
Security context on mobile devices

All IT departments are confronted with mobile devices today, and the upcoming holiday season will probably bring many technology gadgets such as smartphones and tablets to homes and Christmas trees nationwide. These are surprises both for the end-user (on Christmas evening) and for the IT department (after the holiday season). We talk a lot with our customers about the trends of increased mobility, the new way/world of work and consumerization, which are reshaping how IT departments work.

The most commonly cited concern for the mobile devices is the security aspect, with two important facets:

  • How can third parties be prevented from intercepting data from a mobile device?  
  • How can end-users be prevented from tampering with the device (with possible security implications)?

From the traditional control and manageability context, many IT departments initially feel that the preferred approach is to completely lock down the mobile device: email should be secured/encrypted, storing data on the device should be avoided, and preferably, apps on the devices should only be provisioned by the IT department. This approach has already been tested with smartphones (where typical use cases are mail & calendaring functionality) and has worked with varying success in that world. However, with tablets entering the enterprise, restrictions such as not being allowed to store data on the device or insisting on enterprise-only applications quickly become unfeasible or are simply not enforceable, as users ignore the strict IT policy for these devices. We often speak with customers who have standardized on heavily secured & managed mobile devices, yet feel strong pressure from their business and end-users to go for more consumer-oriented devices such as the iPhone or iPad. This creates an (additional) tension between business users, who see an added value in using these (open, less controlled) devices for professional purposes, and the IT department, which traditionally has to focus on security, manageability and cost control.

Obviously, there is no single answer to this situation: the role of governance & security within the organization (beyond IT), the level of expertise & creativity of end-users, and the business needs which are answered by these mobile devices are all very important parameters in finding a good mobile device strategy. At Xylos, we believe that the foundation of a good mobile device strategy is the complementarity that end-users see in the mobile device (as an extension of the desktop), which should be leveraged as much as possible to create a uniform workspace across the desktop and the mobile devices. In that vision, there are two important aspects that require a different approach than what is usually followed by IT departments, and require "thinking outside the box".

First, there is the trivial remark that consumer mobile devices (today) do not distinguish between different user roles; on a regular workstation, it is considered a best practice and highly recommended to deprive end-users of administrative rights and leave them with regular user rights, such that the desktops and laptops can remain standardized, managed, patched and secured. In this context, locking down the workstation makes sense both to prevent the end-user from tampering (by installing additional software, accidentally contracting malware, ...) and to prevent third parties from retrieving confidential information from such a workstation. It is often said from a security point of view that "physical access" by a person with malicious intentions (end-user or third party) to any workstation should be considered equivalent to that device being hackable or potentially tampered with.

There is no reason why this remark cannot be applied to mobile devices: these devices are much more prone to being stolen or lost than a desktop or laptop, and hence, from a security point of view, it makes more sense to assume that such a mobile device will fall into the wrong hands one day. Again, with physical access to the device making tampering with that device perfectly possible, one has to ask whether a complete functional lockdown (with the corresponding user impact) is really the desirable approach. There are security measures, either completely transparent to the end user (encrypting the device and storage cards) or plain common sense (requesting a PIN code/password before the device can be accessed), which can perfectly mitigate the risk of lost/stolen devices without a strong disruption of the user experience. This has to be combined with a good governance structure (policies & IT processes) to clearly explain to users what is allowed on the device, and how to react promptly upon loss or theft of their devices.

That mitigates a major concern among many IT managers about data loss to third parties; another concern is that end-users might install & use applications:

  • which are not fit for enterprise use (for example, because an Office app on iOS or Android does not correctly save Microsoft Office documents back),
  • which contain malware (there have been incidents of malware applications on app stores/markets already),
  • which potentially leak information to unwanted locations (cloud based file hosting such as iCloud, Dropbox, ...).

In fact, the recent Carrier IQ commotion shows that the risk of malware/unwanted apps can even come from sources other than the end-users themselves. Again thinking from within the desktop perspective, it is tempting to use a blacklist or whitelist approach for apps on mobile devices, much in line with the software restriction policies which exist in the Windows world (this functionality can be implemented using the many mobile device management packages which exist today). Here too, we advise proceeding with caution and trying to think out of the box again:

  • Working with a blacklist (which means: all applications are allowed, except unwanted applications) provides no protection whatsoever against unknown malware. Given the exponential growth of the consumer app stores for mobile devices, it is an impossible task to start blocking all applications which potentially could disrupt the enterprise or the collaboration between end-users.
  • Working with a whitelist (which means: blocking all applications, except those explicitly allowed) provides protection against malware or unwanted applications. However, it is very likely that this precisely eliminates the primary use case of consumer mobile devices and the added value that end-users see for these devices in the enterprise. After all, providing a mobile device where the consumer app store is completely blocked, is for all practical purposes the same as providing a completely secured & locked down device (which users are revolting against in the first place).

Again, the question remains whether the reflex of IT to lock down the device is indeed appropriate, and does not constrain users in the way they feel the device can help them work more productively. The fact remains that applications such as Google Chrome or Dropbox are engineered specifically to bypass IT restrictions, by installing in the user profile (where the user always has write access) or by using standard communication protocols such as HTTPS to make it more difficult to block Dropbox traffic (and which open tunneling & proxy opportunities to more tech-savvy users). It is not surprising that the question of how to block these unwanted services keeps recurring and apparently cannot be answered definitively, given the very fast pace at which similar (cloud) services appear & disappear every day.

Therefore, to conclude, when devising a mobile device strategy, we recommend that our customers think out of the box and investigate not how to block applications or services, but rather how these services can be embraced and perhaps (partially) managed from an IT perspective. Obviously, this does not work well in all environments, but for many, it might provide a fresh and pragmatic perspective to relieve the phone & tablet consumerization pressure on the IT departments.

 

Key take-aways: 

  • Consider mobile devices to be insecure and very hard to lock down, and take this into account when devising strategies for delivering applications and data to these devices.
     
  • Try not to lock down the device, yet try to embrace the richness of these devices and the applications/services that come with them.
     
  • Governance is more important than technology when working with mobile devices: a common-sense policy to prevent users from storing confidential/sensitive information on mobile devices or in cloud-based services should be communicated, much in line with the awareness communication already performed for the danger of leaking information through USB devices or portable computers.

Categories: Security
