Securing Mobile Devices in the Business Environment


Published on

As the world becomes more interconnected, integrated and intelligent, mobile devices are playing an ever-increasing role in changing the way people live, work and communicate. But it is not just happening in personal life: Smartphones and tablets are also being rapidly adopted by enterprises as new work tools,joining existing laptops and desktops. The use of mobile devices for business has experienced an explosive growth in the past few years and will only accelerate in the near future.

And while the BlackBerry®has been the de facto mobile device for business for many years, the availability of other smartphones and tablets with broader consumer appeal, such as iPhone® and Android™ devices, is fundamentally changing the game.Employees are now bringing their own mobile devices to the workplace and asking companies to support them. These new devices offer improved hardware performance, a more robust platform feature set and increased communication bandwidth,expanding their capabilities beyond voice and email. As a result,however, this increased access to enterprise systems can also bring an increased security risk to the organization.

This paper explores how companies can more safely introduce employee- or corporate-owned mobile devices into the work-place, identify the risks inherent in their broader access to corporate data, and derive enhanced business value.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Securing Mobile Devices in the Business Environment

  1. 1. IBM Global Technology ServicesThought Leadership White PaperOctober 2011Securing mobile devices inthe business environmentBy I-Lung Kao, Global Strategist, IBM Security Services
  2. 2. 2 Securing mobile devices in the business environmentAs the world becomes more interconnected, integrated andintelligent, mobile devices are playing an ever-increasing role inchanging the way people live, work and communicate. But it isnot just happening in personal life: Smartphones and tablets arealso being rapidly adopted by enterprises as new work tools,joining existing laptops and desktops. The use of mobile devicesfor business has experienced an explosive growth in the past fewyears and will only accelerate in the near future.And while the BlackBerry® has been the de facto mobile devicefor business for many years, the availability of other smartphonesand tablets with broader consumer appeal, such as iPhone® andAndroid™ devices, is fundamentally changing the game.Employees are now bringing their own mobile devices to theworkplace and asking companies to support them. These newdevices offer improved hardware performance, a more robustplatform feature set and increased communication bandwidth,expanding their capabilities beyond voice and email. As a result,however, this increased access to enterprise systems can alsobring an increased security risk to the organization.This paper explores how companies can more safely introduceemployee- or corporate-owned mobile devices into the work-place, identify the risks inherent in their broader access to corpo-rate data, and derive enhanced business value.Mobility brings both advantages and risksto the enterpriseAs employees bring mobile devices into the workplace, manyorganizations are motivated to encourage their use for businesspurposes, because they tend to drive:● Increased employee productivity—Mobile devices can giveemployees access to corporate resources and enable continu-ous collaboration with colleagues or business partners.● Improved client services—Sales or support employees whoregularly interface with customers may respond more effi-ciently, directly increasing customer satisfaction.● Reduced IT cost—By allowing employees to use, and oftenpay for, their own mobile devices and wireless services, compa-nies potentially save IT spending on device purchases as wellas management and communication services.There are some cautions, however. Companies need to fully rec-ognize that when employees connect mobile devices to theenterprise and merge both business and personal data, thosemobile devices must be treated just like any other IT equipment,with appropriate security controls. If security is not addressed atthe outset, these mobile devices may become a point of securityweakness that threatens to disclose business information orbecome a new channel to introduce security threats to the com-pany’s IT infrastructure and business resources. Many IT depart-ments are finding significant challenges in securing mobiledevices, for a variety of reasons:● A range of mobile device platforms, such as BlackBerry,Symbian®, IOS®, Android and Windows Mobile, needs to besupported, and each platform brings with it a unique securitymodel. Other than the BlackBerry platform, most startedas consumer platforms and lack enterprise-strengthsecurity controls.● Business and personal data now coexist on the same device.Finding a balance between strict security control and privacyof personal data, particularly when the device is no longer acorporate-issued asset, can be challenging.● Unauthorized or non-business oriented applications have thepotential to spread malware that affects the integrity of thedevice and the business data residing upon it.● Mobile devices are prone to loss and theft, due to their small-size and high-portability. Whenever a device is lost, corporatedata is at risk both on the mobile device and within the corpo-rate network.
