Three key considerations for a secure corporate network
Last year, Mad Money’s Jim Cramer predicted that the mobile Internet would bring the tech sector out of the recession, and his prediction is right on track. Sales of mobile devices are going through the stratosphere. According to Gartner, over 347 million smartphones were sold in Q1 2010. For the first time, global laptop computer sales are exceeding desktop system sales. The Apple iPad and tablet computers are becoming part of the business environment.
In short, businesses have turned to mobility to make the difference in their bottom line. Mobile technology, along with its benefits and challenges, is infiltrating the corporate landscape faster than any other technology out there. And the crush is on to support the mobile workforce like never before.
That’s the good news. The not-so-surprising, not-so-good news is that cyber-crime is up. The Federal Bureau of Investigation (FBI) notes that reported criminal activity was up 22.9% in 2009 from 2008. Losses more than doubled from $264 million in 2008 to about $560 million in 2009. According to MarkMonitor Inc., an online brand protection solutions company, online sales of counterfeit and gray market goods will cost companies more than $135 billion in 2010.
Along with mobile computing’s obvious benefits come headaches for the IT security folks who have to ensure the sanctity and tranquility of their networks. Three major considerations that security experts need to address are that traditional security models don’t work for several reasons; smartphones are sometimes too smart for their own good; and mobile applications downloaded from app stores by employees to their “personal-but-also-dialed-in-to-the-network” PDAs can wreak havoc.
Think Outside the Box
Laptops and netbooks are really PCs in a transportable form factor. However, smartphones are quite different animals. You can’t install typical security measures like a firewall, virtual private network (VPN), or anti-virus on smartphones like you’d traditionally install on a desktop or laptop. Doing so would put a major load on the phone’s CPU, causing reduced performance as well as eating up bandwidth and battery life. Not to mention that users can turn off such features (also a sure bet, if they’re losing bandwidth and battery life).
Bear in mind that mobile operating systems are quite different. For instance, mobile operating systems don't really multi-task, and a cool user interface doesn't necessarily mean a device is secure. Apple's iPhone, for example, has drawn criticism from IT managers for its lack of enterprise manageability. In response, Apple has developed a Mobile Device Management (MDM) service, but it still falls short when security and app stores come into play.
Unfortunately, application stores are fast becoming the biggest culprits and delivery systems for malware. A recently published study says that about 20% of the apps for sale in one store are already infected. Additionally, 5% of applications have the ability to place a call to any number without requiring user intervention; dozens of applications have the identical type of access to sensitive information as known spyware; and 2% of market submissions can allow an application to send unknown premium SMS messages without user intervention. Ouch!
Too Smart for Their Own Good
The obsession with having the “hottest” phone is driving the influx of smartphones into the enterprise environment from the executive level down, and iPhones and Droids are at the top of the hit list. The gotcha with these phones is that they are inherently insecure. ActiveSync isn’t secure enough, and native iPhone security isn’t by any means secure, so if you connect your smartphones using native security you’ve just blown any compliance you hoped for.
But it’s not all bad news; there are ways to safely integrate smartphones onto the network by maintaining their invisibility on the Internet and tightly controlling them via a policy-driven umbrella. Alternatively, you could form corporate policy to populate your network with BlackBerrys from RIM. Although they’re not viewed as the hot-ticket gadget, these smartphones can be secured, with the user experience regulated.
Corporate culture and management requirements need to be taken into consideration when deciding which position to adopt. There are some clear-cut options available. You can let users connect their various devices to the network, take the associated risks and throw compliance to the wind. You can go to the opposite extreme, allowing only corporate-issued devices on the network and having them guarded by a strictly centralized mobile and smartphone policy. Or you can take the middle ground, where you allow employees to connect their devices but have them comply with a centralized policy and maintain compliance enforcement.