As vice president of IT at Windsor Foods in Houston, Stephan Henze has to stay one step ahead of the latest IT trends. That's why he's spending a lot of time thinking about securing and deploying smartphones enterprisewide. The company had only a few-dozen smartphones just a short time ago, but IT now manages about 100 of them, and Henze foresees substantial growth in the near future.
The task of securing smartphones keeps getting hairier, Henze says, while the company's need for mobile communications grows stronger, even on the shop floor, where maintenance engineers will soon receive automatic SMS alerts on their phones.
He's not sure he can continue to enforce the company policy of supporting only Windows Mobile-based phones, yet nonstandard devices will complicate his security efforts. He is well aware that for some people, a smartphone is a fashion statement. "With PCs, I was able to tell them we're not a Mac environment, but I'm not sure I can do that with phones down the road," he says.
Henze is among a growing number of IT and security leaders grappling with the challenge of securing these increasingly popular devices. The primary concern, of course, is the risk of exposing sensitive data if a phone or removable memory card is lost or stolen. Data can also be exposed if a phone is sold or sent in for repairs without its memory first being erased.
There's also the risk that VPN-connected devices could expose corporate networks to hacker and malware intrusions. And there's a growing potential for viruses to attack the phones themselves through SMS hacks and other exploits. "If I take your device and muck around with it, what if the VPN is set up on it?" asks Philippe Winthrop, an analyst at consultancy Strategy Analytics Inc. "It's a huge risk not being dealt with enough today."
10 smartphone security risks
Here's a look at 10 common smartphone security risks, with tips for dealing with them from Gartner analyst John Girard:
1. No configuration management plan.
Tip: Responsibility for managing smartphones should be given to the same staffers who provision and manage PCs.
2. No power-on password, or a weak password policy.
Tip: Several vendors' device management consoles allow you to configure password complexity rules and password reset questions and answers.
3. No inactivity timeout/auto-lock.
Tip: Timeout policies should be enforced over the air through your device management console, so that the enterprise can maintain near-real-time control.
4. No auto-destruct/data-wiping plans.
Tip: Two methods should be used: over-the-air commands and locally initiated wipes. The latter should occur after a password has been entered incorrectly a certain number of times or when a device has been off the network for a predefined amount of time.
5. No memory encryption rules.
Tip: Major enterprise smartphone operating systems provide settings for enforcing encryption.
Complicating matters, users are apt to view smartphones as their own personal gadgets, not something IT should control. "There's a deep underlying current of 'This is my mobile device,' " says John Girard, an analyst at Gartner Inc. A user will often see his smartphone as something that's "blue and plays music," not as an asset that needs to be secured, he says.
Smartphones' multimedia capabilities raise other concerns, Girard says. For instance, company policy might prohibit moving corporate documents to external media, but is there a policy that governs using a smartphone to take photographs in the office or record meetings?
Many companies try to take control by purchasing standard phones for employees -- a move that at least enables them to support just a single operating system. But even then, users may adhere to the standard only loosely, says Paul DeBeasi, an analyst at Burton Group. "I see employees who have the company phone in their left pocket and their personal phone in their right," he says.
Indeed, in a recent study of 300 companies in the U.S. and Europe by Good Technology Inc., a vendor of mobile security and management tools, nearly 80 per cent of the respondents reported an increase in the number of employees who wanted to bring their own devices into the workplace in the past six to 12 months, and 28 per cent reported a data breach because of an unauthorized device.
Despite all of the security risks, "two out of three organizations are struggling in terms of not only defining but enforcing IT and business policies around mobility," Winthrop says.
Girard concurs that companies have been slow to realize the implications of a phone-related data breach. "If clients do call and ask about phones, they're asking me to render an opinion that reduces their liability for employees using smartphones, [rather than] trying to do something to improve security," he says. "I'm waiting for the level of concern to grow up and match what exists for PCs."
And it should. Whether companies buy smartphones for employees or just allow their use, it's the company that's liable if data gets exposed, Winthrop says.
