IBM: Mobile phone, cloud security issues can impact IT

IBM says IT staff need to pay extra attention to use of mobile devices and cloud infrastructure on business networks because both technologies are still young, and security can be sketchy.

Businesses should know that jailbreakers who figure out how to gain root access to mobile phones are causing trouble. While some phone owners want this type of access so the phones can support applications manufacturers didn't intend them to, attackers benefit from jailbreaking toolkits. Attackers can modify the code into a tool to gain unauthorized root access, according to a new report from IBM's security watchers, "IBM X-Force 2010 Trend and Risk Report."

OTHER CONCERNS: Social networking security threats taken too lightly

"We aren't seeing a lot of widespread attack activity targeting these vulnerabilities today," the report says, "because mobile devices likely do not represent the same kind of financial opportunity that desktop machines do for the sort of individuals who create large Internet botnets."

Even so, individual phones may contain enough valuable information to warrant a targeted attack. "Malicious software on the devices can be used to spy on users, access sensitive information on the phones, and reach back into corporate networks. Therefore, enterprises should take the risk of targeted malware on phones seriously," the report says.

IBM X-Force recommends a bare minimum of security measures including a firewall, anti-malware, strong passwords, lock-out and data removal after multiple failed logins, use of gateways between devices and the enterprise network, and configuring Bluetooth so devices link only to other safe devices.

Businesses should also consider encryption of sensitive data as it sits on mobile devices. Not all data need be encrypted, but valuable corporate data should, the report says.

A powerful potential source of smartphone malware is legitimate application stores. Without the resources to fully vet all submitted apps, these stores may sell applications that are actually malware. "It is likely that malicious behaviors in what appear to be trustworthy applications may provide an easy vector," the report says.

Corporations seeking to secure smartphones could benefit from technology that allows encapsulating all business-related data and applications separate from personal data and applications within the same phone. Users prefer to carry just one device, and encapsulating business content would support personal use while protecting business data, IBM says.

The report also targets cloud services and notes that cloud security is the greatest hindrance to adopting them, but businesses are increasingly adopting them anyway for at least some of their data and applications. Security need not be foolproof if the risks associated with using the cloud are acceptable. "The question for organizations is not whether the cloud as a whole is secure, but whether the organization is comfortable placing their workload on the cloud," IBM X-Force says.

Customers naturally need to trust the security offered by cloud providers, but equally understandably the providers are reluctant to give away a blueprint for attackers by revealing what measures are in place. Customers need to trust the providers, but there is no foolproof way to do so, IBM X-Force says.

It is feasible that cloud providers could offer better security than customers could provide themselves due to a lack of resources and expertise. And security services provided from the cloud could help protect corporate networks better than they do themselves, the report says.

At least in the short term, customers need to work out what tolerance they have for risk associated with cloud services and act appropriately, the report says.

Read more about wide area network in Network World's Wide Area Network section.