  3. 3. 3IBM Global Technology Services● Many mobile devices are always on and connected, so vulnera-bility to malicious attacks increases through different commu-nication channels.● Mobile technology is advancing quickly and becoming increas-ingly complex. Many companies do not have enough resourcesor skills in house to fully embrace mobile technology inthe workplace.Security threats to mobile devicesThe security of mobile devices has become a top concern formany IT executives. Hackers are discovering the benefits ofcompromising both business and personal data contained withinmobile devices. Because many mobile platforms are not nativelydesigned to provide comprehensive security, hackers have astrong incentive to develop new techniques or create mobile-centric malware specifically for these devices. In a recentIBM X-Force® security research report, mobile operating sys-tem vulnerabilities have increased significantly (see Figure 1) andexploits of vulnerabilities are also on the rise (see Figure 2).1Figure 1: Total mobile operating system vulnerabilities.2001801601401201002006 2007 2008 2009 2010 2011806040200Total mobile operating system vulnerabilitiees2006-2011 (Projected)Mobile OS vulnerabilites403530252006 2007 2008 2009 2010 201120151050Mobile operating system exploits2006-2011 (Projected)Mobile OS exploitsFigure 2: Mobile operating system exploits.The latest smartphones are designed to provide broad Internetand network connectivity through varying channels, such as 3Gor 4G, Wi-Fi, Bluetooth or a wired connection to a PC. Securitythreats may occur in different places along these varying pathswhere data can be transmitted (see Figure 3). When a devicedownloads a new mobile application from any online applicationstore, the software may contain malware that can steal or dam-age data on the device and, in some cases, even disable themobile device itself. Most mobile devices now have Internetconnections, so common web-based threats that have attackedlaptops or desktops may also apply to mobile devices. A deviceconnected through Wi-Fi or Bluetooth is at greater riskbecause the Wi-Fi source or the other Bluetooth-enableddevice may have been compromised and can play a role in a“man-in-the-middle” attack (when a hacker configures a laptop,server or mobile device to listen in on or modify legitimatecommunications) or other attack type.
  4. 4. 4 Securing mobile devices in the business environmentFigure 3: Flow of data transmission.Because of the variety of communication mechanisms availableand increasing use of business applications on mobile devices,the security threats to mobile devices have evolved to all thethreats applicable to desktops or laptops, plus new threats thatare truly unique to mobile devices. Therefore, mobile devicesneed to be protected with an even broader set of security tech-niques than those employed for traditional desktop or laptopoperating environments.No matter what the threats are, the targets that hackers try toaccess and exploit typically consist of one or several of thefollowing:● Credentials to access business or personal accounts● Confidential business or personal information● Phone or data communication services● The mobile device itselfMobiledeviceTelco serviceproviderWi-Fi deviceInternetMobiledeviceCorporateVPN GatewayApp storeWeb siteCorporateintranet(Bluetooth enabled)Mobile deviceA threat can occur
  5. 5. 5IBM Global Technology ServicesThe most frequently seen mobile device security threats are:● Loss and theft● Malware● Spam● Phishing● Bluetooth and Wi-FiLoss and theftSmall size and high portability make loss and theft top securityconcerns when a mobile device is used in the workplace.According to a mobile threat study by Juniper Networks,1 in 20 mobile devices was stolen or lost in 2010.2When devicesare lost or stolen, all of the data stored on or accessible from themobile device may be compromised if access to the device or thedata is not effectively controlled.While not foolproof, some techniques can help reduce the riskof data compromise, such as using a complex password to accessthe device or critical data, remotely locating the device on a mapusing global positioning services (GPS), remotely locking thedevice to render it useless, or remotely wiping data on thedevice. Some mobile platforms natively provide these tech-niques, and in the event they do not, basic platform capabilitiescan often be augmented by functionality available in third partymobile device management or mobile security solutions.MalwareMobile device malware—viruses, worms, Trojans, spyware—hasbeen on the rise over the past few years because most mobileplatforms do not yet have native mechanisms to detect malware.Virtually no mobile platform available today is immune tomalware. Although more established mobile platforms such asSymbian and Windows Mobile have been a proving ground formalware developers in the past few