Technology to centrally secure and manage smartphones, whether via a third-party platform or from smartphone vendors themselves, does exist. Most analysts agree that, among smartphone vendors, BlackBerry maker Research In Motion Ltd. (RIM) and Microsoft Corp., with its latest version of Windows Mobile, provide the best management platforms.
For other devices -- or for companies that support phones from multiple vendors -- there are a variety of options, including management software from vendors such as Credant Technologies, Good Technology, Sybase, Trust Digital, Trend Micro and MobileIron, among others. Key capabilities offered by such platforms include centralized control of the following:
* Password management.
* Authentication authorization.
* Strong encryption.
* Inactivity timeout, in which users are logged out of an application session after a specified period of inactivity and are prompted for a password to restart.
* Remote wiping of memory if a device is lost or stolen or if the user enters his authentication credentials incorrectly a given number of times.
At Robinson Lerer & Montgomery LLC, CIO Jeff Saper has approached the security challenge by standardizing on the BlackBerry, which is issued to all employees at the New York-based strategic communications firm. Saper uses several of the 450 wireless IT policies and commands provided by BlackBerry Enterprise Server. The firm has also used Good Technology's platform to handle Palm and Treo devices, but Saper turned exclusively to BlackBerries when he decided to keep things consistent on a single platform.
10 smartphone security risks
(continued from previous page)
6. No master plan for backup and synchronization.
Tip: Use a secure, over-the-air backup-and-restore tool that performs periodic background synchronization.
7. No e-mail-forwarding barriers.
Tip: Forwarding of e-mail and attachments can be regulated with server-side settings of a corporate e-mail system, and additional filtering is available through commercial data loss prevention filters.
8. No application certification rules.
Tip: Private keys can be used to restrict which applications are allowed to install or execute.
9. No default browser permission rules.
Tip: Choose browser default settings that comply with company policy when phones are provisioned, to avoid providing an entry point for malicious code.
10. No plan for dealing with smartphone diversity.
Tip: Set a policy that defines what levels of support different devices will receive. Assign smartphone support to a single IT group.
Security measures include inactivity timeouts after 10 minutes of nonuse, and remote wiping of the devices if there is any fear of data compromise following a loss or theft, or if the password is entered incorrectly more than 10 times. "Even if someone could hack the password, it's safe," Saper says.
Most important, he says, users can't disable any of the security functions.
With remote wiping, it's important that data is backed up to the BlackBerry server so that it can be restored, Saper says. He can restore message history too, because the server ties into Microsoft Exchange. Such backups can make clear what data is on a device and hence what would be vulnerable if the phone were stolen, Girard points out.
While other platforms can perform remote wipes, the BlackBerry server also provides confirmation that the wipe was accomplished, which would give a company a stronger position if a case involving a smartphone data breach ended up in court, he says. "If you can't prove you did the wipe, it doesn't sound good," he adds.
Girard also believes it's important to set devices to time out after periods of inactivity. He recommends setting inactivity timeouts at one to five minutes for devices with high-value information, no more than 10 minutes for those with medium-value data and no longer than 15 minutes for those with low-value information. To resume using the device, employees should have to re-authenticate by entering a strong password.
That's easier said than done. "Because it's mobile, people think it's supposed to be easy, and they resist having to type in a seven- or 12-digit code," Girard says. "But you can't just have a four-digit code, because there's a very real chance of someone observing you typing it in."
Girard has also had clients who allow more than 10 password retries before deactivating a device. That's a highly questionable policy. "Even if you're drunk, you should be able to get in after that many tries," he says.
Christopher Barber, CIO at San Dimas, Calif.-based Western Corporate Federal Credit Union (Wescorp), supports two devices, the BlackBerry and Apple Inc.'siPhone 3G. The iPhone runs e-mail and a relationship management application used by salespeople. To secure the iPhones, Barber set up a standard security profile that includes all the safeguards he wanted, with Microsoft Exchange Server pushing it out to the devices.
He uses RIM's Enterprise Server for the BlackBerries. Security features include strong password protection, encryption and remote kill capabilities.
