Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Insecurity On The Go

Thanks to laptops, smartphones, iPads, and other new mobile devices, our enterprises now extend to the local coffee shop, hotels and even cars on the interstate and commuter trains. Organizations let users purchase their own devices and connect them to the enterprise in the name of productivity, but this policy also introduces risks. And IT shops know it. According to a recent InformationWeek Analytics survey on mobile device management (MDM), the number of respondents citing security as the primary reason for deploying MDM jumped by 40 percent between 2008 and 2010. It's up to IT organizations to make sure mobile devices are properly secured. With a little work, you can mitigate the risks  these devices introduce.

Employee-owned mobile devices are harder to deal with than those issued by the enterprise. For one, IT has to work with multiple platforms, including Blackberry, Apple, Windows Mobile and Google Android. For another, these devices are the property of the employee, not the organization, which can limit IT's ability to manage, disable or seize the devices. These devices introduce two main risks: enterprise access, and data on the device. The former is a bit easier to handle, so we'll discuss it first.

To retrieve e-mail, smartphones connect to the enterprise mail servers or, in the case of Blackberry, to the RIM network. This connection could expose credentials if not properly secured.  Ensure connections to the mail server are encrypted to prevent snooping of the username and passwords. You can go one step further and require a client-side certificate for authentication. Not only does this add a layer of authentication, it lets you control which phones are allowed to access the mail server. Some companies use this feature to stop phones that don't have enterprise support features from entering their environment.

The iPhone and other smartphones now support VPNs. While this is a positive step because it protects data in transit, it also opens a channel for malware on the phone to potentially infect the enterprise. Fortunately, malware and attacks designed to compromise and control smartphones are not prevalent--at least not yet. Mobile attacks are on the rise and malware is in the wild, but we have a chance to tighten security now before the situation gets worse. Scan incoming smartphone traffic for malware and viruses. You should be doing this for all PC and laptop-based VPN connections anyway, so there's no reason to treat smartphones differently.

The second major risk revolves around data on these devices. Business users are downloading e-mail, documents and other files, some of which might contain sensitive information. Once data is on the device, it can never fully be controlled. A rogue employee can do just as much--or even more--damage as an external attacker. If IT provisions smartphones for employees, ensure your MDM platform can support screen locks, encryption and remote wipe capabilities. However, remote wipe may be a trickier issue with employees' personal smartphones. You'll have to work with your legal and HR departments regarding what you can--and can't--do to a phone your company doesn't own.