Securing end-user mobile devices in the enterprise

Author: Baldric Ramsey
IBM Global Technology Services Thought Leadership White Paper

Securing end-user mobile devices in the enterprise Develop an enforceable mobile security policy and practices for safer corporate data

April 2011


Executive summary

Mobile devices, including smartphones and tablets, enable increasing numbers of employees to work “anywhere, anytime.” The security of enterprise data is a key concern, particularly on mobile devices, which are easily lost or stolen. The risk is heightened further by the proliferation of employee-owned mobile devices in many enterprises. Employees will almost always take the path of least resistance when using mobile devices for business purposes, which can lead to unsafe computing practices. A clearly documented and enforceable mobile security policy is critical to reducing the risk of data loss. This white paper outlines the security risks of mobile devices accessing enterprise data and suggests approaches to mitigating them, including authentication, data encryption, malware and virus protection, and network security.

Managing various devices and platforms

In the past, organizations often standardized enterprise mobility on a single mobile platform such as BlackBerry® smartphones, which were provided to a select number of employees because of cost. Today increasing numbers of employees have their own mobile devices and want to use them for business purposes. The diversity of devices that employees bring to work adds complexity for the IT organization and puts corporate data at risk.

Many mobile devices and platforms are targeted at consumers and consequently lack enterprise-grade security. When considering mobile security, you will want to look at:

● Access control, which may include passcode locks
● Data protection, such as encryption
● Malware prevention

Controlling access

Because mobile devices are portable, they are easily lost or stolen. Requiring authentication, such as a passcode lock, makes it more difficult for unauthorized users to access the device. Unfortunately, most approaches also make it more difficult for the device owner, leading to user dissatisfaction, particularly when the devices are personally owned. Today there are few robust solutions available to adequately separate access to personal and work data, although this is likely to be an area of focus for a number of vendors in the space. In addition to standard numeric and alphanumeric passwords, other options include biometrics (such as fingerprint or voice recognition), smart cards, tokens or digital certificates. Two or more of these may be combined for multifactor authentication.


Preventing the loss of corporate data

In its sixth annual study, the Ponemon Institute found that the average organizational cost of a data breach increased to US$7.2 million, and that breaches cost companies an average of US$214 per compromised record, up from US$204 in 2009.1 The study is based on the actual data breach experiences of 51 U.S. companies from 15 industry sectors. Extrapolated worldwide, the annual cost to business of lost or stolen data is enormous, and it is likely to grow as mobile devices get smaller and, unfortunately, easier to leave on a taxi or restaurant seat.

And then there are deliberate attacks. The Ponemon Institute study identified malicious attacks as the root cause of 31 percent of the data breaches studied, up from 24 percent in 2009 and 12 percent in 2008.2

“Wiping,” or deleting all data from the mobile device after a certain number of invalid passcode attempts, limits a brute-force attack on the passcode to that number of guesses. In addition, a remote wipe initiated by an end user or administrator is a recommended practice when a device is lost or stolen; it only takes effect if the device can still reach the network, so it complements rather than replaces the local wipe. Encrypting the data on mobile devices provides an additional layer of protection. Hardware-based encryption, one of the most common methods, offers an advantage over software encryption because it is built into the device and may enhance performance. It only protects data on a lost device, however, if the encryption keys are bound to the user’s passcode; if the keys are available to anything that can boot the device, the encryption mainly makes a wipe fast (the key is destroyed) rather than keeping data from someone who holds the hardware.


Browser-based and virtualized applications provide alternatives to storing data on mobile devices. Little, if any, data is actually stored on the device; instead, data is requested and displayed as needed, reducing the exposure if the device is lost (browser caches and screenshots can still leave traces, so cache retention should be constrained). However, network access is required, so users cannot work when offline or disconnected, and performance may be lower, or response times longer, than with a native rich client accessing local data on the device.

Battling a new wave of viruses

Although the threat of malware on personal computers (PCs) is well established, the threat on mobile devices is just beginning to emerge as they grow in popularity. Users may unknowingly infect their devices by visiting a compromised website, receiving a short message service (SMS) text message, or simply by installing an application. Even applications from “pre-approved” application stores like the Apple App Store or Google Marketplace are not immune: it is virtually impossible for store owners to conduct in-depth code reviews of all applications. To address this threat, security suite software similar to what exists on PCs is gaining market acceptance. The software runs on the mobile device, scanning for malware and viruses, and is updated regularly as new threats arise.


Defining a security policy

Practically speaking, it is very difficult to prevent employees from using personal mobile devices for business purposes. IT professionals can get ahead of this trend by establishing policies and procedures for what content may be accessed on these devices, how it will be accessed and how the organization will handle lost or stolen devices that may contain business data. This way, employees can still be productive on the road, at home or at a customer site, and you reduce the risk that data will be lost to unauthorized access. Here is a sample mobile security policy, applicable to both enterprise- and employee-owned mobile devices, to help you get started:
● Eight-character alphanumeric mobile device password
  – Expiration every 90 days
  – Device lock after 15 minutes
  – Password prompt on device should pause for incremental time after each unsuccessful login to protect against brute-force login attempts
● Device wipe
  – Remote (by administrator) if device is lost or stolen
  – After 10 invalid password attempts to protect against brute-force login attempts
● Data-at-rest encryption for employees with high-value or sensitive access
  – Encryption key strength of at least 128 bits (AES)
  – Protection for associated encryption keys exchanged or stored in a manner not easily retrieved in readable form at rest on the file system or in transmission
  – Method to reflect the encryption status of a given device based on value, application of policy or other manner
● Bluetooth® configuration set so that it is not discoverable, and only connected with paired devices on all handheld devices supporting these features
● Requirement that remote access for data synchronization or to the corporate infrastructure must go through an approved remote access gateway and support the required security authentication
● Local synchronization using direct Universal Serial Bus (USB), infrared, Bluetooth, wireless local area network (WLAN), local area network (LAN) or wireless connections
● Antivirus program run on any device with access to the corporate network
● Firewall program run on the mobile device
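The passcode, lockout and wipe items of the sample policy above, as an added example that is not code from the original paper or from any vendor's device firmware: a small model of a handset's unlock logic that enforces the eight-character alphanumeric rule, the 90-day expiry, the incremental pause after each failed attempt and the wipe after ten failures, and then measures what a brute-force attacker at the prompt actually gets. The policy only says the pause should be "incremental"; the doubling schedule starting at 30 seconds is this example's assumption, as are the class and function names.

```python
import hashlib
import hmac
import os
import re

# Parameters taken from the sample policy.
PASSCODE_MIN_LENGTH = 8
PASSCODE_MAX_AGE_DAYS = 90
WIPE_AFTER_FAILED_ATTEMPTS = 10
# The policy only says "incremental"; doubling from 30 s is this example's assumption.
FIRST_DELAY_SECONDS = 30


def passcode_meets_policy(passcode: str) -> bool:
    """Eight or more characters, containing at least one letter and one digit."""
    return (
        len(passcode) >= PASSCODE_MIN_LENGTH
        and re.search(r"[A-Za-z]", passcode) is not None
        and re.search(r"[0-9]", passcode) is not None
    )


def passcode_expired(set_at_day: int, today: int) -> bool:
    """True once the passcode is older than the 90-day limit (days as integers)."""
    return today - set_at_day > PASSCODE_MAX_AGE_DAYS


def delay_after_failure(failed_attempts: int) -> int:
    """Seconds the prompt stays disabled after the n-th consecutive failure."""
    return FIRST_DELAY_SECONDS * 2 ** (failed_attempts - 1)


class Device:
    """Minimal model of a handset's unlock logic under the sample policy."""

    def __init__(self, passcode: str):
        if not passcode_meets_policy(passcode):
            raise ValueError("passcode does not meet policy")
        self.salt = os.urandom(16)
        self.verifier = self._derive(passcode)   # slow hash, never the passcode itself
        self.failed_attempts = 0
        self.locked_until = 0                    # virtual clock, in seconds
        self.wiped = False

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def attempt_unlock(self, passcode: str, now: int) -> str:
        """Returns 'unlocked', 'denied', 'throttled' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "throttled"                   # prompt paused; guess is not even checked
        if hmac.compare_digest(self._derive(passcode), self.verifier):
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= WIPE_AFTER_FAILED_ATTEMPTS:
            self._wipe()
            return "wiped"
        self.locked_until = now + delay_after_failure(self.failed_attempts)
        return "denied"

    def _wipe(self) -> None:
        # Local wipe: destroy the verifier so no further guess can ever succeed.
        self.verifier = b""
        self.wiped = True


def brute_force(device: Device, guesses) -> tuple:
    """Feed guesses as fast as the lockout allows; return (outcomes, seconds elapsed)."""
    now, outcomes = 0, []
    for guess in guesses:
        now = max(now, device.locked_until)
        outcomes.append(device.attempt_unlock(guess, now))
        if outcomes[-1] in ("unlocked", "wiped"):
            break
    return outcomes, now


if __name__ == "__main__":
    d = Device("Winter2011")
    results, elapsed = brute_force(d, (f"guess{i:05d}" for i in range(100)))
    print(results, f"{elapsed / 3600:.1f} hours until wipe")
```

With these parameters an attacker typing guesses at the prompt gets ten tries in about 4.3 hours before the device wipes itself, whatever the passcode is; the pause and the wipe together, not the eight-character rule alone, are what bound an online guessing attack. They do nothing against someone who extracts the storage and guesses offline, which is what the encryption and key-protection items of the policy are for.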

Putting it all together: implementing a security policy

Once you have defined a policy, mobile technology solutions can help you implement it. A mobile device management (MDM) solution will likely serve as the cornerstone. Although major messaging platforms like IBM Lotus® Domino® or Microsoft® Exchange have basic device management capabilities, dedicated MDM solutions typically deliver a more comprehensive approach. These may include self-service functions like onboarding, remote wipe or online help, and the ability to manage mobile applications or track voice and data plans to reduce cost and improve management. In addition, some MDM solutions can help separate work and personal data and eliminate the need for an “all-access” device password lock. They may also provide remote wipe of just the enterprise data if the employee leaves the company, keeping personal data intact.

Mobile security suite software may also protect devices from malware and viruses. When combined with MDM, the device’s security posture can be ascertained before it connects to the network. If the device fails the security check, the user can be notified and the device separated from others to reduce the risk to the enterprise network.

Working with an experienced partner

IBM Mobile Enterprise Services provides an integrated suite of capabilities to help you align your collaboration, social networking and communications strategies with your key mobile requirements, business goals and initiatives. Our comprehensive life cycle portfolio can help you plan, manage, support and deliver enhanced service quality to mobile device users and includes the following:

● Support for RIM® BlackBerry® smartphones and PlayBook™ tablet
● Support for Apple iPhone and iPad, Google Android, Windows® Mobile and Windows Phone 7, Symbian and HP webOS
● Mobile device management
● Telecom expense management
● Virtual private network and other network services
● Security assessment, implementation and monitoring
● Employee self-assist and service desk services
● Enterprise mobile application store and application delivery and management
● Cloud-based messaging, collaboration and social media mobile services
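The pre-connection posture check described under “Putting it all together” above, as an added example that is not part of the original paper and not any vendor's MDM product: a policy-as-code evaluator that applies the sample policy's device checks to constructed inventory records of the kind an MDM agent reports, and decides whether each device is admitted to the corporate network or separated from it. The record field names, the inventory entries and the decision labels are this example's own assumptions; the point it adds is that a device whose posture cannot be read at all is treated as failing, not as passing.

```python
# Fields an MDM agent is assumed (for this example) to report for each device.
REQUIRED_FIELDS = (
    "passcode_set", "passcode_length", "encryption_enabled",
    "antivirus_running", "firewall_running", "bluetooth_discoverable",
    "sensitive_access",
)
MIN_PASSCODE_LENGTH = 8

# Constructed inventory records for the example; not real devices.
INVENTORY = [
    {"id": "corp-tablet-01", "passcode_set": True, "passcode_length": 8,
     "encryption_enabled": True, "antivirus_running": True, "firewall_running": True,
     "bluetooth_discoverable": False, "sensitive_access": True},
    {"id": "byod-phone-07", "passcode_set": True, "passcode_length": 4,
     "encryption_enabled": False, "antivirus_running": True, "firewall_running": True,
     "bluetooth_discoverable": True, "sensitive_access": False},
    # Agent never reported the encryption status of this one.
    {"id": "byod-phone-12", "passcode_set": True, "passcode_length": 10,
     "antivirus_running": True, "firewall_running": True,
     "bluetooth_discoverable": False, "sensitive_access": True},
]


def evaluate(record: dict) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        # Fail closed: a device whose posture cannot be ascertained is not admitted.
        return [f"posture unknown: {f} not reported" for f in missing]
    reasons = []
    if not record["passcode_set"] or record["passcode_length"] < MIN_PASSCODE_LENGTH:
        reasons.append("passcode missing or shorter than eight characters")
    if record["sensitive_access"] and not record["encryption_enabled"]:
        reasons.append("data-at-rest encryption required for sensitive access but not enabled")
    if not record["antivirus_running"]:
        reasons.append("antivirus not running")
    if not record["firewall_running"]:
        reasons.append("firewall not running")
    if record["bluetooth_discoverable"]:
        reasons.append("Bluetooth is discoverable")
    return reasons


def admission_decision(record: dict) -> str:
    """'allow' onto the corporate network, or 'quarantine' on a restricted segment."""
    return "allow" if not evaluate(record) else "quarantine"


def triage(inventory) -> dict:
    """Map device id -> (decision, reasons) for a whole inventory."""
    return {r["id"]: (admission_decision(r), evaluate(r)) for r in inventory}


if __name__ == "__main__":
    for device_id, (decision, reasons) in triage(INVENTORY).items():
        print(device_id, decision, "; ".join(reasons) or "compliant")
```

The reasons list is what the user notification in the paper's description would carry, and what a help desk needs to get the device back into compliance; the decision alone is what the network gateway needs.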

As your mobile enterprise continues to expand and devices grow more robust, your security risks increase. But with careful preparation, you can leverage the latest tools and expertise to help protect your highly valuable assets.

For more information

To learn more about security and IBM Mobile Enterprise Services, please contact your IBM marketing representative or visit the following website: ibm.com/services/enduser

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing

© Copyright IBM Corporation 2011
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
April 2011
All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

BlackBerry®, RIM®, Research In Motion® and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Used under license from Research In Motion Limited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. iPhone, iPad and iPod Touch are trademarks of Apple Inc., registered in the U.S. and other countries. Other company, product or service names may be trademarks or service marks of others.

1, 2 “2010 Annual Study: U.S. Cost of a Data Breach,” Ponemon Institute, LLC, March 8, 2011.


AZW03001-USEN-00