We see the pattern time and again. “Everyone” agrees that a new technology will transform business and you must be part of it or risk being left behind. Businesses caught up in the hype rush to implement optimistic and poorly thought out projects. Something goes wrong resulting in massive costs and reputational damage. Finally, we take a more cautious and realistic approach to building the new technology into our business models and the technology starts to meet its early promise.
Such is Enterprise mobility. The notebook, smartphone, and broadband wireless are enabling technologies, allowing us to break away from the office and have accelerated a transformation of how we think of the workplace. Benefits from anywhere access to data and tools include a boost to productivity, improved customer service, and flexibility for employees. The concept appears to be a clear win/win with evangelist’s spruiking the undeniable benefits, but often ignoring the security implications. We are a long way down the road to mobile maturity, but we are not quite there yet.
Early mistakes were made, and records show it takes time for an industry to adapt and learn. In 2006, millions of health records in the US were exposed from a stolen laptop, resulting in a class action that cost tens of millions on top of the privacy and identity theft issues. Lesson learned? Perhaps not, try googling breaches from lost and unencrypted notebooks and smartphones and you will find the same mistake made time and again.
A variety of risks and mistakes continue to be documented. Just this month a Chinese firm admitted to installing hidden software that sends the users text messages, call log, contact list, location history, and app data back to Chinese servers – software that may have been preinstalled on as many as 700 million phones! What happens when such a phone is brought inside your corporate network as a BYOD device?
So how to reduce these risks? Any solution must take into account the diverse range of devices, technologies, and user awareness that is present across an organisation as well as trade off security for ease of access and use.
Attempting to implement a specific solution for each disparate device, scenario, and individual is prone to failure and akin to wack a mole. Instead, a multilayered approach can work with a fundamental focus on data, authorisation, and compliance rather than the device or specific risks. Applying broad strategies that can cover unforeseen risks as well as known risks – make the system as intrinsically safe as practical. Build a consistent, secure environment across devices and applications, and quarantine and protect that environment from unregulated parts of the system.
The most successful solutions will allow a company to maintain control of its data while not getting in the way of work.
Elements of a Mobile Security Strategy
In order to develop a robust mobile security strategy, consider a wide range of technologies and techniques, then pull them together to meet your security objectives and implement a consistent strategy.
Manage the Human Factor
The greatest vulnerability in any corporate security system are its people. People want to get their job done, not fight with the tools and access they need to do that job. Where security gets in the way, then they will work around it and introduce new risks.
Staff will use weak passwords that are easy to remember. They will click on random email attachments with no thought that they may be a virus. They will help the nice man, purportedly from Microsoft, remotely take over their PC to fix the “computer problems” he generously rang them about. They will enter their credentials into a fake website, just, because. They will jailbreak their phone. They will let little Jonny install a game that comes with a special payload of malware. They will not do these things to harm their company, boss, or IT staff, but rather because their focus is on their work and because they don’t have the knowledge or awareness to know better.
People don’t like to feel needlessly constrained in what they can do with their tools, or even which tools they are allowed to use, and that is doubly so when they are using personal devices for work. Security policies will be more effective if they take into account user expectations and behaviour. Enforce password policies but perhaps also support alternative and easier authorisation methods, say fingerprint access. To share files, the standard corporate fileserver may not cut it for staff used to using Dropbox or OneDrive, so perhaps look at cloud options that can be implemented in a secure way. Solicit requests from staff about current pain points and any tools or functions they feel are missing and work out a way to help them out – with security integrated.
Work with staff to meet their needs rather than try to dictate from on high what staff must use.
Redefine “The Workplace”
In the world of enterprise mobility, the “Workplace” is now a collection of locations, devices, data, and communication channels. Not all of these elements are under direct control of the corporate and edges to the corporate environment are necessarily blurred.
Defining a mobile security environment then necessitates a focus on defining and monitoring flows and storage of information and identifying where boundaries are set and how to control movement of data across those boundaries.
Set and Enforce Mobility Security Policies
To limit risks of unauthorised access, a strict mobile security policy is essential.
The basics include enforcing a lock policy on devices, and device encryption. You can also set compliance requirements for devices such as ensuring patches and anti virus are up to date, and check that the device is not jail broken or has risky software installed on it.
To implement such policies you need some control over the device, and that can cause issues in the case of BYOD where policies may conflict with personal use of the device, or where enforcement of compliance may not be realistic on the device.
Application control aims to reduce to risk posed by security flaws in particular applications. At a basic level using a white or blacklist of approved applications and versions might be enforced alongside centralized provisioning and management. More advanced methods that have emerged in recent years include security and management protocols baked into applications. Again, in many cases where staff are using personal devices, enforcing application control can be a point of conflict.
Protect Data in Transit, Layer Security
Mobile devices may access corporate resources across a changing variety of network infrastructure including public and unsecured wireless hotspots. Ensuring traffic that transits across such networks is secured by appropriate encryption protocols is essential.
Some small businesses allow remote users to login work machines directly with the windows RDP protocol. Don’t. While RDP is generally secure, you only need one bug or weak password and you have a breach. Require a VPN to carry your RDP traffic (remember CVE-2012-002 which allowed RDP servers exposed to the internet to be compromised. You don’t want that.) A VPN may itself have bugs or other vulnerabilities, but two reasonably independent layers are much less likely to be penetrated than one.