Data out the door
"Our biggest concern with any smartphone is [that] it acts as a storage device," Barber says. "Users can plug it into the USB, download company files and walk out the door with them." With the global profile, however, he can enforce password strength and encryption, so even if users do put sensitive data on a portable device, there is a reduced chance of someone else accessing it if the phone is misplaced or stolen.
Lax smartphone security
Only 23 per cent of smartphone owners use the security software installed on the devices. (Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009)
Taking a centralized approach to encryption is key, Girard says. All the well-known vendors have an encryption feature for their phones, "but unless the company takes enterprise control, it's strictly optional," he says.
But Barber says that securing smartphones is a matter of managing risks, not covering every base. He says he recently saw a YouTube video of someone who used a hacking program to break into an iPhone that was password-protected and encrypted. He also says the iPhone's removable SIM card is a vulnerability, because if a thief removes the card, the phone won't be able to receive a remote kill command because it won't be able to connect to the corporate network.
To offset this risk, Barber relies on a combination of policy and education.
"We train everyone not to put sensitive data on the iPhone," he says. In the future, he hopes to back that up with data loss prevention technology, which would monitor data being moved into an e-mail attachment or USB drive. "We're as comfortable as we can be, but there's always risk."
At Windsor Foods, Henze has also gone the centralized management route, using MobileIron's Virtual Smartphone Platform. The decision was based on his desire to manage not just security from one platform, but also carrier contracts and deployment. In addition, while he has standardized on Windows Mobile devices, he wanted to be sure he wasn't locked into that decision. MobileIron supports BlackBerries and iPhones and plans to support Symbian and Android devices.
Henze started with the basics, such as password management, auto-disable and remote wipe, but is adding centralized encryption. The platform also backs up applications and data on the phones and reports on configuration and memory utilization, which speeds troubleshooting. It also takes inventory of applications stored on the phones and disables any that aren't approved.
Henze also notes that the help desk manages the smartphones rather than a senior network engineer. In fact, a portal enables users to check on their phone usage and even perform tasks such as remote wipes and configuration themselves. "The [MobileIron] appliance makes it easier from an IT perspective," he says.
For Henze, the work of smartphone security has just begun. For instance, he's considering integrating digital rights management with the smartphone management platform.
"Let's say a person working with us has a laptop full of confidential information, and he gets terminated," Henze says. "With digital rights management, the device would check in with the authentication server to see if he's still a legitimate user, and if he isn't, he wouldn't be able to read those files anymore." This works better than remote wipe, he says, because if files are stored on a removable card, there is no way to delete them.
There have been concerns from some users about the Big Brother aspect of having IT monitor their phones. However, this concern is outweighed by the fact that IT can provide better service when it comes to new phone deployments, replacements and remote troubleshooting, Henze says. For instance, IT will be able to configure a new phone right after it's purchased, rather than taking three or four days. "They'll be up and running in no time, and when that happens, they'll appreciate it," Henze says.
In the end, there's no single means of maintaining security as more and more smart phones enter the enterprise, whether they're issued by the company or brought in by employees. But what's certain, says Winthrop, is that you can't just give employees free rein. It's not uncommon for IT to allow individuals to be responsible for their own devices, or even encourage the idea. But in the end, he says, it's the employer that's liable if data gets leaked.
"There's a fascinating issue here, in that employees don't think too long or hard about which laptop they're going to get," Winthrop says. "But they're absolutely going to ask 'Why did or didn't they give me a BlackBerry?' or 'Why can't I bring in my iPhone?' or 'I wonder if I can get a [Palm] Pre?' " But even if organizations want to cater to every user's desire, he says, they need to take into account the need to manage the devices and the information that passes through or is stored on them.
In fact, smartphones should be viewed not as phones, but as PCs that happen to make phone calls, Winthrop says.
According to Henze, that notion has turned the world inside out. "In the old days, there was the Internet, the intranet and the internal corporate network," and each was distinct from the other. But today, with miniature yet powerful mobile devices carrying data wherever a person can go, "the egg is scrambled," Henze says. "Data sits wherever, and it's much more difficult to get ahead of it."
Brandel is a Computerworld contributing writer. You can contact her at firstname.lastname@example.org.