Over the last decade BlackBerrys, mobile phones, laptops, PDAs and a variety of other devices have become intrinsic to both our working and personal lives. It is impossible to imagine a life without them. Consumers and businesses alike have seen the advantages of real-time communication and have embraced the technology that allows them to do more whilst on the move.
The desire to cultivate a mobile workforce has appealed to many businesses due to the increased productivity and flexibility it brings to an environment where watching the bottom line has become an integral element of every strategic roadmap. According to a survey from the Economist Intelligence Unit last year, three quarters of 1,500 people polled around the world said that mobile devices were very important to the success of their job, helping to increase their efficiency and reduce response time.
However, this increase in the take-up of mobile devices, and the encouragement by businesses for employees to communicate anytime and anywhere, also has far-reaching implications for security. Once a device is beyond the corporate firewall, how do you manage it? How do you protect it? And whose responsibility is it anyway?
The time it takes for malicious attacks to appear is becoming ever shorter with each new device invention. It took ten years for security issues to hit the desktop. This was shortened to three years for the notebook. Now, within a year of a new handheld device appearing, a virus has been invented to hit it. In short, the wave of attacks is increasing in volume and frequency and existing defences are not sufficient to tackle the problem.
Until recently, the number of electronic connections into an organisation was quite limited, and it was enough to deploy perimeter defences such as firewalls to prevent would-be intruders from accessing the corporate network. But with today's highly mobile workforce, there are now many alternate connection points into the internal network. Laptops are frequently removed from the office environment and attached to the Internet and other public and private networks, where they risk attracting malware. With the new thumb drives and memory sticks for USB ports, any number of Trojans, viruses, key-loggers, dialers and other spyware can be inadvertently or maliciously introduced into a business network.
All of these risks are making IT organisations realise that the notion of the perimeter needs to be redefined. To be effective, enterprise security must now protect the individual computing devices outside of the business environment. It's not enough to just write an IT policy and hope that employees observe the fact that they are obliged to update their software and get the latest virus patches downloaded onto their laptops. Each individual device needs to benefit from network security features such as vulnerability detection, spyware detection and removal, network access control and application blocking.
In order to make this possible, it's necessary to take the problem one step further back. To secure every laptop, PDA and Blackberry, you need to know how many you have, who's got them and what policies you need to protect them. Regular inventory control is vital to support any security policy. So is auto discovery of malicious software, standardisation of platforms and loads, regular threat analysis, as well as patch management for rectifying things when malicious software has been able to gain access to the network.
In addition, firewall collapse to specific devices deemed a security threat should ensure that no mobile device can access the contents of the network until it is clean and safe. The question is, how is it possible to address all of these things across every single mobile device?
Up until now this has been a difficult question to answer. Perfect device-level security is, at the current time, impossible. The ultimate goal is to develop a security policy for every single data file, to ensure that the information is protected, regardless of which device it is on, so that data can be locked in the same way that computing environments can be locked. However, that day is not yet here, so in the meantime, everything possible must be done to ensure that devices are automatically protected. The key to doing this is combining systems management with security to enable organisations to take active control of device-level configuration security, control device access and establish automated policies to maintain a secure computing environment. One should not and cannot exist without the other.
Herein lies an opportunity for IT managers to seize the security problem by the scruff of the neck and tackle it head on. The mobile security issue is on a large enough scale, with sufficiently far-reaching consequences, to be addressed, and soon. The technology is there for a single, automated console to support the IT department in the management of these devices. The threat is there and growing. The only thing that is not there is an excuse not to act.
There is one final point to be observed: device manufacturers themselves have a responsibility to tackle the growing security threat on mobile devices. Before long, built-in security on your Blackberry or your mobile will become a purchase criterion. The onus is therefore on the manufacturers to recognise and address the problem to make the life of the IT manager easier and the job of the hackers harder.
The security nightmare is that cyber terrorists will strengthen their reign. The security opportunity is that the mobile issue will force organisations to take a long, hard look at their ability to protect their organisation as a whole, from the salesman with the PDA to the financial director at his desktop. Only by recognising and embracing the fact that mobile security cannot be separated from the wider systems management issue will internal and external threats stand a proper chance of being thwarted before they actually cause any damage.
LANDesk Software are exhibiting at Infosecurity Europe 2005, which is Europe's number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th to 28th April 2005 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk