As with laptops before them, the growing use of smartphones and tablets extends the corporate network beyond the physical boundaries of the enterprise. In fact, recent research from IDC estimates that the number of mobile workers accessing enterprise systems worldwide will hit 1.2 billion by 2013—representing more than one third of the world’s workforce. As such, enterprise security needs have intensified due to this growing diversity of threats.
“Mobility has added a new dimension to enterprise network security,” says ABI Research practice director Dan Shey. “Convergence of communications and the growing use of social networking and smart devices are diversifying the environments containing potential threats.”
The diversity of threats and the escalating risk to enterprise networks require multiple levels of security spanning several technologies. There are perimeter security solutions—those solutions that protect the network itself—and endpoint security solutions—those solutions on the devices themselves that help keep them, and the enterprise network, secure.
Authenticate the users
Controlling access to the network itself is the first line of defense against threats. Two-factor authentication is a good start. By requiring anyone accessing enterprise data to use two-factor authentication, the enterprise can prevent a majority of data breaches. This is the simplest, most basic form of security.
Strong authentication is currently deployed, but not broadly. Only 30% of enterprises use strong authentication as the primary method for authenticating employees and contractors into the corporate network, with 43% of enterprises using strong authentication for VPN access only and 27% using no form of strong authentication at all.
According to Forrester Research, 67% of companies don’t require advanced authentication policies or apps from partners accessing their corporate networks, even though the risk they present is the same as an employee. Moreover, 29% and 32% of companies are either not interested in implementing or have no plans to implement strong authentication for their partners or customers, respectively.
Control access to the wireless network
“Wi-Fi networks are now as important as wired networks in the enterprise. Users expect safe, ubiquitous, fast access for business applications,” says Jesse Frankel, product marketing manager, AirMagnet. “Stretched IT staff need independent, automated, 24/7 monitoring tools to ensure secure, reliable connectivity.”
“Networks are designed for PCs,” says Ozer Dondurmacioglu, manager, product marketing, Aruba Networks. “We need to have different rules for mobile devices due to their different OSes.”
“You need a purpose-built product for wireless security,” agrees Frankel.
Mobile device access control products for Wi-Fi networks, such as those from AirMagnet and Aruba, can detect device types, authenticate devices, and download a self-generated authentication certificate if one is not available. In some products, device fingerprinting is built into the authentication process, which allows IT managers to apply device-specific policies to different types of mobile devices. Another problem is guest use of the wireless enterprise network.
“In these cases, we recommend setting up a guest network which runs in the same Wi-Fi space as the enterprise Wi-Fi,” says Dondurmacioglu. This guest network should have a firewall between it and the enterprise network data. In addition, IT managers can set a bandwidth cap on guest traffic so that the entire network isn’t bogged down. Access controls such as requiring a logon and registering a mobile phone number with the guest Wi-Fi will further ensure network security.
“Rogue APs running in the middle of the Wi-Fi network are a significant threat,” adds Dondurmacioglu. Rogue devices are unsecured and create interference, and IT needs to move quickly to secure or remove these devices. Network access control programs enable such rogue detection.
Securing and managing corporate data on a mobile device without touching the user’s personal data is the purpose of mobile device management software. Union Bank’s Steve Chong, manager of messaging, and Rob Walters, SVP of distributed computing services, recently deployed Good for Enterprise.
“We place a lot of focus on security because we are a financial institution and we handle customer data,” says Walters. “Security must be our top priority, and we are always thinking about it.”
“The reason for the Good deployment was to isolate corporate data on individually-owned devices,” says Chong. “And at the end of the device life cycle, we only wipe the corporate data, we don’t have to set the phone back to its factory defaults.”
Mobile device management is a good security step, but it doesn’t solve all security problems.
“We haven’t had any known security breaches, but there are still security concerns around devices,” says Walters. “They can be used as USB keys and vectors to take sensitive data out of the enterprise. We need to implement security controls to account for this.”
Future threats: mobile malware
As more users access the Internet from an ever-expanding pool of devices, Web-based threats will continue to grow in size and sophistication. According to McAfee, the number of new pieces of mobile malware in 2010 increased by 46% compared with 2009. In addition, there were 20 million new pieces of malware in 2010, equal to nearly 55,000 new threats daily.
Mobility risks that businesses should consider include an increase in cyber attacks, which are more difficult to manage and prevent, and IT policies that are difficult to monitor and even more difficult to enforce, which usually results in non-compliance.
Some security threats can’t be overcome with data encryption, secure connections to the enterprise, or secure mobile devices. One such threat is posed by using Web-based e-mail applications on public kiosk devices.
“There is only so much social engineering you can teach a user to ensure he is a good user: teach them to log off and clear the cache every time they check e-mail,” says Mark Rothman, president and CEO, Messageware. “But that is not enough.”
Security threats in using Outlook Web Access (OWA), a popular Web-based e-mail client, include vulnerable sessions, as OWA can still be open in the background when the user thinks it’s closed. Security issues also occur when the browser tries to download an attachment; the Web browser opens the attachment unbeknownst to the user, and even after that browser window is closed, the document still exists in the Temp folder on the kiosk device.
Messageware OWA was developed to overcome these and other security problems inherent in OWA. Using a point solution such as this can overcome security issues that can’t be solved with any of the other technologies described in this article.