IBM Global Technology Services October 2011Thought Leadership White PaperSecuring mobile devices inthe business environmentBy I-Lung Kao, Global Strategist, IBM Security Services
2 Securing mobile devices in the business environmentAs the world becomes more interconnected, integrated and ● Improved client services—Sales or support employees whointelligent, mobile devices are playing an ever-increasing role in regularly interface with customers may respond more effi-changing the way people live, work and communicate. But it is ciently, directly increasing customer satisfaction.not just happening in personal life: Smartphones and tablets are ● Reduced IT cost—By allowing employees to use, and oftenalso being rapidly adopted by enterprises as new work tools, pay for, their own mobile devices and wireless services, compa-joining existing laptops and desktops. The use of mobile devices nies potentially save IT spending on device purchases as wellfor business has experienced an explosive growth in the past few as management and communication services.years and will only accelerate in the near future. There are some cautions, however. Companies need to fully rec-And while the BlackBerry® has been the de facto mobile device ognize that when employees connect mobile devices to thefor business for many years, the availability of other smartphones enterprise and merge both business and personal data, thoseand tablets with broader consumer appeal, such as iPhone® and mobile devices must be treated just like any other IT equipment,Android™ devices, is fundamentally changing the game. with appropriate security controls. If security is not addressed atEmployees are now bringing their own mobile devices to the the outset, these mobile devices may become a point of securityworkplace and asking companies to support them. These new weakness that threatens to disclose business information ordevices offer improved hardware performance, a more robust become a new channel to introduce security threats to the com-platform feature set and increased communication bandwidth, pany’s IT infrastructure and business resources. Many IT depart-expanding their capabilities beyond voice and email. As a result, ments are ﬁnding signiﬁcant challenges in securing mobilehowever, this increased access to enterprise systems can also devices, for a variety of reasons:bring an increased security risk to the organization. ● A range of mobile device platforms, such as BlackBerry,This paper explores how companies can more safely introduce Symbian®, IOS®, Android and Windows Mobile, needs to beemployee- or corporate-owned mobile devices into the work- supported, and each platform brings with it a unique securityplace, identify the risks inherent in their broader access to corpo- model. Other than the BlackBerry platform, most startedrate data, and derive enhanced business value. as consumer platforms and lack enterprise-strength security controls.Mobility brings both advantages and risks ● Business and personal data now coexist on the same device.to the enterprise Finding a balance between strict security control and privacyAs employees bring mobile devices into the workplace, many of personal data, particularly when the device is no longer aorganizations are motivated to encourage their use for business corporate-issued asset, can be challenging.purposes, because they tend to drive: ● Unauthorized or non-business oriented applications have the potential to spread malware that affects the integrity of the● Increased employee productivity—Mobile devices can give device and the business data residing upon it. employees access to corporate resources and enable continu- ● Mobile devices are prone to loss and theft, due to their small- ous collaboration with colleagues or business partners. size and high-portability. Whenever a device is lost, corporate data is at risk both on the mobile device and within the corpo- rate network.
IBM Global Technology Services 3● Many mobile devices are always on and connected, so vulnera- bility to malicious attacks increases through different commu- Mobile operating system exploits 2006-2011 (Projected) nication channels. 40● Mobile technology is advancing quickly and becoming increas- 35 ingly complex. Many companies do not have enough resources 30 or skills in house to fully embrace mobile technology in 25 the workplace. 20Security threats to mobile devices 15The security of mobile devices has become a top concern for 10many IT executives. Hackers are discovering the beneﬁts of 5compromising both business and personal data contained withinmobile devices. Because many mobile platforms are not natively 0 2006 2007 2008 2009 2010 2011designed to provide comprehensive security, hackers have a Mobile OS exploitsstrong incentive to develop new techniques or create mobile-centric malware speciﬁcally for these devices. In a recentIBM X-Force® security research report, mobile operating sys- Figure 2: Mobile operating system exploits.tem vulnerabilities have increased signiﬁcantly (see Figure 1) andexploits of vulnerabilities are also on the rise (see Figure 2).1 The latest smartphones are designed to provide broad Internet and network connectivity through varying channels, such as 3G Total mobile operating system vulnerabilitiees or 4G, Wi-Fi, Bluetooth or a wired connection to a PC. Security 2006-2011 (Projected) threats may occur in different places along these varying paths 200 where data can be transmitted (see Figure 3). When a device 180 downloads a new mobile application from any online application 160 store, the software may contain malware that can steal or dam- 140 120 age data on the device and, in some cases, even disable the 100 mobile device itself. Most mobile devices now have Internet 80 connections, so common web-based threats that have attacked 60 laptops or desktops may also apply to mobile devices. A device 40 connected through Wi-Fi or Bluetooth is at greater risk 20 because the Wi-Fi source or the other Bluetooth-enabled 0 2006 2007 2008 2009 2010 2011 device may have been compromised and can play a role in a “man-in-the-middle” attack (when a hacker conﬁgures a laptop, Mobile OS vulnerabilites server or mobile device to listen in on or modify legitimate communications) or other attack type.Figure 1: Total mobile operating system vulnerabilities.