years, the Google Androidplatform is leading in new malware development, primarily dueto its popularity and open software distribution model. Themobile threat research report from Juniper Networks also statesthat malware on Android grew 400 percent from June 2010 toJanuary 2011.3Malware can cause a loss of personal or confidential data,additional service charges (for example, some malware can sendpremium Short Message Service (SMS) text messages or makephone calls in the background) and, even worse, make the deviceunusable. Although quickly removed, numerous malicious appli-cations recently found their way onto the Android marketplace.Some of these were legitimate applications that had been repack-aged with a Trojan designed to gain root access or additionalprivileges to users’ devices. Unsuspecting users may have hadmalicious code or additional malware installed in that singledownload from the applications store. Malware can then spreadquickly through a wired or wireless connection to another deviceor a company’s intranet.Companies can significantly reduce the malware risk by adoptinga similar approach to be used for both mobile devices as well asthe desktop and laptop environment. In addition to advisingemployees to only download and install trusted applications andtake appropriate actions when suspicious applications are identi-fied, a company should run antimalware software on eachemployee’s device to detect malware in real-time and scan theentire device periodically.
  6. 6. 6 Securing mobile devices in the business environmentSpamWith the growth of text messaging, spam—unsolicited commu-nication sent to a mobile device from a known or unknownphone number—is also on the rise. Spam is not only a big con-cern for mobile service providers because it wastes a significantamount of bandwidth, but it is also a growing security issue formobile device users. According to the recent Global System forMobile Communications Association (GSMA) pilot of theGSMA Spam Reporting Service (SRS), the majority of spamattacks are for financial gain, with 70 percent of reports of spambeing for fraudulent financial services rather than the traditionaladvertising scenarios found in email spam.4We feel that the most effective method to thwart spam is todefine a blacklist to block spam messages either by using thefunctions of an antispam solution or by turning on the antispamfeature on the device if it is available.Phishing“Phishing” is an email or an SMS text message (dubbed,“SMiShing”) sent to trick a user into accessing a fake website,sending a text message or making a phone call to reveal personalinformation (such as a Social Security number in the UnitedStates) or credentials that would allow the hacker access to finan-cial or business accounts. Phishing through mobile browsers ismore likely to succeed because the small screen size of mobiledevices does not allow for some protection features used on thePC, like web address bars or green warning lights.The most effective antiphishing approach helps a user recognizea fraudulent website when it is presented. Some financial institu-tions have deployed “site authentication” to confirm to users thatthey are communicating with a genuine website before theyenter account credentials from either a web browser or a mobileapplication. Two-factor authentication is also useful to thwartphishing: First, a user enters a static password, then asecond authentication factor, such as a one-time password or adevice fingerprint, is dynamically generated to further authenti-cate the user. So even if a user’s static password is stolen by ahacker using a phishing technique, the hacker cannot login tothe genuine site without the user’s second authentication factor.Bluetooth and Wi-FiBluetooth and Wi-Fi effectively increase the connectivity ofmobile devices within a certain range, but they can be easilyexploited to infect a mobile device with malware or compromisetransmitted data. A mobile device may be lured to accept aBluetooth connection request from a malicious device. In a“man-in-the-middle” attack, when mobile devices connect, thehacker can intercept and compromise all data sent to or from theconnected devices.Setting the device’s Bluetooth to an undiscoverable mode andturning off the device’s automatic Wi-Fi connection capability,especially in public areas, can help reduce risks. To completelyblock incoming connection requests from unknown devices, alocal firewall should be installed and run on the mobile device—another traditional security practice that can be extended to themobile environment.Establishing a mobile security strategyCreating a stringent strategy that defines guidelines and policieshelps lay the foundation for a more security-rich mobile envi-ronment. This strategy should focus on several key areas: Dataand resources accessible from mobile devices, platform support,management methodology and best practices.
