CIOs Must Bolster Mobile Security as BYOD Trend Booms
With users already accustomed to accessing corporate data on personal devices, enterprises need BYOD plans that focus on authentication and encryption across all business units.
May 24, 2012
Part 1 of our report on InformationWeek's 2012 State of Mobile Security focused on the effects of bring-your-own-device policies on enterprise networks. In Part 2, we explore how CIOs should respond to the BYOD trend.
CIOs need to put the brakes on BYOD initiatives, shore up Wi-Fi policies and bolster encryption to secure corporate data, according to InformationWeek's 2012 State of Mobile Security.
Michael Finneran, author of the report, notes that while giving employees a green light to use their own devices might provide a morale boost, it's a potentially costly one if corporate data falls into the wrong hands.
The survey found that there's much to be done to secure enterprises as more devices and more platforms connect to the organization. A good place to start is Wi-Fi policy. Surprisingly, the survey found that 32% of respondents cite penetration of Wi-Fi networks as a top concern, while only 5% worry about penetration of users' home Wi-Fi networks.
The encryption is available--the IEEE 802.11 standards committee has developed an excellent encryption mechanism in WPA2, which has been a required element in all Wi-Fi-certified products since 2006. However, only 64% of respondents use it, while 24% still use WEP and another 24% still use WPA2's predecessor, WPA.
Rogue access points and radio frequency intrusion must be monitored more than ever. For example, if someone has installed an unauthorized access point and connected it to the wired LAN, there's a good chance that person will not have activated the required security features, creating a serious vulnerability.
To better secure Wi-Fi, enterprises should make the following policy changes:
Standardize on WPA2 across all access points; absolutely no WEP.
Mandate a VPN or other secure connection if allowing access through home Wi-Fi networks or public hotspots, which are inherently problematic as they offer no encryption.
Regulate guest access via a portal and manage levels of access, as well as duration.
Specify regular scans for unauthorized access points and sources of interference.
Employ a wireless intrusion-detection system that specifically looks for Wi-Fi transmissions.
Unify WLAN and BYOD/mobility teams; often the people managing Wi-Fi are different from those managing cellular services.
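The two Wi-Fi policy points above that lend themselves to automation are the WPA2-only rule and the regular scan for unauthorized access points. The script below is an added illustration, not code from the report or from any vendor it mentions: it parses a constructed CSV export of observed BSSIDs (the column layout is an assumption about what a controller or scanning tool would produce), compares it against a constructed inventory of sanctioned access points, and flags unknown BSSIDs that advertise a corporate SSID, sanctioned APs that are not running WPA2, and sanctioned APs that were not seen at all.

```python
"""Audit Wi-Fi scan results against an authorized access-point inventory.

Added example; the inventory, the scan rows and the CSV layout are constructed
for illustration and are not taken from the InformationWeek report.
"""
import csv
import io
from dataclasses import dataclass

# SSIDs that only sanctioned access points are allowed to advertise (constructed).
CORPORATE_SSIDS = {"CorpNet", "CorpNet-Guest"}

# Constructed inventory of sanctioned access points: BSSID -> SSID it should serve.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "CorpNet",
    "00:11:22:aa:bb:02": "CorpNet",
    "00:11:22:aa:bb:03": "CorpNet-Guest",
}

# Constructed scan export, one row per observed BSSID (assumed column layout).
SCAN_CSV = """ssid,bssid,security,channel
CorpNet,00:11:22:aa:bb:01,WPA2,36
CorpNet,00:11:22:aa:bb:02,WPA,6
CorpNet,de:ad:be:ef:00:01,WPA2,11
CorpNet-Guest,00:11:22:aa:bb:03,OPEN,1
HomeRouter,66:77:88:99:aa:bb,WEP,6
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    bssid: str
    ssid: str
    reason: str


def parse_scan(text):
    """Turn the CSV export into a list of row dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def audit(scan_rows, authorized=AUTHORIZED_APS, corporate_ssids=CORPORATE_SSIDS):
    """Apply the policy to every observed BSSID and report deviations."""
    findings = []
    seen = set()
    for row in scan_rows:
        bssid = row["bssid"].lower()
        ssid = row["ssid"]
        security = row["security"].upper()
        seen.add(bssid)
        if bssid in authorized:
            # A sanctioned AP: check it serves the right SSID and uses WPA2 only.
            if authorized[bssid] != ssid:
                findings.append(Finding("high", bssid, ssid,
                                        "sanctioned AP advertising an unexpected SSID"))
            if security != "WPA2":
                findings.append(Finding("high", bssid, ssid,
                                        f"sanctioned AP using {security}; policy requires WPA2"))
        elif ssid in corporate_ssids:
            # Unknown hardware impersonating our network: rogue or misconfigured AP.
            findings.append(Finding("critical", bssid, ssid,
                                    "unknown BSSID advertising a corporate SSID"))
        # Neighbouring networks with other SSIDs are ignored; they are not ours.
    for bssid in authorized.keys() - seen:
        # A sanctioned AP that never appeared may be down or out of the scan area.
        findings.append(Finding("medium", bssid, authorized[bssid],
                                "sanctioned AP not observed in this scan"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scan(SCAN_CSV)):
        print(f"[{finding.severity:8}] {finding.bssid} {finding.ssid}: {finding.reason}")
```

Run against the constructed scan, the audit reports the sanctioned AP still on WPA, the guest AP left open, and the unknown BSSID impersonating CorpNet, while the neighbouring WEP home router is left alone. In practice the scan rows would come from the WLAN controller or a wireless IDS sensor on the schedule the policy specifies, and the inventory from the same asset list the WLAN and mobility teams share.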
Mobile Security Risks and Responses
Risky user behavior is at the heart of respondents' concerns regarding tablets and smartphones, including malware on applications from app stores (31%) and users forwarding corporate information to cloud-based storage services (30%) and personal accounts (21%). Use of VPNs, Secure Sockets Layer or secure email should take care of these concerns. With tablets using the same mobile operating systems as smartphones, the same security approach should be applied across all devices, with a focus on authentication and encryption.
Enterprises should make the following policy changes for authentication:
Require power-on passwords for all devices containing corporate data; a power-on password buys time to wipe a device that's lost or stolen.
Extend password-strength policies to mobile devices.
Require stronger authentication if users are allowed to store sensitive or regulated data on smartphones or tablets.
When it comes to encryption, there are two major focus areas: encrypting data at rest on devices and in transit over wireless networks. Encryption is challenging in mobile security because there are different options for the various mobile platforms.
Make encryption the price of being allowed to keep corporate data on a mobile device.
Build and maintain a list of devices that meet your security criteria.
Specify requirements for over-the-air encryption.
Consider emerging virtualization technology for tablets; virtual desktop technology has major appeal in the mobile space because the connection from the mobile device to the server is secure, and once the connection is terminated, all data is wiped from the device.
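The authentication and encryption rules above (power-on password, password strength extended to mobile, stronger authentication for sensitive data, encryption as the price of holding corporate data, an approved-device list, over-the-air encryption) can be expressed as a single compliance check that an MDM or a home-grown inventory script runs per device. The code below is an added example and not from the report or any MDM vendor: the device records, the approved platform versions and the policy thresholds are constructed, and the field names are assumptions about what an MDM inventory export would report (an MDM sees the passcode policy a device enforces, not the passcode itself).

```python
"""Evaluate mobile device records against a BYOD authentication/encryption policy.

Added example; device records, approved-platform list and thresholds are
constructed, and the Device fields are an assumed MDM inventory schema.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Ordinary corporate data: password-strength policy extended to mobile.
    min_passcode_len: int = 6
    # Sensitive or regulated data: stronger authentication required.
    sensitive_min_passcode_len: int = 8
    sensitive_requires_alphanumeric: bool = True
    # Approved-device list as platform -> minimum OS version (constructed values).
    approved_platforms: dict = field(
        default_factory=lambda: {"ios": (5, 1), "android": (4, 0)})


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple
    passcode_enabled: bool          # power-on password set
    enforced_passcode_len: int      # minimum length the device profile enforces
    enforced_alphanumeric: bool     # profile requires letters and digits
    storage_encrypted: bool         # data at rest encrypted
    vpn_configured: bool            # over-the-air encryption available
    holds_sensitive_data: bool      # regulated/sensitive data present


def fmt(version):
    return ".".join(str(part) for part in version)


def evaluate(device, policy):
    """Return (compliant, reasons); an empty reasons list means the device passes."""
    reasons = []
    minimum = policy.approved_platforms.get(device.platform.lower())
    if minimum is None:
        reasons.append(f"platform {device.platform} is not on the approved list")
    elif device.os_version < minimum:
        reasons.append(f"OS {fmt(device.os_version)} below approved minimum {fmt(minimum)}")
    if not device.passcode_enabled:
        reasons.append("power-on passcode not set")
    else:
        required = (policy.sensitive_min_passcode_len if device.holds_sensitive_data
                    else policy.min_passcode_len)
        if device.enforced_passcode_len < required:
            reasons.append(f"passcode length {device.enforced_passcode_len} below required {required}")
        if (device.holds_sensitive_data and policy.sensitive_requires_alphanumeric
                and not device.enforced_alphanumeric):
            reasons.append("sensitive data present but alphanumeric passcode not enforced")
    if not device.storage_encrypted:
        reasons.append("storage encryption disabled; corporate data not permitted on device")
    if not device.vpn_configured:
        reasons.append("no VPN profile for over-the-air encryption")
    return (not reasons, reasons)


def evaluate_fleet(devices, policy=Policy()):
    return {d.device_id: evaluate(d, policy) for d in devices}


# Constructed inventory records.
SAMPLE_DEVICES = [
    Device("phone-001", "ios", (5, 1), True, 6, False, True, True, False),
    Device("phone-002", "android", (2, 3), True, 4, False, False, True, False),
    Device("tablet-003", "ios", (5, 1), True, 4, False, True, True, True),
    Device("phone-004", "ios", (5, 0), False, 0, False, True, False, False),
]


if __name__ == "__main__":
    for device_id, (ok, reasons) in evaluate_fleet(SAMPLE_DEVICES).items():
        status = "compliant" if ok else "non-compliant"
        print(f"{device_id}: {status}")
        for reason in reasons:
            print(f"    - {reason}")
```

Of the constructed records, only phone-001 passes; the tablet holding sensitive data fails on passcode strength even though it is encrypted and on an approved OS, which is the point of the "require stronger authentication" rule. The reasons list is what you would feed back to the user (or to a quarantine action in the MDM) rather than a bare pass/fail.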
Rules for how mobile devices connect to the enterprise need a mobile device management (MDM) system to be effective, however. MDM systems such as those from AirWatch, Good Technology, MobileIron or Sybase enable enterprises to enforce security and tightly manage devices. InformationWeek's Buyer's Guide to Mobile Device Management provides an overview of 10 vendors.
There are some policy guidelines for implementing an MDM:
Work out a funding scheme for MDM that gets business units some skin in the game; at anywhere from $2.50 to $5 or more per device, per month, MDM costs often come out of the IT budget. Considering that thousands of devices may need to be managed, those costs must be factored in.
Align required MDM features with your encryption, authorization, device support and other policies.
If you can't purchase an MDM immediately, at least take advantage of the password policy enforcement and remote-wipe capabilities of Microsoft's Exchange ActiveSync.
Find out what carriers can do for you.
These policies and recommendations are just the tip of the iceberg. Enterprises also need to consider application security and malware threats posed by a plethora of mobile platforms, as well as security awareness training--users are usually the weak link in the chain.
There's no doubt that BYOD has taken off, but the systems to ensure security and management haven't kept pace. Organizations need to start getting their houses in order by identifying what devices are connecting to their networks, and developing a mobility plan and policy. While permitting user-owned devices will no doubt boost productivity, if you're responsible for security, compliance and governance in your organization, you need to implement a program before a breach occurs.