22-05-2013, 04:34 PM
Securing the mobile enterprise
Executive summary
The traditional network perimeter is more elastic than ever before. Mobile devices
such as tablets and smartphones are capable of so many day-to-day computing tasks
that they are gradually assuming a primary role in the device portfolio. Employees are
increasingly expecting to use their own devices on the corporate network.
The consumerisation trend can bring considerable productivity benefits to an
organisation, and may help to open up new markets. However, when viewed from
an information security and management perspective, consumerisation poses a
considerable challenge.
Computing surveyed 130 IT decision makers to understand the degree to which the
trend for multiple endpoint devices has penetrated the enterprise, and the
challenges that it is presenting to IT security professionals. This paper discusses
these survey findings and suggests some ways to overcome the challenges.
Evolving expectations of the mobile landscape
Mobile computing has become such an integral part of our working lives that it is
sometimes difficult to remember how we managed without it. The social networks
that, to varying degrees, touch the lives of most of “Generation Y” rely on constant
connectivity and instant updates. The idea of accessing the internet via a stationary
PC must seem positively archaic to anybody under the age of 30.
Earlier this year, Gartner drastically lowered its forecast for PC unit shipments for
2011 and 2012. Key to Gartner’s revised forecast was its reduced forecast of mobile PC
shipments, fuelled by the incredible rise in the rate of adoption of smartphones and
tablet devices. As recently as two years ago, analysts such as Gartner believed that
mobile PC growth would remain steady, and that other mobile devices would be
purchased in addition to, rather than instead of, such devices – mainly for personal
use. What no analyst saw coming was the increasing rate of adoption of mobile PC
alternatives as primary mobile devices – especially in the consumer marketplace.
It has not just been analysts that have been caught out by the rise of the
smartphone and tablet. The growth in personal mobile devices has outstripped the
pace at which IT and security teams have been able to adapt their policies and
enforcement tools. The unfortunate truth is that many IT organisations are only
just beginning to get their heads around the security implications of the
proliferation of mobile devices across the enterprise.
Consumerisation for the nation
The use of multiple devices at work is one element of this discussion. Perhaps more
significant is the actual ownership of these devices. Much has been written about
the consumerisation of IT, the key aspect of which is the use of personal mobile
devices to access corporate data. The effect of consumerisation on the enterprise is
far from uniform, but the fact is that the growth in the numbers of personal devices
is causing ever-increasing amounts of corporate data to reside outside of the
corporate firewall. The traditional network perimeter is becoming ever more elastic,
and in some cases, is beginning to erode entirely.
Computing asked: “What proportion of your employees expects to use their
personal smartphones for work purposes?” The largest number of respondents
(31%) stated that less than 10 percent of their employees did so (Fig. 3). This, along
with findings from the previous question, indicates that despite the increasing
elasticity of the corporate network perimeter, a majority of organisations still
probably expect their mobile employees to focus on their work laptop as their
primary means of email and internet access. This is, after all, a model embedded at
considerable capital cost into the majority of corporate IT infrastructures.
However, 23 percent of those responding estimated that 10 to 29 percent of
employees wanted to use personal smartphones, and 13 percent put the number at
between 30 and 49 percent (Fig. 3).
Security implications of consumerisation
It is arguable that the consumerisation of IT can bring huge benefits to
organisations in terms of new markets and new productivities. However, as stated
at the beginning of this paper, it is also challenging the traditional security
infrastructure and mindset. Computing asked: “Are you 100 percent confident that
you know about all of the devices accessing your corporate network?” Only 53
percent of those responding said yes (Fig. 4).
Mobile device management
The threats being posed to business organisations from the proliferation of
endpoint devices, particularly those based on the Android platform, are clear. So,
what are these organisations doing to mitigate the risk?
Computing asked: “What is your organisation doing to reduce the risks of smartphone
usage?” The responses to this question indicate that business organisations are very
much aware of the threats outlined above, with 54 percent updating corporate
security policies to take account of smartphones and other endpoint devices and the
same proportion actively educating users about sensible usage (Fig. 5). Forty percent
are taking the sensible but surprisingly often overlooked step of ensuring that
all mobile security software, such as anti-virus, personal firewalls etc., is up to date,
and 30 percent are reviewing mobile security as a whole.
Focus on the data, not the device
The proliferation of endpoint devices within the enterprise has highlighted the
shortcomings of one of the traditional approaches to data security, with different
teams responsible for managing different aspects of device ownership such as asset
management, security, policy etc. and different software sets being used to secure
different devices. Organisations have often focused on devices rather than looking
at corporate data as a whole, regardless of where it may reside. Indeed, the majority
of those polled (54%) said they run different solutions for different devices and 13
percent were unsure whether or not this was the case.
It is easy to see how this device-focused approach has taken hold within the
enterprise. The speed of proliferation of endpoint devices has caught business
organisations by surprise, and budgets have often not kept pace. However, our
findings would suggest that many organisations are aware that approaching devices
separately may not be the best option.
When asked whether their organisation would benefit from a more consolidated
approach to information security, 47 percent answered yes. Only 26 percent were
confident enough to answer no, with the remaining 27 percent unsure (Fig. 7). Fifty
percent of respondents stated that they were actively considering consolidating
their mobile security device systems within the next year.
Conclusion
The speed at which multiple mobile devices have become part of the corporate
environment has heightened the already considerable challenges facing security
professionals in ensuring that corporate data remains secure. The chances of
becoming a high-profile casualty of data loss, with the associated damage to brand
and credibility as well as to compliance with industry or government regulations, are
higher than ever before.
The optimum way to approach this challenge is to ensure that clear policies are set
out with reference to mobile devices, including those owned by the employee, and
that these policies are communicated effectively. Corporate policy should be
combined, as much as possible, with the education of end users on secure use of
mobile devices. This policy and education should then be enforced, preferably with a
consolidated software set.