Here’s the quandary: Employees want to be able to access
e-mail, corporate data and applications on their handheld devices—anytime, anywhere.
IT management wants to protect the company’s information assets and believes
mobile devices such as smart phones are the Achilles’ heel of the IT operation.
Can the two sides come to terms?
They really won’t have a choice, as mobile broadband becomes
pervasive and a growing number of employees bring their tech “toys” to work.
Apple’s recent announcement that its iPhone will soon work directly with
Microsoft’s Exchange Server 2003 and 2007 will undoubtedly result in a flood of
iPhone users requesting—or demanding—to use these devices to hook into the
corporate network. On the other hand, the increasing theft of corporate data—especially
when stored on mobile devices—has placed a huge burden on the IT department.
So what’s an IT manager to do? Fight a no-win battle, or
find a way to increase the security of mobile devices?
“There’s no question that allowing sensitive data to move
outside the enterprise increases the risk that the information will fall into
the wrong hands,” acknowledges Vadim Lander, distinguished engineer and chief security
architect at CA. “There are also privacy and compliance issues that must be
considered.
“But there’s also no doubt that mobile computing increases
employee productivity, especially for people who spend most of their time in
the field. So corporate and IT managers need to find the right balance between
risk and productivity.”
The best way to accomplish that, Lander says, is by
implementing multi-layered, end-to-end protection that covers mobile devices, networks
and users. “Your company’s security
policy should cover all devices, all networks and all users, while keeping a
watchful eye on anything suspicious,” he explains.
“All mobile devices should be configured with anti-virus and
anti-malware software. You should have a strong security policy and a process
to validate that each device is in compliance. Plus, you must be able to erase the
information on devices remotely in the event they are lost or stolen.”
When it comes to the network, Lander advises that all data
going to and coming from mobile devices be encrypted. And he recommends that
mobile users identify themselves to the network with two-factor authentication.
Taking Best Practices on the Road
“Companies must take a proactive approach to security,
especially when mobile devices are involved,” Lander says. “With proactive
security, if there’s any suspicious activity from a mobile device, you can turn
off that unit’s access to the network—and, if necessary, erase the device.”
Other best practices for mobile security include:
- Implement end-to-end security.
- Get executive buy-in for a strong security policy.
- Provide security training to all mobile users and explain the liability issues involved.
- Centralize management of all mobile devices.
- Provide strong encryption and two-factor authentication.
Lander predicts that as more enterprises begin to support
and manage mobile devices, there will be increasing adoption of authentication
and authorization technology. “In the future, biometric technology will be
deployed on handheld computing devices,” he says. “For example, one day, you
may have a fingerprint scanner on your BlackBerry or iPhone.
“Eventually, the controls needed to authenticate a
particular user to a device and network will be baked right into the network infrastructure,
and no one else will be able to use that device to access the network.”
Asked about the balance between risk and productivity,
Lander replies, “Companies will have to figure out how to achieve the right
balance, because mobile devices are not going away, and employees want to be
able to handle their business and personal needs on one device.”