worldwide and U.S. Mobile Applications, Storefronts, and Developer 2010–2014 Forecast and Year-End 2010 Vendor Shares: The ‘Appification’ of Everything,” IDC Report, December 2010
[viii] “‘Unhackable’ Android phone can be hacked,” Network World, July 29 2010
[ix] “5 Things You Need to Know About Smartphone Security,” CIO Magazine, September 8, 2009
[x] “Jailbreaking Your iPhone: The Pros and Cons,” Macworld, August 6, 2010
[xi] “Lookout Mobile Threat Report,” Lookout Mobile Security, August 2011
[xii] “Lookout Mobile Threat Report,” Lookout Mobile Security, August 2011
[xiii] “Forecast: Mobile Communications Devices by Open Operating System, Worldwide, 2008-2015,” Gartner, Inc., April 2011
[xiv] “Lookout Mobile Threat Report,” Lookout Mobile Security, August 2011
[xv] “Lookout Mobile Threat Report,” Lookout Mobile Security, August 2011