Amazon Kindle Fire Meets Enterprise: Security Advice

How do you secure these devices, and prevent them from accessing the network, without help from your mobile device management system?
Amazon announced its new 7-inch tablet this week to much fanfare. Great price ($199), great specs, and even more important, it runs Google's Android operating system, giving the user access to apps, movies, and a whole slew of other content. Our take: The price point makes this thing a credible iPad killer, but it's also a shot across Google's bow because the Kindle Fire is highly customized by Amazon and does not provide access to Google's Android market. Now it's an Amazon vs. Apple discussion instead of Google vs. Apple.

Smart tactic for Amazon and great for the consumer, but what does it mean for your network? If sales of Hewlett-Packard's doomed TouchPad are any indication, my bet is that it will increase the rate of tablet adoption dramatically. When HP announced a steep TouchPad price drop, weekend hackers started snapping them up and hacking them to run Android, dynamic IT dashboards, and remote-controlled robots. With such a low price for the Kindle Fire, consumers -- read: your end users -- will soon employ them for all kinds of functions Amazon never intended -- and you never imagined, for that matter. Which leads us to the security issues that accompany any fast-paced consumer adoption and how you can address them.

First, the Kindle Fire runs Android, and like all Android devices, you would expect support from the major mobile device management providers. But you'd be disappointed. Amazon has decided that the Kindle Fire will not have access to the Google Android Market, where major MDM vendors put their apps. Only the Amazon Android Store is accessible, and MDM providers do not have their apps available in that store at the moment.


Second, if you do get your hands on an MDM client, it may not function properly on the Kindle Fire, at least at first. The hardware is different from other Android devices, and the OS, while Android-based, is a completely different user interface. Basic security functions your organization may require, such as pass code screens and encryption, may not function either.

On Nov. 16 (the day after the first preorders land on doorsteps nationwide) you will have people walking into the office with their new Kindle Fires and hopping on the company Wi-Fi to show off the sleek-looking tablet to envious peers. And to be fair to the Fire, this problem is applicable to any new consumer device, be it a smartphone, tablet, or netbook.

So how do you secure these zero-day devices, and/or prevent them from accessing the network, without help from your MDM system?

First, find out when your MDM vendor will support the device, and mark that day on your calendar so you can push out updates ASAP.

Second, if you want to prevent access from the Kindle Fire -- or any device -- set your Wi-Fi APs to deny access for the specific Organizationally Unique Identifier (OUI), the vendor prefix of the device's MAC address. Now, this isn't a perfect solution, because an OUI is assigned to a vendor, not a product: an OUI linked to Apple may block all iPhones, even though you only want to block iPads. Watch the help desk phones light up.

Third, leverage your vulnerability scanner, such as Nessus or Qualys, and use its operating system fingerprinting function to find devices that match the unsupported profile, then block those devices via the firewall or the access point. This is a manual process but shouldn't be too burdensome.

Fourth, if you're really concerned, get yourself a Wi-Fi intrusion-detection system -- technology that's custom built for the identification and authorization of wireless devices.

Finally, and in my opinion most important, get your priorities straight. Just let them on and realize that your network is public, but your systems are private. In other words, don't try to prevent the connection to the network; prevent access to the resource, such as the file server or email. MDM vendors provide the capability to default-deny any device that isn't registered with their software. In our Kindle Fire case, if we have this policy enabled, the employee can get access to Wi-Fi and show off but cannot access email, calendars, or the file server until the device is supported.
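To make the trade-off between the second tactic (OUI blocklisting at the access point) and this last one (default-deny at the resource layer) concrete, here is an added example that is not from the article or from any MDM vendor. It runs both policies over a few constructed access-point association log lines. Every MAC address, OUI, vendor name, hostname and registry entry in it is a constructed placeholder, not a real vendor assignment; a real deployment would look OUIs up in the IEEE registry and read device enrollment from the MDM.

```python
"""Added example: OUI blocklist at the AP versus registration-based
default-deny at the resource layer, exercised on constructed log lines.
All OUIs, MACs, vendors and hostnames are constructed placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed OUI -> vendor table. One vendor OUI covers many product lines,
# which is exactly why blocking by OUI over-blocks.
OUI_VENDOR = {
    "AA:BB:01": "TabletCo",   # placeholder: vendor of the unsupported tablet
    "AA:BB:02": "PhoneCo",    # placeholder: vendor of both a phone and a tablet
}

# Constructed association log lines in a hostapd-like shape.
AP_LOG = """\
Nov 16 09:01:12 ap-lobby-1 hostapd: wlan0: STA aa:bb:01:10:20:30 IEEE 802.11: associated
Nov 16 09:02:47 ap-lobby-1 hostapd: wlan0: STA aa:bb:02:55:66:77 IEEE 802.11: associated
Nov 16 09:03:05 ap-lobby-1 hostapd: wlan0: STA aa:bb:02:88:99:aa IEEE 802.11: associated
Nov 16 09:04:19 ap-lobby-1 hostapd: wlan0: STA cc:dd:ee:01:02:03 IEEE 802.11: associated
"""

MAC_RE = re.compile(r"STA ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_station_macs(log: str) -> list[str]:
    """Pull station MACs out of association lines, normalised to upper case."""
    return [m.group(1).upper() for m in MAC_RE.finditer(log)]


def oui_of(mac: str) -> str:
    """First three octets of a colon-separated MAC, e.g. 'AA:BB:01'."""
    return mac[:8]


def oui_blocklist_decision(mac: str, blocked_ouis: set[str]) -> str:
    """Tactic two: deny association for any MAC whose OUI is blocklisted."""
    return "deny" if oui_of(mac) in blocked_ouis else "allow"


@dataclass(frozen=True)
class Device:
    owner: str
    kind: str
    mdm_supported: bool


# Constructed MDM registry: only enrolled devices appear here.
MDM_REGISTRY = {
    "AA:BB:02:88:99:AA": Device("alice", "phone", True),
    "CC:DD:EE:01:02:03": Device("bob", "laptop", True),
}

RESOURCES = ("wifi", "email", "calendar", "fileserver")


def resource_decisions(mac: str, registry: dict[str, Device]) -> dict[str, str]:
    """Tactic five: anyone may join Wi-Fi; internal resources are default-deny
    unless the device is enrolled and its platform is MDM-supported."""
    dev = registry.get(mac)
    trusted = dev is not None and dev.mdm_supported
    return {r: "allow" if (r == "wifi" or trusted) else "deny" for r in RESOURCES}


def compare_policies(log: str, blocked_ouis: set[str],
                     registry: dict[str, Device]) -> dict[str, dict]:
    """Apply both policies to every station seen in the log."""
    report = {}
    for mac in parse_station_macs(log):
        report[mac] = {
            "vendor": OUI_VENDOR.get(oui_of(mac), "unknown"),
            "oui_blocklist": oui_blocklist_decision(mac, blocked_ouis),
            "resource_policy": resource_decisions(mac, registry),
        }
    return report


def collateral_blocks(report: dict[str, dict], registry: dict[str, Device]) -> list[str]:
    """Enrolled devices the OUI blocklist would keep off Wi-Fi: the help-desk
    calls the article warns about."""
    return sorted(mac for mac, r in report.items()
                  if r["oui_blocklist"] == "deny" and mac in registry)


if __name__ == "__main__":
    blocked = {"AA:BB:01", "AA:BB:02"}   # block both tablet vendors at the AP
    rep = compare_policies(AP_LOG, blocked, MDM_REGISTRY)
    for mac, r in rep.items():
        print(mac, r["vendor"], "AP:", r["oui_blocklist"], "resources:", r["resource_policy"])
    print("enrolled devices over-blocked by OUI:", collateral_blocks(rep, MDM_REGISTRY))
```

Running it shows the point of the article's last tactic: blocking the PhoneCo OUI to keep its tablet off the air also denies Alice's enrolled PhoneCo phone, while the resource-layer policy lets every device associate and still withholds email, calendar and the file server from the two unenrolled tablets.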

One other piece of advice from the trenches: If you see a phenomenon like the Kindle Fire coming your way, buy one or three and give them to the security and IT staff to play with, so they know what the device can and cannot do. You might be surprised at your team's ability to develop security controls and provide help desk support once they have had a chance to analyze new hardware. Plus, it helps build morale when the company encourages the "geeking out" of the IT staff via access to a cool new device.

