Ultraportable gadgets now let employees access information on demand through 2G, 3G, Wi-Fi, and Bluetooth networks, often on a single device, and application vendors are taking notice (see story, "Is The Smartphone Your Next Computer?"). Smartphones handle Web browsing, synchronize with enterprise messaging systems, support multiple VPN methods, and run an ever-broadening range of business applications, making them attractive as primary connectivity devices. In a recent InformationWeek poll of 1,139 business technology professionals, 30% of smartphone users say they use the devices for enterprise connectivity, and 37% either occasionally or frequently leave their laptops at home in favor of smartphones.
This is a compelling business opportunity or a potentially disastrous data leakage risk, depending on your perspective.
To help prevent the latter situation, we're launching a Rolling Review focused on managing and securing smartphones. If these devices are incorporating PC-like functionality, they need to be subject to the same security and governance policies that cover desktops and laptops.
Enterprise-class mobile devices are no longer bogged down with half-baked apps that are more trouble to use than they're worth. Employees expect to be able to access data anywhere, reply to e-mail from the road, and text or send Twitter messages in real time. That's fine if they're discussing where to meet for lunch, less so if they're sending sensitive financial information that's subject to regulatory restrictions.
Certainly, mobile devices aren't yet as powerful or flexible as their larger counterparts. But perceiving even the current generation of smartphones merely as innocuous handsets is a grave mistake.
In this Rolling Review series, we'll dive into the risks facing smartphones and discuss the full range of security controls (and we don't mean just products) that can be employed to properly protect corporate information and equipment. As the saying goes, "With great power comes great responsibility." Smartphones are capable of carrying some of the most critical and sensitive information that your organization has, typically without benefit of inclusion in a comprehensive security plan. That's a recipe for disaster.
HANGING OUT IN THE BREEZE
Smartphones possess all the elements of PCs--an operating system, applications, data storage, and network connectivity, as well as the ability to integrate remotely with the corporate IT infrastructure via a VPN--so it's reasonable to guard against the same risks PCs face: viruses, malware, theft, accidental loss, unauthorized access, and hacking attempts. Compared with PCs, the quantity of known smartphone malware is small--there are only a few mobile device viruses currently in the wild, a fact that leads some to conclude there's not much to worry about. But as use of any new platform rises, so too does interest from rogue coders tempted by possible financial gains. We fully expect to see more attacks that focus on exporting stored data via covert channels.
Additional smartphone threats arrive through a variety of vectors, including e-mail, SMS, Multimedia Messaging Service, Bluetooth, and file downloads from the Web via Wi-Fi and cellular data networks. Because corporate devices use semipublic data networks, via the cell phone provider or just about any Wi-Fi network, the traditional perimeter model can finally be declared completely dead. Though these phones house trusted data, they are nowhere near being behind the corporate firewall and intrusion-detection and -prevention systems.
As for running only corporate-approved applications, you can forget that as well. Though your company might have a policy forbidding installation of apps on a phone, users are likely to do it anyhow, and there are few controls for preventing them--certainly nothing like what you'll find for PCs.
And what about data stored on a phone's MicroSD card? Consider a salesperson having a drink with a rep for a competitor at a trade show. All it takes is a phone left on a bar, and data ranging from spreadsheets and presentations to client lists could be gone in a flash. The in-box likely contains business-sensitive attachments, the contact database includes lists of current (and future) clients, and calendar entries can reveal a great deal about meetings. Because most smartphones don't require a password once they're powered on, whoever picks up the phone might even reach the corporate network through an already-configured VPN client.
Given the evolving capabilities of smartphones, the biggest danger to IT is underestimating the power, functionality, and impact that these devices will have on the enterprise security model. The message seems to be getting out: In InformationWeek's 2008 Strategic Security Survey, we asked why organizations are more vulnerable this year than 12 months ago. The No. 1 reason, cited by 72% of the nearly 1,100 business technology professionals surveyed, is that there are more ways to attack corporate networks, including via wireless. You need to put a policy in place, and you need to do it now.