4 Securing mobile devices in the business environment Wi-Fi device App store Internet Mobile Telco service Web site device provider Mobile Corporate Corporate device VPN Gateway intranet (Bluetooth enabled) Mobile device A threat can occurFigure 3: Flow of data transmission.Because of the variety of communication mechanisms available No matter what the threats are, the targets that hackers try toand increasing use of business applications on mobile devices, access and exploit typically consist of one or several of thethe security threats to mobile devices have evolved to all the following:threats applicable to desktops or laptops, plus new threats thatare truly unique to mobile devices. Therefore, mobile devices ● Credentials to access business or personal accountsneed to be protected with an even broader set of security tech- ● Conﬁdential business or personal informationniques than those employed for traditional desktop or laptop ● Phone or data communication servicesoperating environments. ● The mobile device itself
IBM Global Technology Services 5The most frequently seen mobile device security threats are: malware developers in the past few years, the Google Android platform is leading in new malware development, primarily due● Loss and theft to its popularity and open software distribution model. The● Malware mobile threat research report from Juniper Networks also states● Spam that malware on Android grew 400 percent from June 2010 to● Phishing January 2011.3● Bluetooth and Wi-Fi Malware can cause a loss of personal or conﬁdential data,Loss and theft additional service charges (for example, some malware can sendSmall size and high portability make loss and theft top security premium Short Message Service (SMS) text messages or makeconcerns when a mobile device is used in the workplace. phone calls in the background) and, even worse, make the deviceAccording to a mobile threat study by Juniper Networks, unusable. Although quickly removed, numerous malicious appli-1 in 20 mobile devices was stolen or lost in 2010.2 When devices cations recently found their way onto the Android marketplace.are lost or stolen, all of the data stored on or accessible from the Some of these were legitimate applications that had been repack-mobile device may be compromised if access to the device or the aged with a Trojan designed to gain root access or additionaldata is not effectively controlled. privileges to users’ devices. Unsuspecting users may have had malicious code or additional malware installed in that singleWhile not foolproof, some techniques can help reduce the risk download from the applications store. Malware can then spreadof data compromise, such as using a complex password to access quickly through a wired or wireless connection to another devicethe device or critical data, remotely locating the device on a map or a company’s intranet.using global positioning services (GPS), remotely locking thedevice to render it useless, or remotely wiping data on the Companies can signiﬁcantly reduce the malware risk by adoptingdevice. Some mobile platforms natively provide these tech- a similar approach to be used for both mobile devices as well asniques, and in the event they do not, basic platform capabilities the desktop and laptop environment. In addition to advisingcan often be augmented by functionality available in third party employees to only download and install trusted applications andmobile device management or mobile security solutions. take appropriate actions when suspicious applications are identi- ﬁed, a company should run antimalware software on eachMalware employee’s device to detect malware in real-time and scan theMobile device malware—viruses, worms, Trojans, spyware—has entire device periodically.been on the rise over the past few years because most mobileplatforms do not yet have native mechanisms to detect malware.Virtually no mobile platform available today is immune tomalware. Although more established mobile platforms such asSymbian and Windows Mobile have been a proving ground for
6 Securing mobile devices in the business environmentSpam application. Two-factor authentication is also useful to thwartWith the growth of text messaging, spam—unsolicited commu- phishing: First, a user enters a static password, then anication sent to a mobile device from a known or unknown second authentication factor, such as a one-time password or aphone number—is also on the rise. Spam is not only a big con- device ﬁngerprint, is dynamically generated to further authenti-cern for mobile service providers because it wastes a signiﬁcant cate the user. So even if a user’s static password is stolen by aamount of bandwidth, but it is also a growing security issue for hacker using a phishing technique, the hacker cannot login tomobile device users. According to the recent Global System for the genuine site without the user’s second authentication factor.Mobile Communications Association (GSMA) pilot of theGSMA Spam Reporting Service (SRS), the majority of spam Bluetooth and Wi-Fiattacks are for ﬁnancial gain, with 70 percent of reports of spam Bluetooth and Wi-Fi effectively increase the connectivity ofbeing for fraudulent ﬁnancial services rather than the traditional mobile devices within a certain range, but they can be easilyadvertising scenarios found in email spam.4 exploited to infect a mobile device with malware or compromise transmitted data. A mobile device may be lured to accept aWe feel that the most effective method to thwart spam is to Bluetooth connection request from a malicious device. In adeﬁne a blacklist to block spam messages either by using the “man-in-the-middle” attack, when mobile devices connect, thefunctions of an antispam solution or by turning on the