  7. 7. 7IBM Global Technology ServicesInitially, your organization should identify which business data itwill allow to be stored and processed on which mobile devices.This helps determine what needs to be protected and to whatdegree. Many enterprises only permit employee email, contactand calendar information. Others allow access, through abrowser or native mobile application, to other business-criticalapplications such as enterprise resource systems (ERP) or cus-tomer relationship management (CRM). Different degrees ofaccess from mobile devices require varying levels of security con-trols. However, it should be noted when business data flowsfrom a more strictly controlled location (for example, a databaseor a file server) to a less protected device, the risk of losing thedata becomes greater.You may also need to determine which mobile device platformswill be allowed in the business environment and, thus, need tobe supported in the mobile security strategy and plan. Differentmobile platforms have different native security mechanisms thatneed to be outlined and understood, although applying a set ofsecurity controls to all supported platforms in a consistent man-ner is desirable.Another important decision is the responsibility for mobile secu-rity management work, whether using the current IT securityteam to handle mobile devices, or outsourcing to a managedsecurity service provider. Multiple security technologies mayneed to be employed to provide comprehensive security controlsfor mobile devices. As such, depending on how these securitysolutions are delivered (on-premise or from the cloud), acompany may choose to use a hybrid model for devicesecurity management.No matter what the mobile environment, a number of mobilesecurity policies and best-practice procedures need to be put inplace and should also be identified in the company’s mobile secu-rity strategic plan. Fortunately, many best practices that havebeen exercised for desktops and laptops can be duplicated formobile devices, such as:● Specification of roles and responsibilities in managing andsecuring the devices● Registration and inventory of mobile devices● Efficient installation and configuration of security applicationson devices● Automatic update of security patches, polices and settings● Reporting of security policy enforcement status● Employee education on securing mobile devicesApplying security controls based on aframeworkTaking a broad look across the IT and business environment,IBM has developed a well-defined framework thatspecifies security domains and levels for applying varioussecurity technologies.
  8. 8. 8 Securing mobile devices in the business environmentWhen applied to mobile devices, the framework suggests thefollowing security controls, with actual requirements varyingby deployment:● Identity and access● Data protection● Application security● Fundamental integrity control● Governance and complianceIdentity and access● Enforce strong passwords to access the device● Use site authentication or two-factor user authentication tohelp increase the trustworthiness between a user and a website● If virtual private network (VPN) access to corporate intranet isallowed, include capability to control what IP addresses can beaccessed and when re-authentication is required for accessingcritical resourcesData protection● Encrypt business data stored on the device andduring transmission● Include capability to wipe data locally and remotely● Set timeout to lock the device when it is not used● Periodically back up data on the device so data restore is possi-ble after the lost device has been recovered● Include capability to locate or lockout the device remotelyFigure 4: IBM Security Framework.IBM Security FrameworkCommon Policy, Event Handling and ReportingPEOPLE AND IDENTITYDATA AND INFORMATIONAPPLICATION AND PROCESSNETWORK, SERVER AND END POINTPHYSICAL INFRASTRUCTURESECURITY GOVERNANCE, RISK MANAGEMENTAND COMPLIANCEProfessionalservicesManagedservicesHardwareand software
  9. 9. 9IBM Global Technology ServicesApplication security● Download business applications from controlled locations● Run certified business applications only● Monitor installed applications and remove those identified tobe untrustworthy or maliciousFundamental integrity control● Run antimalware software to detect malware on storageand in memory● Run a personal firewall to filter inbound and outbound traffic● Integrate with the company’s VPN gateway so a device’s secu-rity posture becomes a dependency for intranet accessGovernance and compliance● Incorporate mobile security into the company’s overall riskmanagement program● Maintain logs of interactions between mobile devices and thecompany’s VPN gateway and data transmission to and fromservers within the intranet● Include mobile devices in the company’s periodic security auditChoosing the right solutionWhen choosing a mobile security solution, several factors needto be taken into consideration:● Solution architecture—The solution should be built on asound client-server architecture in which the server centrallycontrols and manages security policies and settings for varioussecurity features. The client should be installed on the mobiledevice and regularly communicate with the server to enforcepolicies, execute commands and report status.● Platform support—The solution should support a variety ofmobile device platforms with a consistent, easy-to-manageadministration console that is platform-agonistic to helpreduce security policies across different devices.● Feature expandability—Mobile device technology advancesvery rapidly and new mobile threats are evolving all the time.The solution must be flexible enough to accommodate futuretechnology changes and incorporate more advanced capabili-ties to counter new threats.● Usability—Features that are easy to use and require little userintervention can help drive acceptance by end users andincrease the effectiveness of security control.● Reporting and analysis—The solution needs to containreporting and analysis capabilities, with information that helpsthe company to support policy and regulation compliance, rec-ognize the mobile threat landscape and evaluate the solution’seffectiveness in countering threats.● Deployment and management—No matter how capable asecurity solution is, its value is greatly diminished if it cannotbe efficiently deployed or easily managed. The company needsto carefully assess the overall efforts required for initial roll-out and ongoing management of a solution.Another important decision in the solution choice is who will beresponsible for the overall mobile security implementation effortand subsequent ongoing management. Although it is possible tohave the current IT team responsible for desktop and laptopmanagement and security also handle mobile devices, resourceor skills constraints could prove challenging, particularly in aglobal, heterogeneous environment.
