The proliferation of powerful, Internet-connected mobile computing devices such as Apple's iPhone, late-model BlackBerrys and phones based on Google's Android operating system has made security front of mind for many CIOs.
Information workers have increasingly come to rely on mobile computing devices to check email, author and edit sensitive documents and interact with mission-critical enterprise applications. And, as smart people have pointed out, organizations benefit from the access and collaboration features offered by iPhone adoption and other mobile computing devices, making it possible for workers to be productive from just about anywhere.
The rub is that using these devices within the enterprise makes their security, along with that of the mission-critical data they contain, IT's business. Consequently, these devices create a potential blind spot in enterprise-wide compliance efforts that have traditionally focused on securing network infrastructure, servers and desktops.
So what is the impact of this new generation of mobile computing devices on IT operations and compliance?
- What do we mean by mobility?
- What threats exist for mobile devices and mobile device data?
- What laws and regulations govern the security of mobile devices?
- What is the role of IT in securing mobile devices?
So, what do people mean when they talk about mobility and mobile devices? Without putting too fine a point on it, mobility is typically in the eye of the beholder. In the most general sense, the term mobile devices covers any portable computing device used outside the traditional office setting.
That definition takes in everything from run-of-the-mill laptop computers to function-specific handheld devices, to the latest status devices like iPads and iPhones. Some of these are employer-owned and therefore managed assets. Others are employee-owned and employer-managed, or employee-owned and employee-managed. What these devices have in common is that they all operate both within and outside the traditional enterprise network perimeter, which introduces new security and availability challenges.
So the question is: Are these mobile computing devices the second coming of "Windows PC," which is to say will they be as ubiquitous, feature-rich and highly susceptible to attacks, viruses and worms? The short answer for now is no. Despite obvious similarities between Windows and the quick embrace of platforms like the iPhone and the BlackBerry, viruses and other malicious code targeting those platforms are still the exception rather than the rule.
The recent malicious code targeting the iPhone, for example, was limited to jailbroken phones, which by definition have circumvented much of the platform security built into the device. Self-replicating malware for the Symbian platform has also been around for close to a decade, although outbreaks have been limited and mostly harmless. Security software vendors are pushing a standard menu of products to protect phones, including antivirus software and firewalls.
Of more concern, however, are third-party applications built to run on these new devices. There have already been instances of malicious programs that were successfully introduced onto platforms like Google Inc.'s Android under the guise of legitimate applications. Getting malicious code to run on closed platforms like the iPhone and BlackBerry is a challenge. Disguising an information-stealing Trojan as a legitimate app in hopes of sneaking it past Apple's code review team, however, has a higher chance of success.
Malware aside, the biggest security threat posed by mobile devices is the inadvertent loss of data when the devices themselves are lost or stolen. A certain percentage of those lost devices contain sensitive corporate data and documents that could easily fall into the wrong hands. While viruses and worms have allure, the nuts and bolts of tracking and managing mobile devices and protecting the data on them is the most pressing problem facing enterprise IT administrators today.
Few regulations specifically call out the security of mobile devices and mobile device data. That's cold comfort to enterprise IT staff members concerned about whether their mobile devices fall under the umbrella of data privacy laws. Chances are they do. As we've written about before, data security and privacy laws including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act speak in broad terms about the need to secure data at rest and/or in transit.
As an example, HIPAA speaks of the need to secure protected health information transmitted over "communications networks," while the Payment Card Industry standard focuses on extending standard protections (such as firewalls and antimalware) to both mobile and nonmobile workers, as well as securing cardholder data in transit over both IP-based and mobile networks.
More recently, regulators have broadened the language they use in describing endpoints to mobile computing devices when writing regulations. Massachusetts' 201 CMR 17.00 data privacy law makes specific mention of data protections extending to sensitive data sent to and residing on "laptops and other portable devices." But waiting for regulations to specifically call out the need to secure mobile computing devices isn't advisable. Auditors are increasingly attentive to the exposure posed by employee use of mobile devices. Spelled out specifically or not, companies may find themselves on the hook to explain how they limit mobile access to sensitive data, or protect that data in transit and at rest.
Mobile adoption poses new and unique challenges to IT operations and security staffs used to overseeing centrally managed, monolithic computing environments. In many organizations, mobile device adoption is user-driven rather than centrally managed. And, unlike the PC world, the plethora of platforms and providers makes coordination of management and policy difficult.
Even in cases where employers standardize on a single mobile platform, there is no assurance that users won't still bring their own phones or other mobile devices to work and use them alongside those provided by the company. IT operations teams need to get visibility into such activity, namely understanding which mobile devices and platforms are in use on their networks and, if possible, determining which users are associated with each.
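One low-cost way to get that visibility is to mine logs the enterprise already collects. The following example, added here and not part of the original article, classifies constructed web-proxy log lines by the mobile platform in their User-Agent string, groups the users seen on each platform, and reconciles the result against an assumed list of users who hold company-managed devices to surface likely employee-owned phones. The log format, user names and the managed-user list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (not real data): timestamp, user, client IP, User-Agent.
SAMPLE_PROXY_LOG = """\
2010-04-12T08:01:12 alice 10.20.1.15 "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 Mobile/7E18 Safari/528.16"
2010-04-12T08:02:40 bob 10.20.1.22 "BlackBerry9000/4.6.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102"
2010-04-12T08:03:05 carol 10.20.1.31 "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Nexus One Build/ERE27) AppleWebKit/530.17 Mobile Safari/530.17"
2010-04-12T08:04:59 dave 10.20.1.40 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 Safari/533.4"
2010-04-12T08:05:10 alice 10.20.1.15 "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 Mobile/7E18 Safari/528.16"
2010-04-12T08:06:33 erin 10.20.1.52 "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 Mobile/7B367 Safari/531.21.10"
"""

# Platform signatures checked in order; the first match wins. Desktop browsers match none of them.
PLATFORM_PATTERNS = [
    ("iPad", re.compile(r"\biPad\b")),
    ("iPhone", re.compile(r"\biPhone\b")),
    ("Android", re.compile(r"\bAndroid\b")),
    ("BlackBerry", re.compile(r"\bBlackBerry")),
    ("Symbian", re.compile(r"\bSymbian")),
]
# One proxy log line: timestamp, user, client IP, then the quoted User-Agent.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def classify_platform(user_agent):
    """Return the mobile platform name for a User-Agent string, or None for non-mobile clients."""
    for name, pattern in PLATFORM_PATTERNS:
        if pattern.search(user_agent):
            return name
    return None

def build_mobile_inventory(log_text):
    """Map each observed mobile platform to the sorted list of users seen on it (desktop hits ignored)."""
    inventory = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, user, _ip, ua = m.groups()
        platform = classify_platform(ua)
        if platform:
            inventory[platform].add(user)  # a set collapses repeated hits from the same user
    return {platform: sorted(users) for platform, users in inventory.items()}

MANAGED_USERS = {"bob", "carol"}  # assumption: users holding company-managed devices, from an asset register

def unmanaged_mobile_users(inventory, managed_users=MANAGED_USERS):
    """Users seen on a mobile platform who hold no company-managed device: likely employee-owned phones."""
    seen = set().union(*inventory.values())
    return sorted(seen - managed_users)
```

Pointing the same parser at mail-server or VPN logs instead of proxy logs gives a second, independent view of the same population; disagreements between the two are worth a look.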
Beyond that, there is a need for common management tools that can monitor the configuration and security of mobile assets as well as enforce security policies on them. Even if employers have not acquired mobile devices for users, they have an interest in ensuring that their employees use strong passwords to protect their devices. They also want to know that basic security features such as data encryption, firewalls and antivirus software have been deployed.
Aside from that, enterprises are increasingly interested in using remote tracking and data wiping capabilities so that lost or stolen assets don't cough up sensitive communications and intellectual property. Such common-sense investments will go a long way toward taming the Wild West of mobile devices and bringing mobile device management and compliance efforts in line with those elsewhere in the enterprise.
This was first published in April 2010