Over the past several years, industries with mobile workforces have woken up to the issue of laptop protection. Most IT Asset Managers are now sold on the notion that the data on a device is likely worth considerably more than the device itself and, regardless of the company’s given industry, the device most likely falls under both a regulatory umbrella and related corporate policies that require them to protect that data.
Through a layered approach to security, including physical protection, encryption and theft recovery/alert reporting technologies, ITAM staffs generally have a good handle on protecting both the laptop and the data on it.
However, new breeds of devices are invading the workspace: smartphones, tablets, and hybrid devices are in some cases as powerful and have more storage than desktop computers had a decade ago. With them is a host of issues around their management and the risk of data breaches, especially as mobile device companies promote the ability for data to move reasonably seamlessly between the corporate LAN and these mobile endpoints.
Further complicating matters is the issue of consumerization, whereby employees are bringing their own devices into the enterprise, often without the blessing of corporate IT.
While a variety of encryption solutions are available for most mobile devices, as with laptops, IT asset managers must consider a layered approach as they put policies in place to protect and track these devices. Often merely encrypting the device is insufficient, and encryption is only as good as the password on the handset.
Defining the Minimum Mobile Security
John Pescatore, a senior analyst with Gartner describes what he considers the “four commandments” for mobile asset security. In Pescatore’s mind, to be considered for enterprise use, a smartphone or tablet should at least allow a corporation to enforce:
- A mandatory password (a strong password, not just a four digit PIN)
- A mandatory activity timeout requiring password reentry
- An over-the-air kill capability to wipe and disable device if lost or stolen
- Device content encryption
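As an added illustration (not from the article), the following audit turns the four requirements above into a check that can be run over device profiles reported by an MDM system. The field names, the six-character minimum and the 15-minute timeout ceiling are assumptions; real MDM products expose their own schema and an organization sets its own thresholds.

```python
# Added example (not from the article): audit MDM-reported device profiles
# against the four minimum requirements. Field names and thresholds are
# assumptions for illustration; a real MDM API uses its own schema.
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_PASSWORD_LENGTH = 6      # assumed: anything shorter is treated as a PIN
MAX_IDLE_TIMEOUT_MIN = 15    # assumed ceiling for the inactivity lock

@dataclass
class DeviceProfile:
    device_id: str
    password_required: bool
    min_password_length: int            # 0 if no minimum is enforced
    alphanumeric_required: bool         # False means a numeric-only PIN is allowed
    idle_timeout_minutes: Optional[int] # None if no timeout is enforced
    remote_wipe_enrolled: bool
    storage_encrypted: bool

def audit_device(p: DeviceProfile) -> List[str]:
    """Return the requirements the device fails (empty list if compliant)."""
    failures = []
    # 1. Mandatory strong password, not just a four-digit PIN
    if not p.password_required:
        failures.append("no mandatory password")
    elif p.min_password_length < MIN_PASSWORD_LENGTH or not p.alphanumeric_required:
        failures.append("password policy permits a simple PIN")
    # 2. Activity timeout requiring password re-entry
    if p.idle_timeout_minutes is None or p.idle_timeout_minutes > MAX_IDLE_TIMEOUT_MIN:
        failures.append("inactivity timeout missing or too long")
    # 3. Over-the-air kill/wipe capability
    if not p.remote_wipe_enrolled:
        failures.append("device not enrolled for remote wipe")
    # 4. Device content encryption
    if not p.storage_encrypted:
        failures.append("storage not encrypted")
    return failures

def noncompliant_devices(inventory: List[DeviceProfile]) -> Dict[str, List[str]]:
    """Map device id -> failures for every device failing at least one check."""
    return {p.device_id: f for p in inventory if (f := audit_device(p))}

# Constructed sample inventory (device ids are placeholders)
SAMPLE_INVENTORY = [
    DeviceProfile("tablet-001", True, 8, True, 10, True, True),
    DeviceProfile("phone-002", True, 4, False, 30, True, False),   # PIN-only, slow lock, no encryption
    DeviceProfile("phone-003", False, 0, False, None, False, True),
]

if __name__ == "__main__":
    for dev, why in noncompliant_devices(SAMPLE_INVENTORY).items():
        print(dev, "->", "; ".join(why))
```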
The above requirements demonstrate why RIM’s BlackBerry devices continue to be the market leader in the enterprise – much to the consternation of employees who want to access corporate data on their iPad.
In many cases, mobile device security begins well before the handset. Full-disk encryption (FDE) can go a long way to protecting the computer at the user’s desk. But if that user is still able to insert an SD card into their laptop or desktop, copy data to it and then insert that card in their smartphone, the enterprise may be exposed if that device is lost. If this risk is a concern, corporate policies need to be put in place with an appropriate data loss protection/prevention (DLP) application to ensure critical data isn’t copied to removable media. Alternatively, policy can require that any removable media the data is copied to be encrypted. DLP applications can also help ensure that critical data isn’t emailed to a smartphone.
There is no denying protecting data on mobile devices is challenging. The myriad of form factors, operating systems and devices means there is no one-size-fits-all solution. As a result, many pundits suggest that the best solution for addressing security for data stored on endpoints is to keep corporate data off the devices altogether. If a device is lost, stolen or compromised, there’s nothing on the device of concern. Where do the data and applications go instead? The cloud.
If you feel moving to the cloud is for you, there are numerous ways to accomplish this move. While some so-called cloud solutions are merely window dressing, others do provide a solid framework for endpoint mobile data security that, in theory, removes the requirement for mobile endpoint encryption.
However, like encryption, there is still no one-size-fits-all solution and solid password policies remain an integral part of any cloud solution.
VPN and the Cloud
For any enterprises considering the cloud as a security panacea, at first blush the simplest answer seems to be a VPN solution. Employees that want access to company data from mobile devices are required to fire up their VPN client and connect via an encrypted session to the corporate LAN where the data resides. VPN clients exist for virtually all of the popular mobile platforms out there. While applications might be run locally, the data, in theory, remains upstream, encrypted and protected in the company servers.
However, without an effective mechanism to ensure the data isn’t copied to a local device, VPN solutions perhaps allow an enterprise to tick a regulatory check-box, but they certainly shouldn’t allow IT staff to sleep well at night.
Using Virtualization with the Cloud
A more sophisticated solution that both protects data and allows for consumerization employs virtualization to help ensure true multi-tenancy on a mobile device.
The term “multi-tenancy” is gaining ground to describe a mobile device which contains both an employee’s personal data, such as personal pictures, email, passwords, as well as their corporate data.
And if an employee is supplying their own device, a virtual solution means the organization does not have to own the device, nor (in theory) the network. Physical assets stay in the enterprise, with the intangible logical component on the personal mobile device.
A virtualization solution such as Citrix Receiver allows a user to run a virtual desktop on any mobile device of their choosing. Backend servers deploy services to the receiver on the device endpoints. Because the virtualization solution runs in its own space on the mobile device, in theory the data remains firmly segmented, with little to nothing copied to the endpoint, other than the client application. IT Staff need not worry about encryption on the device, because there’s nothing on the device at all.
Additionally, virtualization solutions allow IT Asset Managers to keep a firm handle on software inventories.
An extreme example of this virtualized solution is the new breed of devices running Google’s Chrome OS. A mobile device running Chrome appears to the end-user as a fully functional mobile computer, but it is in fact nothing more than a dumb terminal, with no local storage whatsoever. Citrix recently announced a version of their receiver product for these dumb devices. Users interacting with them may not even realize nothing is living on the device. It’s all upstream in the cloud.
Of course a Chrome-equipped dumb device only goes so far when an executive directs IT to light up his iPad prior to his vacation in Hawaii.
Cloud Factors to Consider
When considering cloud solutions for mobile devices, whether it’s simply a required VPN into a data storage server, a fully virtualized solution or a hybrid of the two, one thing above all is required: ubiquitous mobile data. It’s no good for your mobile workforce to require always-on connectivity if the organization expects your employees to work while wedged into seat 23B on a trans-continental flight.
Furthermore, cost concerns can’t be disregarded. An organization with 750 mobile broadband-equipped tablets, paying $50 per month per device for mobile data, is going to spend $1.8M in mobile data charges alone over the four-year lifespan of those devices. If those mobile users travel internationally, data roaming surcharges can increase those amounts dramatically. And that may or may not be on top of the mobile voice plans those users will have as well.
While one can certainly argue that free or nearly-free WiFi connectivity is becoming ubiquitous, it’s just not practical to require an employee to duck into a coffee shop every time they need to update a spreadsheet. Additionally, encouraging the use of public WiFi in itself represents numerous security obstacles. As the recent rash of press stories has exposed, an open, public WiFi access point with no WPA encryption means data transmitted between the mobile device and the access point can easily be sniffed. Requiring mobile employees to use free WiFi may be penny-wise and pound-foolish.
Also, as many of us have experienced at hotels over the years, public WiFi may simply lack the bandwidth required to support a resource-hungry virtual client.
Finally, in addition to the mobile data costs, there are the costs required to license and host the virtualized environments. There are many well-respected companies who are more than happy to help address this burden, including Amazon’s Elastic Compute Cloud offering (EC2), Microsoft’s Windows Azure and many other smaller players. By outsourcing data centers into the cloud, the enterprise avoids the need to manage network equipment, maintain & scale servers or storage, or dedicate resources to managing infrastructure. Automated service management patches the underlying OS, balances loads, and shields users from hardware failure.
Mobile Device Management
The last, but equally important piece of the puzzle is the emerging area known as Mobile Device Management (MDM). Such solutions allow you to remotely monitor your smartphones and tablets, auditing hardware and software, managing user rights and alerting you to error conditions that may indicate a breach, or a potential breach. For example, if a mobile tablet is never supposed to leave a hospital and a geolocation alerting system indicates that it is traveling to an employee’s home on the weekend, that’s a strong indicator of a potential breach and resultant liability scenario. A good MDM solution will also alert you to potentially dangerous applications which have been installed on an endpoint and/or provide you with a means to lock, wipe, or reset a device which you may feel is out of your control.
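The hospital-tablet scenario above, as an added example that is not part of the article: geofence detection logic run over constructed MDM location reports. The hospital coordinates, the fence radius, the report format and the sample telemetry are all assumptions made for illustration.

```python
# Added example (not from the article): flag MDM location reports that place a
# hospital-bound tablet outside its geofence, rating weekend excursions higher.
# Coordinates, radius, report format and telemetry are constructed for illustration.
import math
from datetime import datetime

HOSPITAL_LAT, HOSPITAL_LON = 41.8800, -87.6300   # assumed geofence centre
GEOFENCE_RADIUS_M = 400.0                        # assumed radius around the campus

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_report(line):
    """Parse an assumed 'ISO-timestamp device_id lat lon' report line."""
    ts, dev, lat, lon = line.split()
    return datetime.fromisoformat(ts), dev, float(lat), float(lon)

def geofence_alerts(lines):
    """Return (device, timestamp, distance_m, severity) for every out-of-fence report."""
    alerts = []
    for line in lines:
        ts, dev, lat, lon = parse_report(line)
        dist = haversine_m(HOSPITAL_LAT, HOSPITAL_LON, lat, lon)
        if dist <= GEOFENCE_RADIUS_M:
            continue
        # Off-site on a weekend (Sat=5, Sun=6) suggests the device went home
        severity = "high" if ts.weekday() >= 5 else "medium"
        alerts.append((dev, ts.isoformat(), round(dist), severity))
    return alerts

# Constructed telemetry: two on-campus reports, one off-site Saturday, one off-site Monday
SAMPLE_REPORTS = [
    "2011-06-10T09:15:00 tablet-017 41.8803 -87.6298",
    "2011-06-10T17:40:00 tablet-017 41.8795 -87.6310",
    "2011-06-11T20:05:00 tablet-017 41.9500 -87.7000",
    "2011-06-13T12:30:00 tablet-042 41.8700 -87.6500",
]

if __name__ == "__main__":
    for alert in geofence_alerts(SAMPLE_REPORTS):
        print(*alert)
```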
As we have seen, the mobile security environment continues to evolve but the good news is that the marketplace is beginning to provide solid solutions to help address endpoint security. A layered method continues to be the best approach.