Enterprises should allow employees to use non-BlackBerry mobile devices in the enterprise, but policy must be clearly communicated, outlining rules and the consequences for violating them, according to panelists taking part in a spirited discussion on mobile device security at InfoSec World 2010.
The session opened with a conversation about mobility-related threats, including tethering, a technique that lets users go online from their notebooks or PDAs by using a cell phone or other Internet-enabled mobile device as a router. Because the tethered laptop reaches the Internet outside the corporate perimeter, a device without a firewall or access control can open a path for an attacker to reach work email and sensitive documents. Those risks need to be weighed by an organization's security staff, said Scott Register, director of project management at BreakingPoint Systems Inc., based in Austin, Texas.
"If [tethering] doesn't bother you, it certainly bothers your IT guy or your risk management guy," Register said. "You get to the point where if you're doing risk management, you have to weigh the convenience versus the security."
Jeremy Rissi, principal at Triton Federal Solutions Inc., a company of the McLean, Virginia- based management consulting firm Project Performance Corp., said an organization's mobility policy considerations should be based on three main areas: "Do you protect the device, do you protect the application on the device, or do you protect the data inside the application on the device?"
Security options need to be considered, Rissi said, including enforcing password policies on the device, maintaining a whitelist or blacklist of applications, disabling features such as Bluetooth, and verifying that security software such as a firewall or antivirus protection is present on the device before it is allowed to connect to the network.
When drafting a mobile device security policy, companies face a decision: design security from the ground up and allow only certain supported mobile devices, or let employees bring the many devices they buy at, say, the Verizon or Apple store onto the network.
Stephen Fried, a former vice president at Fidelity National Information Services Inc., said the decision to restrict use to particular mobile devices comes down to economics. Fried is seeing a groundswell in "buy versus build" activity -- letting employees build their own IT and select the device that makes them happiest.
"Certainly it involves a much lower capital cost, borne entirely by end users," Fried said. "Allowing users to buy what they want, get the latest and greatest blinking lights that they want. …That gives them a certain sense of empowerment," he added, noting that the tools employees use at home are ones they are comfortable with and ones that will help them do their jobs effectively.
That patchwork of technology can make standardizing configuration and support very difficult, however. The alternative, Fried said, is to allow only select devices to attach to the enterprise infrastructure for email, Exchange and VPN access. If an organization requires encryption, it should support only devices that can encrypt. If an organization requires a VPN, only devices that can run the VPN client should be used.
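The controls Rissi listed (passcode rules, an application whitelist or blacklist, Bluetooth off, firewall and antivirus present) and Fried's supported-device rule (only platforms that can encrypt and run the VPN client) are all checkable before a device is allowed to attach. The following is an added example of how a gateway or MDM might express that as a single posture check; it is not code from any panelist, vendor or product named in the article. The `Policy` and `Device` fields, the sample policy and the two device reports are all assumptions constructed for illustration.

```python
"""Mobile device posture check: admit a device for email/VPN only if it
satisfies every requirement of a written policy.  Added example with an
assumed data model; the sample policy and devices below are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Policy:
    """The written mobile policy encoded as checkable requirements (assumed fields)."""
    supported_platforms: FrozenSet[str]            # only devices the org can support
    min_passcode_length: int = 6
    max_passcode_age_days: int = 90
    require_bluetooth_off: bool = True
    require_firewall: bool = True
    require_antivirus: bool = True
    require_encryption: bool = True                # org requires encryption at rest
    require_vpn_client: bool = True                # org requires the VPN client
    denied_apps: FrozenSet[str] = frozenset()      # blacklist
    allowed_apps: Optional[FrozenSet[str]] = None  # whitelist; None = no whitelist


@dataclass
class Device:
    """Posture report a client agent or MDM would send (assumed fields)."""
    name: str
    platform: str
    passcode_length: int
    passcode_age_days: int
    bluetooth_on: bool
    firewall_enabled: bool
    antivirus_present: bool
    encryption_supported: bool
    vpn_client_installed: bool
    installed_apps: Set[str] = field(default_factory=set)


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return every policy violation; an empty list means the device may connect."""
    violations: List[str] = []
    if device.platform not in policy.supported_platforms:
        violations.append(f"platform {device.platform!r} is not a supported device")
    if device.passcode_length < policy.min_passcode_length:
        violations.append(f"passcode shorter than {policy.min_passcode_length} characters")
    if device.passcode_age_days > policy.max_passcode_age_days:
        violations.append(f"passcode older than {policy.max_passcode_age_days} days")
    if policy.require_bluetooth_off and device.bluetooth_on:
        violations.append("Bluetooth must be disabled")
    if policy.require_firewall and not device.firewall_enabled:
        violations.append("firewall not enabled")
    if policy.require_antivirus and not device.antivirus_present:
        violations.append("antivirus not present")
    if policy.require_encryption and not device.encryption_supported:
        violations.append("device cannot encrypt stored data")
    if policy.require_vpn_client and not device.vpn_client_installed:
        violations.append("VPN client not installed")
    denied = device.installed_apps & policy.denied_apps
    if denied:
        violations.append("blacklisted apps installed: " + ", ".join(sorted(denied)))
    if policy.allowed_apps is not None:
        extra = device.installed_apps - policy.allowed_apps
        if extra:
            violations.append("apps outside whitelist: " + ", ".join(sorted(extra)))
    return violations


def may_connect(device: Device, policy: Policy) -> bool:
    """Gate decision: fail closed, admit only when no check fails."""
    return not evaluate(device, policy)


# Constructed sample policy and device reports (not real inventory data).
CORP_POLICY = Policy(
    supported_platforms=frozenset({"blackberry", "iphone", "android"}),
    denied_apps=frozenset({"tether-proxy"}),   # hypothetical app name
)

COMPLIANT = Device("bb-1", "blackberry", 8, 20, False, True, True, True, True,
                   {"mail", "calendar"})
NONCOMPLIANT = Device("droid-2", "android", 4, 120, True, False, True, True, False,
                      {"mail", "tether-proxy"})

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        verdict = "ADMIT" if may_connect(dev, CORP_POLICY) else "DENY"
        print(dev.name, verdict, evaluate(dev, CORP_POLICY))
```

The check returns the full list of failures rather than stopping at the first, which is what lets an organization do the "give-and-take" the panel describes: the user sees exactly which policy term they have not met, and the policy text and the enforcement logic stay in step because both are written against the same requirements.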
The choice comes down to how the company is organized, according to Fried. "You really have to take a look at your organizational culture. What is the power and influence that you have? Some organizations are very end-user centric. Some are very corporate-centric. Where do you want to strike that balance?"
Policy or technology?
So is it better to attack mobile device security with policy or with technology? The panel and audience agreed that it takes both. "It's absolutely a combination," Register said. "You need to start with your policy…you need to reinforce that policy with whatever technology you can find and apply it to fit your policy."
Rissi agreed, adding that a company's defenses should also be built on a give-and-take policy, for example, permitting the use of personal mobile devices in exchange for employees agreeing to protect them with strong passwords that are changed every 30 days. "People are going to be more accepting of that because they got something, rather than if you simply issue a blanket statement that says you can't use any device in our network other than this device that we give you," Rissi said.
Fried also sees the value of a balanced policy, rather than one that simply restricts employees. "No matter what restrictions you put in place, we have very smart, creative people in our organizations and they will find their way around those restrictions," Fried said. "Part of the challenge is coming up with an acceptable policy and technology that allows for that creativity and still does its best to try and protect them."
Concerned about the growing landscape of privacy laws, a few attendees raised litigation concerns: how to handle an investigation when enterprise-owned data sits on an employee-owned device. Fried has seen many organizations adjust to this blurring of personal and enterprise-owned assets by modifying policy and adding click-through agreements that protect the enterprise.
"What I've seen some companies do is modify their use policy and say, 'you can bring your own personal device and use it…if there is an investigation and we have a need, you are specifically consenting us to search the device even though we acknowledge it is your device,'" Fried said.
Register noted that most employees aren't setting out to break rules. An employee on the road, for example, may simply be trying to do the job, checking mail or looking up a customer's phone number, and find that policy rules are in the way.
The blur between personal ownership and enterprise ownership extends beyond mobile devices, and the merging will likely create other kinds of challenges for security professionals in the future. Register used the example of social networking sites like LinkedIn. "To pretend that you can create some hard technology wall between the two is probably not feasible at all," he said. "It's a valid work tool, but my corporation, my employer, doesn't own it. …To say you can't commingle the two, good luck with that. Is LinkedIn a personal tool or a work tool? The answer is yes."