While smartphones are nothing new for the enterprise – BlackBerries have long been standard knowledge-worker accessories – the explosion of competing platforms, increased horsepower and ballooning Internet connectivity have ramped up their security risks.
A recent Aberdeen Group study found that the typical enterprise must deal with an average of 2.8 to 3.3 different smartphone platforms . Meanwhile, more than two-thirds of those surveyed noted that some or all employees were permitted to use personal-liable mobile devices for corporate use.
That “some or all” is telling. Sure, you can establish a policy blocking the average user’s mobile phone from corporate access. What happens, though, when it’s a senior executive who is bringing some new, untested platform onto your network?
Will you say “no” to your CEO?
Clearly, Mobile phones are no longer something that IT can shrug off as someone else’s problem. They are simply too powerful and pervasive to ignore. If your organization is struggling to cope as smartphones invade the enterprise, these five best practices should help.
Treating a smartphone like a PC means installing endpoint security, enforcing device-side encryption, having policies in place for how to connect to corporate assets (such as through a VPN) and requiring strong authentication to unlock the device in the first place.
The gold-standard for secure smartphone usage is BlackBerry. The devices are encrypted, require passwords to unlock (although programs like UnlockIt are out there to bypass some of these requirements) and they can be controlled via the BlackBerry Enterprise Server, which gives IT the power to create and enforce more than 450 different policies.
The trouble is that knowledge workers aren’t satisfied with BlackBerries alone. iPhones and Androids are the new trendy gadgets, yet they don’t have the security pedigree of BlackBerry.
Even if new platforms are relatively untested from a security standpoint, that doesn’t mean they can’t be secured. As with the PC, most smartphone users will likely get their security from third parties. A number of security startups already have smartphones in their sights.
These include authentication vendors, such as MultiFactor Corporation with its SecureAuth solutions and Entrust with Entrust IdentityGuard Mobile; mobile antivirus vendors like Lookout and DroidSecurity; and mobile device management solutions from companies such as Zenprise, Good Technology and Trust Digital.
Of course, incumbent security vendors aren’t sitting this out. Symantec, Kaspersky, McAfee and Cisco have all released smartphone-related products.
Smartphone security products are out there, and it’s time for IT to start evaluating and adopting them.
Even though smartphones are becoming as powerful as PCs, they differ in important ways.
“Despite the risks associated with these devices, the current threat landscape is still in its infancy. The greater threat involves a lost or stolen device. In this case, password protection, encryption and related security measures become the highest priority to ensure the device and its data are secure,” said Khoi Nguyen, Group Product Manager, Mobile Security Group, Symantec.
Sure, laptops get lost and stolen, but it’s not really that common. According to Accenture, however, 10 to 15 percent of all handheld computers, PDAs, mobile phones and pagers are lost by their owners. This means that IT must expect these devices to get lost or stolen.
Besides password protection and encryption, IT should have the ability to remotely wipe or even brick phones. Even this, though, can be problematic.
According to Ahmed Datoo, VP of marketing at Zenprise, more often than not, users will delay reporting their device as lost or stolen, either in the hopes that they can retrieve the device or because they are embarrassed for losing it.
“Every second of delay could mean the loss of sensitive corporate data. Providing users with an ability to wipe their own devices will significantly reduce the risk of both personal and corporate data loss,” he said.
Another important difference is that IT does not own most smartphones, which makes enforcing security policies trickier. Many security experts recommend controlling what applications can be present on smartphones. That’s doable if the organization owns the phones, but it’s impossible when end users own them.
Next Page: Smartphone and network visibility
Comment and Contribute
Digg
del.icio.us
Newsvine
Facebook
Google
LinkedIn
MySpace
Reddit
Slashdot
StumbleUpon
Technorati
Twitter
Windows Live
YahooBuzz
FriendFeed
One of the ways around the issues of security and control that make some businesses wary of cloud computing is to build a private cloud -- one that remains within the corporate firewall and is wholly controlled internally. Private clouds also increase the agility of IT an organization's IT infrastructure and make it easier to roll out new technology projects. Download this eBook to get the facts behind the private cloud and learn how your organization can get started.
