by Paul Schwarzenberger, CISSP, CLAS
Here at HP we have noticed that many of our customers are embracing the concept of “consumerisation” – the desire of employees at all levels to use their personal mobile devices such as the iPhone, iPad, and Android phones, to connect to corporate systems such as e-mail, calendar, contacts and the intranet.
Consumerisation places the IT Director or Chief Security Officer in a challenging position – on the one hand, use of personal devices may increase productivity, mobility, employee satisfaction, and possibly even reduce cost for the organisation. On the other hand, placing corporate data on to a personal device could significantly increase the risk to the organisation of data loss, regulatory infringement and potential reputational damage.
How significant are the risks of allowing widespread use of personal mobile devices in an organisation? To help assess the overall risk, here are some examples of potential methods by which use of a personal smartphone could result in loss of an organisation’s confidential information:
- Viruses – while not as common as for laptops, there have been viruses developed to target smartphones
- Malicious apps – earlier in 2011, Google identified 58 apps within the Android MarketPlace as malicious and removed them. A malicious app could record voice calls, take screenshots or act as a keylogger and then upload information to a server on the Internet
- Synchronisation – when a smartphone is connected to a laptop or desktop via a USB cable, files are copied to and from the mobile device. This could lead either to data loss, or to a virus being introduced to the mobile from a home computer
- Productivity apps – the widespread popularity of apps such as GoodReader and DropBox means that a well-intentioned employee can easily place confidential information on unknown, uncontrolled servers on the Internet
- Encryption – many mobile devices do not have the capability of encryption. Where encryption has been implemented within a mobile operating system, in some cases there have been successful attacks to bypass the encryption password
From these examples, it may seem that the best approach for the IT Director or Chief Security Officer is to “just say no” to the requests coming in from employees to use personal devices. Or, to avoid thinking too much about the issue! But the former could result in a loss of productivity and employee dissatisfaction, while the latter could lead to significant data loss, damage to the company’s reputation or even large fines in the case of a regulatory infringement.
HP works with organisations to help them assess the value of their information, the regulatory requirements applicable to their sector, understand the potential risks, and examine options for technical solutions to minimise and reduce the risks. To support this, HP has developed an Enterprise Mobile Security architecture – a model which identifies the various security measures which can be taken to reduce risks to corporate data.
Significant elements of the Enterprise Mobile Security Architecture include:
- Business applications – understand which business apps are required – is it just e-mail, or are there other applications as well?
- Secure Container – separation of corporate data from personal data on the device
- Encryption – ensure that either the whole device, or just the corporate data is protected by encryption both for data at rest and data in transit
- Mobile Device Security – enforce the use of a password on the device, whitelist or blacklist apps, block jailbroken devices, prevent screen capture, ensure updates
- Device Management – monitor, audit, reporting, remote wipe of device, remote wipe of corporate data, remote unlock
A significant number of organisations have already implemented enterprise mobile security solutions, to allow the use of personal mobile devices, while retaining control of personal data. Examples can be found in many sectors ranging from the financial and legal sectors, to consultancy organisations and some parts of the public sector.
Many other organisations are now at the point where they are considering the best approach to take to solve the challenge of consumerisation.
Check out our 7 steps to plan for consumerisation.