BYOB vrs CYOD
In some environments Choose your Own device rather than Bring your Own Device is a popular trade off where policy allows staff to choose from a wide range of acceptable devices that are owned by their company rather than allow an open slather approach. This approach can reduce the range of potential vulnerabilities and will reduce conflict over acceptable use of the device by maintaining hardware ownership within the company.
Protect Documents at the File Level
Rights Management technologies can be used to secure access to company documents by default, and to restrict movement of those documents outside of a secured environment. At a basic level that means encrypt all documents and only unlock those documents after appropriate authentication is applied. This means if a document is accidently emailed, or a device with the documents stolen, the document will still not be accessible. It also means that if authorisation is revoked for a user, they lose access to corporate information, even if that information is still on their personal devices.
Restrict Printing, Emailing, or Copy/Paste of Corporate information
Following document encryption, the potential exists for decryption to occur at a whitelisted application level where the approved application can also restrict the ability to copy or print sensitive documents.
Whole device encryption is slowly becoming standard on smartphones (much to the highly publicized concern of some government authorities) and is a must to ensure data on devices can not be read, even if an unauthorised person gains direct access to the devices file storage.
Technology such as bitlocker has been available for some time and is underused on notebooks and desktops. Trusted Platform Modules (TPM) is now quite common on business focused laptops and allows for simple access with bitlocker enabled on a notebook.
File level encryption may be more appropriate where personal devices are in use and to better protect documents that may be transmitted to other users or to remove file servers or cloud storage. Using both technologies is reasonable and largely invisible to the user.
Use Multi Factor Authentication
Typical authentication requires knowledge or access to a single authentication key, such as a password or a physical device. The problem then is when that access method is discovered or becomes accessible to an unauthorised person, then the attacker is straight in.
Two factor authentication requires access to two different categories of authentication keys, selected such that if one authentication method becomes exposed, it remains unlikely that the second method is also exposed so the attacker still cannot gain access. For example, an online portal might be secured with a password but also requires access to a separate security fob that generates a changing one time password. If the set password is exposed, an attacker still cannot log in without physical access to the security token. For highly sensitive information, additional authentication requirements might be added.
The main drawback of multi factor authentication is the additional time and nuisance of entering two or more authentication keys every time data is accessed. This issue should be managed by considering the value of the protected content and apply realistic policies to find a reasonable balance. For example, when accessing data at an online portal from a particular device policy may require the password entered on every access (or after a short timeout) but the changing security token to be applied only once per day when access can be verified to be from a previously authorised device.
Device Access Control
Maintaining a registered list of approved devices (corporate and personal owned) can allow for access to be restricted to those devices, reducing the issues with an open slather approach.
Partitioning Personal and Corporate Data
When accessing corporate data and systems on personal devices, isolating corporate from personal data and usage can help maintain privacy for the user and secure corporate data from unsanctioned access or copying. Access to corporate data can then be restricted to approved applications and allow a remote wipe function on corporate data without touching personal data.
Use Data Analytics and Context – Conditional Access
Increasingly intelligent authorisation systems can be used to detect and block unusual activity and tailored to complementary systems that are in use.
Fred might log into a company cloud storage in the evening for an hour or two accessing from his home internet originating from an IP address in Brisbane. He might access the same information the following day from a wireless hotspot while at lunch, also in Brisbane. An hour later, he tries to access the information from a IP registered in Melbourne and different device. That may raise a flag and an advanced authorisation system might block that one and lock his account in case it’s an attempt using leaked credentials.
Use an Enterprise Mobility Solution
A range of enterprise mobility solutions are available from major IT corporates and are under rapid development. A number of packages have reached a level of maturity and include many of the technologies discussed in this article along with excellent reporting tools and risk management systems. They are worth considering as an excellent starting point and core component of your mobile strategy.
Enterprise mobility solutions can be assessed by features including:
- support a wide range of devices, environments, and applications.
- include threat detection based on known attacks and vulnerabilities, and abnormal behaviour.
- wipe all corporate data from a device when an employee leaves an organisation
- set policy restrictions on, for example, restrict the ability to cut and paste content to unprotected files.
- prevent access on devices or in environments that do not comply with security policies, such as jail broken phones, and lock or remove data on devices that become non-compliant.
- provide a end user based a self-service portal for users to enrol their own devices
- include single sign on so once authenticated, multiple applications and sites are accessible.
- support bulk deployment tools to enrol devices, change rules, and install applications on large scale.
Bringing it all Together
Enterprise Mobile Security requires wide-ranging integration of technologies, procedures, and policies and is one of the toughest and most important systems to get right in your organisation. It requires a good knowledge of your business but also of the technologies available.
My advice is to keep your eye on the big picture and continuously weigh up risk against productivity while reviewing the systems effectiveness, and feed those reviews back into incremental improvements. The more traditional rigid approach of ticking boxes and believing you are secure is a sure path to failure.
For smaller organisations, draw on the experience of external experts, but don’t buy into a prepacked, “standard” solution (there is no such thing). Work with consultants to help them understand your business, and work with them to tailor the technology and policies to your needs.