March 18, 2014
Mobile security issues are top-of-mind for security leaders. David Jarvis knows this because he has asked them.
The author of the 2013 IBM Chief Information Security Officer Assessment and IBM Corp.’s Centre for Applied Insights conducted in-depth interviews with security leaders across four countries regarding business practices and their impact on their companies’ security posture. Asked what their biggest security challenge is, Jarvis says, mobile security came out on top.
“Through the interviews we did, we definitely saw significant attention and significant investment, with the focus really still on deployment,” Jarvis says. “There are concerns around theft or loss of a device, or loss of sensitive data on the device, but the concern isn’t slowing anyone down.”
Hand-in-glove with mobile security comes the issue of “BYOD” computing – users bringing their own, consumer-grade device into the company network. One study by security firm Webroot Inc. found that 82% of those surveyed believed employee-owned devices are a high security risk within the corporate environment.
There are three primary vectors of exposure BYOD computing brings to the enterprise: remote access, loss or theft of device and data, and connections to insecure networks, says James McCloskey, senior consulting analyst with Info-Tech Research Group in London, Ont.
“I don’t know that they’re exactly new, but (BYOD) exacerbates those vectors,” McCloskey says.
With more applications exposed to mobile workers so they can be productive, companies are revisiting the need for something above and beyond password-only protection, he adds. They are taking another look at multi-factor authentication: something you know, like a password, plus something you have, like a smart card or a key fob, adds up to authentication. And there’s been a lot of activity in the field of out-of-band authentication, McCloskey says; a user logs on and is sent a one-time password by text to his or her smart phone, eliminating the need for a key fob or smart card.
“That’s one less thing they have to carry for those people, it’s one less piece of hardware you have to pay for these people,” McCloskey says.
Data has left the building:
Desktops and servers do not tend to walk away with their data. But that is exactly what mobile devices do. They are exposed to loss and theft, and there is a good chance users of a consumer device aren’t applying the most stringent security.
“Most people won’t have a password or will have a very weak password on their mobile device for personal reasons, because they’re not terribly worried about someone stealing their pictures or stealing their personal e-mail, but it’s a whole different equation when you start talking about downloading company information onto that device,” McCloskey says. “All of a sudden encryption becomes a much more important control, having a good authentication mechanism that unlocks or decrypts that data is equally important.”
So does enforcing the separation of work and personal data on mobile devices, says Ronald Gruia, principal analyst and program leader for emerging technologies at Frost & Sullivan in Toronto. That allows a personal workspace and a corporate workspace, with different standards of encryption enforced by a mobile device management solution. Encapsulation is one approach.
“The enterprise provides a secure mobile version of an application on a personal device that is separate from the personal applications that a user would have on that device,” Gruia says. “It’s easy to deploy, it’s secure, it co-exists with the personal environment, it’s scalable. The only issue there is that you only have specific applications, so that restricts their productivity.”
It helps isolate the company network if the personal workspace is exposed to a phishing attack, for example, but perhaps not entirely. Say a user downloads a file and saves it on the device’s SD RAM card, for example. It could trigger a worm attack on the other side of the fence, Gruia says.
As the enterprise extends more applications out to a remote workforce to make it more productive, the applications themselves can become vulnerabilities. “Vulnerability-wise, whenever you do use an application, it’s always prone to attacks,” Gruia says. “If it’s going to be a touch point to the enterprise, it can always be exploited.”
Jarvis calls this an “emerging issue.”
“There is this increasing focus on the application, and I think that it’s a layer that’s getting increasing attention, but maybe not enough,” Jarvis says. “In our survey results, the security around applications was a lot lower than we thought in terms of importance. I think that’s definitely an emerging issue, and I think mobile is just accelerating it as an issue.”
“Application security is a key aspect because many organizations enable mobile users by exposing these applications either directly onto the Web or through a Web portal,” he says. “Those applications are more at risk than they ever were when they were just available from internal IP addresses.” Application security disciplines and secure coding are important to make sure the application itself doesn’t become a vector for data to be breached, according to McCloskey. And it is not just the application.
“Perimeter security effectively is compromised as soon as you’ve got the perimeter extending out onto the Internet, when you’ve got personal devices coming inside the perimeter, all of a sudden the idea of perimeter defence is no longer adequate on its own.”
McCloskey says that calls for a second look at an out-of-favour technology: network access control (NAC). Not in the traditional, LAN-based sense, but from a remote access or wireless standpoint.
“(When you have a) device of some unknown provenance and some unknown security posture connecting onto your network, you want to have some mechanism to inspect that device and enforce certain policies – to be able to say, for example, this particular device is running its antivirus and it is up to date, it’s running an up-to-date version of the operating system and is patched and so forth, prior to being granted access to the internal network and applications and data that reside on that internal network,” he says.
But there are reasons NAC has fallen out of favour with the networking crowd, according to Gruia: its impact on performance, its complexity to manage, its cost, interoperability issues. But maybe more than that, NAC provoked political hurdles in the IT department; it touches security, desktop management and network management disciplines, each with an agenda.
Still, NAC could potentially tighten up security in the mobile environment, Gruia concedes. “You could devise policies on top of that, you could really do a bunch of different things,” he says. “It’s not the most popular use case, but it could be a use case.”
Ali Ashfari says NAC has come a long way in the last few years. The director of enterprise security for Cisco Canada says the company’s NAC offering, once hardware-intensive, is now part of its overall identity services engine; where previously, NAC servers were needed all over the network to shepherd traffic, it is now more of a service engine – the switching fabric itself does the enforcement.
It is also more context-sensitive, he says.
“The traditional NAC was very black and white,” Ashfari says. Devices that didn’t pass certain criteria were kept off the network. Now, policy can be differentiated according to a number of factors.
For example, while a user might be able to access certain data and applications on a laptop or desktop, he or she might not be able to on a tablet or smartphone. “Your identity might be the same, but because you’re accessing the network on an iPad instead of a desktop, your access is limited,” he says.
Other contextual rules might be built around time of day (“What access I give my employees or my contractors or my guests might be different depending on the time of day”), physical location (are you inside the building or connecting through a 4G network?) and what the security posture of the device is (is it running antivirus, and are the patches up-to-date?).
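The context-sensitive policy Ashfari describes, as an added example rather than anything from Cisco’s product or the article: a small evaluator in which the same identity gets different access depending on device type, location, time of day and device posture. Role, device, location and resource names are assumed, and the sample requests are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str          # "employee", "contractor" or "guest" (assumed role names)
    device: str        # "desktop", "laptop", "tablet" or "phone" (assumed)
    location: str      # "onsite" or "remote", e.g. a 4G connection (assumed)
    hour: int          # local hour of day, 0-23
    av_running: bool   # posture: antivirus running
    patched: bool      # posture: OS patches up to date


# Resources ordered from least to most sensitive (assumed names).
RESOURCES = ("guest_wifi", "email", "intranet", "finance_app")


def access_decision(req: Request) -> tuple[list[str], str]:
    """Return (allowed resources, reason). The same identity gets less
    access on a mobile device, off site, after hours, or with bad posture."""
    # Posture first: a device failing its health check is quarantined
    # whoever is using it (the traditional black-and-white NAC rule).
    if not (req.av_running and req.patched):
        return ["guest_wifi"], "quarantine: posture check failed"
    if req.role == "guest":
        return ["guest_wifi"], "guest"
    allowed = ["guest_wifi", "email"]
    # Intranet only from a desktop/laptop; the finance app only for employees
    # on such hardware, on site, during working hours. Contractors never get it.
    if req.device in ("desktop", "laptop"):
        allowed.append("intranet")
        if req.role == "employee" and req.location == "onsite" and 8 <= req.hour < 19:
            allowed.append("finance_app")
    return allowed, f"{req.role} on {req.device} {req.location} at {req.hour:02d}:00"


def demo() -> dict[str, list[str]]:
    """Same user and role, different context (constructed sample requests)."""
    base = dict(user="alice", role="employee", hour=10, av_running=True, patched=True)
    cases = {
        "desktop onsite": Request(device="desktop", location="onsite", **base),
        "ipad onsite": Request(device="tablet", location="onsite", **base),
        "laptop remote": Request(device="laptop", location="remote", **base),
        "laptop unpatched": Request(device="laptop", location="onsite", **{**base, "patched": False}),
    }
    return {name: access_decision(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} -> {allowed}")
```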
Gruia also cites desktop virtualization as an approach to securing the network against mobile vulnerabilities. In a virtual desktop infrastructure (VDI), the “computer” is a collection of virtualized compute resources: processor, memory, storage, applications. The device that handles the input and output becomes essentially a dumb terminal. “It’s a little bit more secure,” Gruia says, but of course there are drawbacks: the device has to support the appropriate hypervisor, it draws more power (an important issue with mobile devices), and there are issues with offline computing, Gruia says.
The different approaches to mobile security all have pros and cons, Gruia says. He recommends companies find their chief use case for mobile, and build around that.
Whatever the approach, enterprises are forging ahead on mobile and BYOD security, says Jarvis. They have to. “I think it’s moving at such a pace that we saw some gaps emerge around an enterprise strategy for mobile security and BYOD and a specific incident response policy,” he says. “Those capabilities weren’t as widespread as the more kind of technical things that you would expect, like management capability or an inventory of devices or a published set of principles or even containerization or encryption.
“There has been such a rush to get this stuff in place, to get the architectures, the basic structure in place, that strategy and policy haven’t had the chance to catch up. It is not to say (security decision-makers are) not aware of those problems. They’re just not addressing it right now. Those are the two areas where we see the most planned attention over the next 12 months.”
Dave Webb is a Toronto-based freelance writer. He can be reached at email@example.com