antispam hacker can intercept and compromise all data sent to or from thefeature on the device if it is available. connected devices.Phishing Setting the device’s Bluetooth to an undiscoverable mode and“Phishing” is an email or an SMS text message (dubbed, turning off the device’s automatic Wi-Fi connection capability,“SMiShing”) sent to trick a user into accessing a fake website, especially in public areas, can help reduce risks. To completelysending a text message or making a phone call to reveal personal block incoming connection requests from unknown devices, ainformation (such as a Social Security number in the United local ﬁrewall should be installed and run on the mobile device—States) or credentials that would allow the hacker access to ﬁnan- another traditional security practice that can be extended to thecial or business accounts. Phishing through mobile browsers is mobile environment.more likely to succeed because the small screen size of mobiledevices does not allow for some protection features used on the Establishing a mobile security strategyPC, like web address bars or green warning lights. Creating a stringent strategy that deﬁnes guidelines and policies helps lay the foundation for a more security-rich mobile envi-The most effective antiphishing approach helps a user recognize ronment. This strategy should focus on several key areas: Dataa fraudulent website when it is presented. Some ﬁnancial institu- and resources accessible from mobile devices, platform support,tions have deployed “site authentication” to conﬁrm to users that management methodology and best practices.they are communicating with a genuine website before theyenter account credentials from either a web browser or a mobile
IBM Global Technology Services 7Initially, your organization should identify which business data it need to be employed to provide comprehensive security controlswill allow to be stored and processed on which mobile devices. for mobile devices. As such, depending on how these securityThis helps determine what needs to be protected and to what solutions are delivered (on-premise or from the cloud), adegree. Many enterprises only permit employee email, contact company may choose to use a hybrid model for deviceand calendar information. Others allow access, through a security management.browser or native mobile application, to other business-criticalapplications such as enterprise resource systems (ERP) or cus- No matter what the mobile environment, a number of mobiletomer relationship management (CRM). Different degrees of security policies and best-practice procedures need to be put inaccess from mobile devices require varying levels of security con- place and should also be identiﬁed in the company’s mobile secu-trols. However, it should be noted when business data ﬂows rity strategic plan. Fortunately, many best practices that havefrom a more strictly controlled location (for example, a database been exercised for desktops and laptops can be duplicated foror a ﬁle server) to a less protected device, the risk of losing the mobile devices, such as:data becomes greater. ● Speciﬁcation of roles and responsibilities in managing andYou may also need to determine which mobile device platforms securing the deviceswill be allowed in the business environment and, thus, need to ● Registration and inventory of mobile devicesbe supported in the mobile security strategy and plan. Different ● Efficient installation and conﬁguration of security applicationsmobile platforms have different native security mechanisms that on devicesneed to be outlined and understood, although applying a set of ● Automatic update of security patches, polices and settingssecurity controls to all supported platforms in a consistent man- ● Reporting of security policy enforcement statusner is desirable. ● Employee education on securing mobile devicesAnother important decision is the responsibility for mobile secu- Applying security controls based on arity management work, whether using the current IT security frameworkteam to handle mobile devices, or outsourcing to a managed Taking a broad look across the IT and business environment,security service provider. Multiple security technologies may IBM has developed a well-deﬁned framework that speciﬁes security domains and levels for applying various security technologies.
8 Securing mobile devices in the business environment When applied to mobile devices, the framework suggests the following security controls, with actual requirements varying by deployment: IBM Security Framework ● Identity and access SECURITY GOVERNANCE, RISK MANAGEMENT ● Data protection AND COMPLIANCE ● Application security ● Fundamental integrity control PEOPLE AND IDENTITY ● Governance and compliance Identity and access DATA AND INFORMATION ● Enforce strong passwords to access the device ● Use site authentication or two-factor user authentication to APPLICATION AND PROCESS help increase the trustworthiness between a user and a website ● If virtual private network (VPN) access to corporate intranet is allowed, include capability to control what IP addresses can be NETWORK, SERVER AND END POINT accessed and when re-authentication is required for accessing critical resources PHYSICAL INFRASTRUCTURE Data protection ● Encrypt business data stored on the device and during transmission Common Policy, Event Handling and Reporting ● Include capability to wipe data locally and remotely Professional Managed Hardware ● Set timeout to lock the device when it is not used services services and software ● Periodically back up data on the device so data restore is possi- ble after the lost device has been recovered ● Include capability to locate or lockout the device remotelyFigure 4: IBM Security Framework.
