Securing Mobile Access in the Age of “Consumerized” IT
As budgets are cut or frozen in today’s stagnant economy, the IT department is under increasing pressure to reduce office costs and effect efficiencies by enabling staff to work away from their desks.
Traditionally, making workers mobile required a dedicated business laptop or smartphone, along with a dongle, token or smartcard – all of which can cost $2,000 per user or more. This has always been a necessary expense for the field marketers, the sales reps and the other “road warriors” within an organisation, but it is hardly justifiable to spend this on every employee.
But times are changing, along with attitudes to technology. Most professionals today are used to having enormous computing power in their pockets or briefcases. Consumer devices such as smartphones and tablets are now so powerful and capable that they can replicate most of the everyday functionalities of laptops and desktop computers, and they can even outperform them.
As they become increasingly powerful, consumer devices are creeping into the workplace. This use of personal devices for work has been dubbed the “consumerization of IT.” In other words, as consumer gadgets become ever more sophisticated, the boundaries between a “work” and a “play” device become increasingly blurred. The fact that we spend more time with, and are consequently more attached to, our personal devices naturally drives this trend.
So why are IT departments – so many of which are under pressure to cut costs and boost efficiency and employee mobility – reluctant to sanction the use of personal smartphones and tablets for mobile access?
The main reason – and often the only one – for preventing universal access on personal devices is the lack of security safeguards currently in place on most mobiles. No sane IT manager would allow staff to log on to corporate networks and download sensitive, confidential data without robust security systems in place.
But the consumerisation of mobile IT has happened so quickly that enterprise-grade security doesn’t feature at all on today’s devices. Take the iPad, for example. This device, revolutionary and marvellous as it is, doesn’t support virtual private networking (VPN). That means anyone who wishes to connect to corporate networks and access content using an iPad – or, for that matter, almost any mobile device – must make a direct connection with the network.
This is a security and compliance officer’s worst nightmare. Not only must they manage every mobile device trying to access the network and ensure that permissions are granted to breach the firewall, but each device is also a potentially huge security threat.
Who knows whether every smartphone has strong anti-virus protection, or if it is infected with password-stealing Trojans? Who can be sure that all employees are strictly following company security policies: for example, not downloading or storing content on their devices? Who can tell if staff mobiles are caching login details, handing network access to anyone who steals or finds a device?
Therefore the IT manager is much more likely to see mobile access as a liability, with each device an open sore in the protective skin of the firewall, through which all sorts of infections can be introduced into the network; or as individual pores through which sensitive business data can leak.
It’s not impossible to achieve a mobile workforce without sacrificing security; in fact, it’s remarkably easy as long as certain conditions are met. First, it’s vital that the workforce all uses a common, secure standard for mobile access, for ease of understanding and of administration. Naturally, data traffic should be encrypted, while user details must not be cached on the device – nor should documents or other content pulled from the corporate network be cached. Finally, there should be no direct connection between the host server and the device that connects to it: this protects the corporate network from unauthorised access, attacks or malware from mobiles.
In the last few months there has been a range of announcements that can help the IT department. BlackBerry 10 has “Balance,” enabling users to distinguish and separate out their work and personal lives. Samsung has also announced a similar technology, “Knox,” which also allows the separation of a user’s work and personal smartphone experience. These technologies work well, but they need the user or the IT department to change their smartphones, with the added costs that this involves.
With other technologies and services coming along all of the time, I believe that the IT department needs to start embracing and utilizing what is there and where they can best use it to address security concerns, but not changing the underlying way that the application or hardware device interacts with the user. What Dropbox, Samsung and others have proven to us over the past 24 months is that the user wants things to be simple, hidden, functional and above all uncluttered. Until they start doing that, they are really going to be stuck in the past with big expensive services running applications that the user will try to work around and applications that nobody really wants, which will cause security breaches, malware attacks and user frustration, all of which increases the cost center of the department.