  10. 10. 10 Securing mobile devices in the business environmentOutsourcing is another option. Leveraging the industry- widemobile security expertise of a managed service provider can notonly free up in-house IT resources, but also inject policiesand procedures that can, down the road, build up internal skillswithout putting the enterprise at risk. In addition, an outsideprovider may have the ability to provide a range of deliveryoptions, from on-premise to in the cloud, or even a hybridsolution that may better fit the enterprise’s changing needs.IBM hosted mobile device securitysolution provides security from the cloudTo help organizations embrace both company- and employee-owned mobile devices in a security-rich environment,IBM Security Services offers a robust mobile device securitymanagement solution. The solution, built on a client-serverarchitecture, helps efficiently deliver mobile security servicesfrom the IBM Cloud to mobile devices on a variety of platforms.These services can help companies address the major mobilesecurity issues discussed in this paper with a single solution.By both leveraging existing mobile devices owned by branchesand employees in different groups or geographies, and avoidingthe purchase of additional hardware or software, companies canreduce capital and operational costs.IBM Security Services provides a wide set of managedservices, including:● Requirement assessment and policy design● Training and providing knowledge assets● Guidance for production roll-out● Monitoring, alerting and reporting● Policy maintenance and calibration● Threat intelligence sharingThe solution combines industry-leading mobile securitytechnologies with IBM’s deeper security knowledge andhighly skilled technical professionals around the world to helpreduce risks and better manage regulatory compliance. WithIBM Security Services, companies can benefit from improvedoperational, financial and strategic efficiencies across the enter-prise, and, most importantly, can enhance their overall securitypostures to increase their business competitiveness.For more informationTo learn more about IBM Managed Security Services (CloudComputing)—hosted mobile device security management, con-tact your IBM marketing representative, IBM Business Partner,or visit the following website:
  11. 11. Notes
  12. 12. Please Recycle© Copyright IBM Corporation 2011IBM Global ServicesRoute 100Somers, NY 10589U.S.A.Produced in the United States of AmericaOctober 2011All Rights ReservedIBM, the IBM logo, and are trademarks of International BusinessMachines Corporation in the United States, other countries or both. If theseand other IBM trademarked terms are marked on their first occurrence inthis information with a trademark symbol (® or ™), these symbols indicateU.S. registered or common law trademarks owned by IBM at the time thisinformation was published. Such trademarks may also be registered orcommon law trademarks in other countries. A current list of IBM trademarksis available on the web at “Copyright and trademark information” and Windows are trademarks of Microsoft Corporation in theUnited States, other countries, or both.Other company, product or service names may be trademarks or servicemarks of others.1IBM X-Force 2011 Mid-year Trend and Risk Report, September 20112Juniper Networks Malicious Mobile Threats Report 2010/2011, May 20113Juniper Networks Malicious Mobile Threats Report 2010/2011, May 20114GSMA Outlines Findings from Spam Reporting Service Pilot press release,February 10, 2011SEW03027-USEN-00