IBM Global Technology Services 9Application security ● Platform support—The solution should support a variety of● Download business applications from controlled locations mobile device platforms with a consistent, easy-to-manage● Run certiﬁed business applications only administration console that is platform-agonistic to help● Monitor installed applications and remove those identiﬁed to reduce security policies across different devices. be untrustworthy or malicious ● Feature expandability—Mobile device technology advances very rapidly and new mobile threats are evolving all the time.Fundamental integrity control The solution must be ﬂexible enough to accommodate future● Run antimalware software to detect malware on storage technology changes and incorporate more advanced capabili- and in memory ties to counter new threats.● Run a personal ﬁrewall to ﬁlter inbound and outbound traffic ● Usability—Features that are easy to use and require little user● Integrate with the company’s VPN gateway so a device’s secu- intervention can help drive acceptance by end users and rity posture becomes a dependency for intranet access increase the effectiveness of security control. ● Reporting and analysis—The solution needs to containGovernance and compliance reporting and analysis capabilities, with information that helps● Incorporate mobile security into the company’s overall risk the company to support policy and regulation compliance, rec- management program ognize the mobile threat landscape and evaluate the solution’s● Maintain logs of interactions between mobile devices and the effectiveness in countering threats. company’s VPN gateway and data transmission to and from ● Deployment and management—No matter how capable a servers within the intranet security solution is, its value is greatly diminished if it cannot● Include mobile devices in the company’s periodic security audit be efficiently deployed or easily managed. The company needs to carefully assess the overall efforts required for initial roll-Choosing the right solution out and ongoing management of a solution.When choosing a mobile security solution, several factors needto be taken into consideration: Another important decision in the solution choice is who will be responsible for the overall mobile security implementation effort● Solution architecture—The solution should be built on a and subsequent ongoing management. Although it is possible to sound client-server architecture in which the server centrally have the current IT team responsible for desktop and laptop controls and manages security policies and settings for various management and security also handle mobile devices, resource security features. The client should be installed on the mobile or skills constraints could prove challenging, particularly in a device and regularly communicate with the server to enforce global, heterogeneous environment. policies, execute commands and report status.
10 Securing mobile devices in the business environmentOutsourcing is another option. Leveraging the industry- wide IBM Security Services provides a wide set of managedmobile security expertise of a managed service provider can not services, including:only free up in-house IT resources, but also inject policiesand procedures that can, down the road, build up internal skills ● Requirement assessment and policy designwithout putting the enterprise at risk. In addition, an outside ● Training and providing knowledge assetsprovider may have the ability to provide a range of delivery ● Guidance for production roll-outoptions, from on-premise to in the cloud, or even a hybrid ● Monitoring, alerting and reportingsolution that may better ﬁt the enterprise’s changing needs. ● Policy maintenance and calibration ● Threat intelligence sharingIBM hosted mobile device securitysolution provides security from the cloud The solution combines industry-leading mobile securityTo help organizations embrace both company- and employee- technologies with IBM’s deeper security knowledge andowned mobile devices in a security-rich environment, highly skilled technical professionals around the world to helpIBM Security Services offers a robust mobile device security reduce risks and better manage regulatory compliance. Withmanagement solution. The solution, built on a client-server IBM Security Services, companies can beneﬁt from improvedarchitecture, helps efficiently deliver mobile security services operational, ﬁnancial and strategic efficiencies across the enter-from the IBM Cloud to mobile devices on a variety of platforms. prise, and, most importantly, can enhance their overall security postures to increase their business competitiveness.These services can help companies address the major mobilesecurity issues discussed in this paper with a single solution. For more informationBy both leveraging existing mobile devices owned by branches To learn more about IBM Managed Security Services (Cloudand employees in different groups or geographies, and avoiding Computing)—hosted mobile device security management, con-the purchase of additional hardware or software, companies can tact your IBM marketing representative, IBM Business Partner,reduce capital and operational costs. or visit the following website: ibm.com/services